WAF to ALB to private web server

How to create a protected external website environment.

  1. Create the certificate in ACM that will be used to enable HTTPS on the ALB.
  2. Add the DNS validation record for that certificate so it becomes active and usable.
  3. Create the ALB target group and register the web instance. You may later have to adjust the health-check "path" and "success codes" to match the backend web configuration.
  4. IMPORTANT: create the ALB in a public subnet that is in the same AZ as the private web instance; the load balancer will not function if you miss this. The second subnet can be any public subnet, unless there are two web instances, in which case you need to adjust the load-balancing rules and options accordingly.
  5. Create an HTTP listener that redirects to HTTPS.
  6. Create an HTTPS listener that forwards to the target group.
  7. Create security group "ALB-external" for the ALB, allowing only the appropriate public IPs.
  8. Create security group "ALB-internal" for the web instance, referencing the ALB security group above so that the load balancer can run health checks and route traffic. This might be port 80 or 443, depending on whether the private VPC traffic from the load balancer to the web instance needs to be encrypted with a self-signed IIS certificate. IMPORTANT: if the private traffic needs to be encrypted, adjust the ALB target group to point at port 443 instead of port 80.
  9. Create the WAF web ACL and associate the ALB with it.
  10. Add appropriate AWS Managed WAF rules, such as "Amazon IP reputation list" and "Known bad inputs". These rules are free, unlike the custom rule created in step 11.
  11. Usually a "US Only" rule should also be created (a geo-match rule that blocks requests from any other country).
  12. Add the desired CNAME for the FQDN referenced in the certificate above, pointing to the ALB's DNS name (its A record).
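Steps 9 and 11 expressed as Terraform, as an added example that is not part of the original post. It assumes an ALB resource named `aws_lb.web` is declared elsewhere in the same module; the web ACL name and metric names are placeholders.

```hcl
# Added example (Terraform HCL), not from the original post. Assumes an ALB
# resource named aws_lb.web is declared elsewhere in the same module.
resource "aws_wafv2_web_acl" "web" {
  name  = "web-acl"
  scope = "REGIONAL" # an ALB needs REGIONAL; CLOUDFRONT is only for CloudFront

  default_action {
    allow {} # requests no rule blocks are forwarded to the ALB
  }

  # Step 11, the "US Only" rule: block every request whose source country
  # is not US, while the default action stays allow for everything else.
  rule {
    name     = "us-only"
    priority = 0 # lowest number is evaluated first

    action {
      block {}
    }

    statement {
      not_statement {
        statement {
          geo_match_statement { country_codes = ["US"] }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "us-only"
      sampled_requests_enabled   = true # keeps samples of blocked requests for review
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}

# Step 9: associate the web ACL with the load balancer.
resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

The managed groups from step 10 go in as further `rule` blocks, each carrying a `managed_rule_group_statement` with `vendor_name = "AWS"` and an `override_action { none {} }` so the group's own block actions stay in force.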
