aws WAF in front of ec2-instance with traefik


I run my microservices currently on an ec2-instance (aws) with traefik/Let's Encrypt in front of them. "WebBrowser" -> Internet -> (EC2 with traefik) All is fine. Now I want to use the AWS-WAF. However, to use this WAF service I have to plug an application load balancer between my ec2-instance and the WAF service.

"WebBrowser" -> Internet -> WAF -> ALB -> (EC2 with traefik)

First question: Does this approach seem viable? Second question: Does anyone have practical experience with it? Currently I try to build the ALB with terraform and get an error that at least "two subnets in two different Availability Zones must be specified"...

According to the aws documentation (https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html) this seems clearly intended:

"With an Application Load Balancer, we require you to enable multiple Availability Zones."

Hm, I have currently only one ec2-machine with all my services...

Maybe someone has done this already and can point me in the right direction.

Thomas

2

There are 2 answers

0
Adiii On

"WebBrowser" -> Internet -> WAF -> ALB -> (EC2 with traefik)

When you are going to use ALB, I do not think you need traefik/Let's Encrypt, as the ALB provides approximately all the functionality that traefik does. You can use an AWS certificate with the ALB and it's totally free.

You should terminate TLS traffic and send plain HTTP traffic to the instance, as encryption/decryption is a CPU intensive task.

"With an Application Load Balancer, we require you to enable multiple Availability Zones."

Yes, you should provide two availability zones to your LB, do not mix it with one instance.

I have currently only one ec2-machine with all my services

It's okay if you have one instance; the zones you need to specify are for the ALB, not for the instance itself.

4
Chris Williams On

When you have a WAF you have a choice of the following you can apply it to:

You do not exclusively need an ALB, you could add CloudFront as a CDN instead in front of your host. However, I would say as you're trying to improve your security having an Application Load Balancer and moving your application instance into a private subnet would be the best approach.

You require at least 2 subnets that are distributed across different availability zones. Having this allows you to maintain high availability with your Load Balancer in case a particular node fails. Your EC2 instance does not need to be in the same subnet or availability zone. In fact, AWS employs cross-zone load balancing.

The Load Balancer only supports an SSL certificate from ACM; you can either upload your own or use the ACM managed certificate, which will be auto generated and renewed for you. I would choose the latter option, as it will remove the overhead of you rotating the SSL certificate.
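As an added example (not from the question or either answer) of the setup both answers describe: a Terraform ALB in two subnets in two Availability Zones, a TLS listener using an ACM certificate, the single EC2 instance as the only target, and a WAFv2 web ACL attached to the ALB. All IDs and ARNs are placeholder variables, the ALB uses the VPC's default security group, and the traefik `/ping` health-check path is an assumption.

```hcl
# Added example, not the asker's config. Subnet, instance, certificate and
# web ACL values are placeholders; the WAFv2 web ACL must have scope REGIONAL.
variable "vpc_id"       {}
variable "subnet_az_a"  {}  # public subnet in the first AZ
variable "subnet_az_b"  {}  # public subnet in a second AZ
variable "instance_id"  {}  # the single EC2 instance running traefik
variable "acm_cert_arn" {}  # ACM-managed certificate for the public hostname
variable "web_acl_arn"  {}  # existing WAFv2 web ACL (scope REGIONAL)

resource "aws_lb" "edge" {
  name               = "edge-alb"
  load_balancer_type = "application"
  # Two subnets in two AZs satisfies the "two different Availability Zones" error;
  # the instance itself may live in either zone.
  subnets = [var.subnet_az_a, var.subnet_az_b]
}

# TLS is terminated at the ALB (as the first answer suggests), so the target
# speaks plain HTTP on port 80. Switch to port 443 / "HTTPS" to keep traefik's
# own certificate between the ALB and the instance.
resource "aws_lb_target_group" "traefik" {
  name     = "traefik-tg"
  vpc_id   = var.vpc_id
  port     = 80
  protocol = "HTTP"
  health_check {
    path = "/ping"  # assumption: traefik's ping endpoint is enabled
  }
}

resource "aws_lb_target_group_attachment" "instance" {
  target_group_arn = aws_lb_target_group.traefik.arn
  target_id        = var.instance_id
  port             = 80
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.edge.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.traefik.arn
  }
}

# The WAF inspects requests at the ALB, before they reach traefik.
resource "aws_wafv2_web_acl_association" "edge" {
  resource_arn = aws_lb.edge.arn
  web_acl_arn  = var.web_acl_arn
}
```

With this in place the instance's security group only needs to accept port 80 from the ALB's security group, not from the internet, which is what moving it into a private subnet as the second answer recommends relies on.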