DEV Community

Arun Kumar for AWS Community Builders

WAF for ALBs

Overview

WAF support for ALB is now available in many regions.

Clients want a reusable pattern of ALB → (Lambda | EC2), secured via WAF (and HTTPS).

Clients want to minimise the maintenance footprint of adding WAF for many applications.

Architecture

(Architecture diagram: image not reproduced in this text.)

Pricing Details

WAF Pricing

a. WAF

  • $5 per web ACL per month
  • $1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
  • $0.60 per million web requests

b. F5

  • $20 per unit per month in each available region (pro-rated by the hour)
  • $1.2 per unit per million requests in each available region

Estimates

a. WAF Pricing

  • 12 web ACLs (6 × 2 ACLs)
  • 10 rules per web ACL = 120 rules total = $120 per month
  • 100 million requests = $60 per month
  • $2,160 annual cost

b. Marketplace pricing — 4x F5 managed rulesets

  • $480 per month: $80 per account per region per month × 6
  • $480 per month: 100 million requests × 4 rulesets (total requests across all accounts and regions)
  • $11,520 annual cost

c. Total pricing estimate

  • $13,680 annual total

Solutions

a. The solution is authored by AWS itself

b. Without a dedicated security team, a “web application firewall strategy” can be a hassle (even with one)

c. AWS WAF ACL — a central inspection and decision point for incoming requests (for all apps that use it)

  • This solution ships a set of preconfigured rules for use with ALB and CloudFront

  • I’m assuming we can easily integrate with marketplace rules, like the F5 ones.

d. Log analysis — more than just “WAF rules to apply”; there are mechanisms for updating the rules:

  • Both WAF logs and application logs can be parsed by Athena/Lambda to detect HTTP floods and scanners & probes

  • A scheduled CloudWatch Events rule triggers a Lambda function to maintain the IP reputation lists

  • Bot lists are also updated via a Lambda function.
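The log-analysis step above, and the HTTP flood and scanners & probes rule types listed under Types of Rules, come down to counting per-source-IP requests and client errors over a time window. The following Python is an added example written for this post; it is not code from the original article or from the AWS solution being reviewed. It parses constructed ALB access-log lines (field order follows the documented ALB access-log format), counts requests and 4xx responses per client IP in tumbling 5-minute windows, and reports the IPs that exceed a threshold. The sample lines, IP addresses, thresholds and function names are all assumptions made for the example.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# ALB access-log timestamps look like 2020-01-01T10:00:01.000000Z
ALB_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
EPOCH = datetime(1970, 1, 1)


def _alb_line(ts, ip, status, path, user_agent):
    """Build one constructed ALB access-log line (leading 14 fields only).

    Field order follows the documented ALB format: type, time, elb,
    client:port, target:port, three processing times, elb_status_code,
    target_status_code, received_bytes, sent_bytes, "request", "user_agent".
    """
    return (f"https {ts} app/demo-alb/0123456789abcdef {ip}:51234 10.0.1.5:80 "
            f"0.001 0.005 0.000 {status} {status} 300 500 "
            f'"GET https://example.com:443{path} HTTP/1.1" "{user_agent}"')


def build_sample_log():
    """Constructed sample traffic: a benign client, a probing scanner, a flooder."""
    lines = [
        _alb_line("2020-01-01T10:00:01.000000Z", "203.0.113.10", 200, "/", "Mozilla/5.0"),
        _alb_line("2020-01-01T10:00:03.000000Z", "203.0.113.10", 200, "/about", "Mozilla/5.0"),
    ]
    # Scanner: five 404s against paths that do not exist, inside one minute.
    for i, path in enumerate(["/admin/", "/backup/", "/old/", "/test/", "/config/"]):
        lines.append(_alb_line(f"2020-01-01T10:01:{i:02d}.000000Z",
                               "198.51.100.7", 404, path, "python-requests/2.22"))
    # Flooder: eight hits on the login page within a few seconds.
    for i in range(8):
        lines.append(_alb_line(f"2020-01-01T10:02:{i:02d}.000000Z",
                               "192.0.2.99", 200, "/login", "curl/7.64"))
    return lines


def parse_alb_line(line):
    """Parse the leading fields of an ALB access-log line into a dict.

    shlex.split handles the double-quoted request and user-agent fields.
    elb_status_code is used rather than target_status_code because the
    latter is "-" when the request never reached a target.
    """
    fields = shlex.split(line)
    method, url, _version = fields[12].split(" ", 2)
    return {
        "time": datetime.strptime(fields[1], ALB_TIME_FMT),
        "ip": fields[3].rsplit(":", 1)[0],   # strip the client port
        "status": int(fields[8]),
        "method": method,
        "url": url,
        "user_agent": fields[13],
    }


def detect_abusive_ips(lines, window_seconds=300, request_threshold=100,
                       error_threshold=50,
                       error_statuses=frozenset({400, 401, 403, 404})):
    """Count requests and client errors per source IP in tumbling windows.

    Returns (flood_ips, probe_ips): IPs whose request count in any window
    exceeds request_threshold (HTTP flood) and IPs whose client-error count
    in any window exceeds error_threshold (scanners & probes). The default
    thresholds are placeholders for this example; tune them per application.
    """
    requests = defaultdict(int)
    errors = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alb_line(line)
        bucket = int((rec["time"] - EPOCH).total_seconds() // window_seconds)
        key = (rec["ip"], bucket)
        requests[key] += 1
        if rec["status"] in error_statuses:
            errors[key] += 1
    flood_ips = {ip for (ip, _), n in requests.items() if n > request_threshold}
    probe_ips = {ip for (ip, _), n in errors.items() if n > error_threshold}
    return flood_ips, probe_ips


if __name__ == "__main__":
    # Low thresholds so the small constructed sample trips both detectors.
    flood, probes = detect_abusive_ips(build_sample_log(),
                                       request_threshold=6, error_threshold=4)
    print("HTTP flood candidates:   ", sorted(flood))
    print("Scanner/probe candidates:", sorted(probes))
```

In the solution this logic would run in a scheduled Lambda (or as an Athena query over the log bucket) and its output would feed the block-list IP set; the tumbling-window bucket is what keeps a slow, steady client from being mistaken for a burst. Note that WAF logs do not carry the response status, so the scanners & probes count has to come from the ALB (application) logs, which is why the post mentions both log sources.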

Types of Rules

a. Whitelisting/blacklisting (manual lists)

  • No automation is set up around these lists — is the expectation that you manage them via the AWS Console?

b. SQL injection, XSS (patterns in the URI, query string and request body)

c. HTTP flood (web-layer DDoS, brute-force logins)

  • ConfigureRateBasedRule (Custom::ConfigureRateBasedRule — HttpFloodProtectionRateBasedRuleActivated)

d. Scanners & probes (an abnormal number of errors from one origin)

e. IP reputation lists (third-party lists, updated hourly)

  • spamhaus.org
  • torproject.org
  • emergingthreats.net

f. Bad bot (honeypot to attract bots)

  • API Gateway + Lambda
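The hourly IP reputation refresh (rule type e) has to pull three feeds in three different text formats and turn them into entries a WAF IP set will accept. The following Python is an added example written for this post, not code from the original article or from the AWS solution it reviews. It parses constructed excerpts in the formats the three sources publish (Spamhaus DROP: one CIDR per line with `;` comments; Tor: `ExitAddress <ip> <timestamp>` records; Emerging Threats: one address per line), merges them, and splits the result into the prefix lengths AWS WAF Classic accepts for IPv4 IP sets (/8, /16, /24 and /32); WAFv2 IP sets accept any length from /1 to /32, which the `allowed_prefixes` parameter covers. The sample addresses are documentation ranges and the descriptor shape, function names and constants are assumptions made for the example.

```python
import ipaddress

# Constructed excerpts in the formats the three sources publish. The
# addresses are documentation ranges (RFC 5737), not real listings.
# Real feeds: https://www.spamhaus.org/drop/drop.txt,
# https://check.torproject.org/exit-addresses,
# https://rules.emergingthreats.net/blockrules/compromised-ips.txt
SPAMHAUS_DROP_SAMPLE = """\
; Spamhaus DROP List (constructed excerpt)
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
"""

TOR_EXIT_SAMPLE = """\
ExitNode 0000000000000000000000000000000000000001
Published 2020-01-01 00:00:00
LastStatus 2020-01-01 01:00:00
ExitAddress 203.0.113.5 2020-01-01 01:00:00
ExitNode 0000000000000000000000000000000000000002
Published 2020-01-01 00:00:00
LastStatus 2020-01-01 01:00:00
ExitAddress 203.0.113.6 2020-01-01 01:00:00
"""

ET_COMPROMISED_SAMPLE = """\
# constructed excerpt: one address per line
203.0.113.7
not-an-address
203.0.113.5
"""

# AWS WAF Classic IPv4 IP sets accept only these prefix lengths; WAFv2 IP
# sets accept any length from /1 to /32, so pass range(1, 33) there.
WAF_CLASSIC_IPV4_PREFIXES = (8, 16, 24, 32)


def parse_spamhaus_drop(text):
    """DROP format: one CIDR per line, ';' starts a comment (SBL reference)."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_tor_exit_addresses(text):
    """Exit-address format: 'ExitAddress <ip> <timestamp>' lines carry the IPs."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            nets.append(ipaddress.ip_network(parts[1]))
    return nets


def parse_plain_ip_list(text):
    """One IP or CIDR per line, '#' comments; malformed lines are skipped so a
    single bad entry does not abort the whole hourly refresh."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def to_ip_set_descriptors(networks, allowed_prefixes=WAF_CLASSIC_IPV4_PREFIXES):
    """Merge the feeds and express them with permitted prefix lengths.

    collapse_addresses() removes duplicates and merges adjacent ranges;
    each resulting network is then split into the smallest allowed prefix
    length that is at least as long as its own (e.g. a /22 becomes four /24s).
    Output mimics the IPSetDescriptor shape {"Type": "IPV4", "Value": cidr}.
    """
    values = set()
    v4 = [n for n in networks if n.version == 4]
    for net in ipaddress.collapse_addresses(v4):
        target = min(p for p in allowed_prefixes if p >= net.prefixlen)
        subnets = [net] if target == net.prefixlen else net.subnets(new_prefix=target)
        values.update(str(s) for s in subnets)
    ordered = sorted(values, key=ipaddress.ip_network)
    return [{"Type": "IPV4", "Value": v} for v in ordered]


def build_reputation_ip_set():
    """Combine the three constructed feeds into one block-list payload."""
    networks = (parse_spamhaus_drop(SPAMHAUS_DROP_SAMPLE)
                + parse_tor_exit_addresses(TOR_EXIT_SAMPLE)
                + parse_plain_ip_list(ET_COMPROMISED_SAMPLE))
    return to_ip_set_descriptors(networks)


if __name__ == "__main__":
    for descriptor in build_reputation_ip_set():
        print(descriptor)
```

Two details matter operationally: the feeds overlap (the same address appears in the Tor and Emerging Threats excerpts), so deduplicating before the update keeps the IP set within its size limits, and a range such as a /22 that the classic API cannot store is expanded rather than silently dropped.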
