AWS Web Application Firewall - Adding To Existing Environment Advice


I have an existing environment consisting of a public-facing application load balancer forwarding traffic to a Windows EC2 host on a private subnet (the ALB listens on 443 and forwards on 80).

Both resources are in their own security groups, with the ALB SG whitelisting ingress from the internet and the host SG only allowing port 80 traffic from the ALB SG.

I need to add a WAF to this setup and have been googling for simple logistical advice about how to do it, but have not found any answers so far (hence this post!).

Can anyone provide any advice, tips or gotchas for this?

e.g. Do I still need the ALB security group if the WAF has its own ACL? If not, how do I do the ingress rule for the host SG? If so, do I need to maintain the same IP whitelist in two places?

thanks in advance :)


Chris Williams (accepted answer):

From a security perspective, if you're maintaining a small number of IP addresses (or CIDR ranges) then you should definitely try to maintain the IP addresses within a security group (after all, if the WAF were removed you would still want to restrict to those IPs). The evaluations will occur at the WAF before the security group.

If you are planning on using a WAF IPSet with a larger range of IPs then you will need to use this as the list of IPs, with the security group allowing all traffic on those ports. Bear in mind that removal of the WAF will leave this open.

If you aren't trying to maintain an IP whitelist (such as for a public-facing website or API) then you would not need to include the IP whitelist in the WAF, instead keeping just the rules you would like to be evaluated.
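The first option in the answer (a small allowlist kept in the ALB security group as the backstop, with the same sources also enforced by a WAF IPSet in front of the ALB), written out as an added Terraform example that is not from the question or the answer. It assumes the existing ALB and its security group are referenced through the variables `alb_arn`, `alb_sg_id` and `allowed_cidrs`; all resource names are illustrative.

```hcl
# Constructed example: WAF IPSet + web ACL attached to the existing ALB.
resource "aws_wafv2_ip_set" "allowed" {
  name               = "alb-allowed-sources"
  scope              = "REGIONAL"   # REGIONAL for an ALB; CLOUDFRONT is only for CloudFront
  ip_address_version = "IPV4"
  addresses          = var.allowed_cidrs   # assumed variable, e.g. ["203.0.113.0/24"]
}
resource "aws_wafv2_web_acl" "alb" {
  name  = "alb-web-acl"
  scope = "REGIONAL"
  # Default is BLOCK, so only requests matching an allow rule reach the listener.
  default_action {
    block {}
  }
  rule {
    name     = "allow-listed-sources"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.allowed.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-listed-sources"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "alb-web-acl"
    sampled_requests_enabled   = true
  }
}
# Attach the web ACL to the existing load balancer (alb_arn is an assumed variable).
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
# The ALB security group keeps its own 443 allowlist: if the web ACL is ever
# detached, this rule still limits which sources can reach the listener.
resource "aws_security_group_rule" "alb_https_in" {
  type              = "ingress"
  security_group_id = var.alb_sg_id   # assumed variable: the existing ALB SG
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidrs
}
```

The host security group is unchanged: it continues to allow port 80 only from the ALB security group, so the WAF never alters the ALB-to-host path.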