Question about applying AWS Shield Advanced to the internal ALB.

0

I have an architecture with multiple internet-facing Network Load Balancers (NLBs) routing to a single internal Application Load Balancer (ALB) with Web Application Firewall (WAF), which further directs traffic to EC2 instances. (many NLBs -> one ALB(waf) -> EC2 instances) Various services are served through multiple NLBs, and the ALB routes the traffic to each EC2 instance based on the host header.

In this structure, can AWS Shield Advanced be applied to the ALB? Or should AWS Shield Advanced be applied to each NLB separately?

3 Answers
0
Accepted Answer

AWS Shield Advanced provides DDoS protection for AWS resources. When it comes to load balancers, it's important to remember where your primary entry points are for incoming internet traffic, as those are typically the points you'd want to defend against Distributed Denial of Service (DDoS) attacks.

Apply AWS Shield Advanced to each of the internet-facing NLBs. This will provide the DDoS protection at the points where your resources are directly exposed to the public internet. Furthermore, continue using AWS WAF on your ALB for protection against more sophisticated layer 7 attacks, such as SQL injection, XSS, etc. While Shield protects against DDoS attacks, WAF provides a separate layer of defense for application layer threats.

Regards, Andrii

EXPERT
answered 7 months ago
0

It is recommended to deploy Shield Advanced to the border of your AWS network, i.e., the NLB as mentioned in the scenario. (Also check if you have additional elements like Route 53 hosted zones ahead of the NLB in your traffic flow.)

Network Load Balancers can be protected by first attaching the resources to Elastic IP addresses, and then protecting the Elastic IP addresses in Shield Advanced.

AWS
answered 7 months ago
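The two answers above say the same thing in practice: Shield Advanced is attached to the internet-facing NLBs, and an NLB is protected through the Elastic IP allocations attached to it, while an ALB is protected directly by its ARN. The script below is an added example (not from this thread or from AWS) that turns an inventory of the topology in the question into the set of Shield protections and creates them with boto3's `create_protection`. The region, account ID, EIP allocation IDs and ALB ARN are constructed placeholders; the live call is only made with `--apply` and needs credentials allowed to call `shield:CreateProtection`.

```python
"""Plan and apply AWS Shield Advanced protections for a many-NLB -> one-ALB topology.

Added example, not from the re:Post thread. All identifiers in INVENTORY are
constructed placeholders; replace them with your own.
"""
import sys

try:
    import boto3  # only needed for --apply; planning works without it
except ImportError:
    boto3 = None

# Constructed inventory for the question's topology (placeholder IDs).
INVENTORY = {
    "region": "eu-west-1",
    "account_id": "123456789012",
    # NLB name -> Elastic IP allocation IDs attached to that NLB's subnets
    "nlbs": {
        "nlb-service-a": ["eipalloc-0aaaaaaaaaaaaaaaa", "eipalloc-0bbbbbbbbbbbbbbbb"],
        "nlb-service-b": ["eipalloc-0ccccccccccccccccc"],
    },
    # ALBs are protected directly by their load balancer ARN
    "albs": [
        "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/internal-alb/0123456789abcdef",
    ],
}


def eip_arn(region, account_id, allocation_id):
    """ARN form Shield expects for an Elastic IP allocation.

    An NLB cannot be named as a Shield resource itself; each EIP attached to it is.
    """
    return f"arn:aws:ec2:{region}:{account_id}:eip-allocation/{allocation_id}"


def plan_protections(inventory):
    """Return {protection_name: resource_arn} covering every NLB EIP and every ALB."""
    plan = {}
    for nlb_name, allocation_ids in inventory["nlbs"].items():
        for alloc in allocation_ids:
            plan[f"{nlb_name}-{alloc}"] = eip_arn(inventory["region"], inventory["account_id"], alloc)
    for alb_arn in inventory["albs"]:
        # loadbalancer/app/<name>/<id> -> <name>
        alb_name = alb_arn.split("/")[2]
        plan[f"alb-{alb_name}"] = alb_arn
    return plan


def apply_protections(shield_client, plan):
    """Create each protection; an already-protected resource is not an error.

    Returns {protection_name: "created" | "exists"} so a re-run is idempotent.
    """
    results = {}
    for name, arn in plan.items():
        try:
            shield_client.create_protection(Name=name, ResourceArn=arn)
            results[name] = "created"
        except shield_client.exceptions.ResourceAlreadyExistsException:
            results[name] = "exists"
    return results


if __name__ == "__main__":
    protections = plan_protections(INVENTORY)
    for name, arn in protections.items():
        print(f"{name}: {arn}")
    if "--apply" in sys.argv and boto3 is not None:
        # The Shield API is global and served from us-east-1.
        client = boto3.client("shield", region_name="us-east-1")
        print(apply_protections(client, protections))
```

Run it without arguments to review the plan first; the output lists one protection per EIP allocation, which is what you will later see in the Shield console, plus one per ALB. The `apply_protections` function takes the client as a parameter so it can be exercised against a stub before touching a real account.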
0

For full protection in this situation you should apply Shield Advanced protection to each NLB (for layer 3/4 detection and mitigation at the network border) and to each ALB with a WAF WebACL for layer 7 (RequestFlood) detection and mitigation (if you have enabled Automatic Application layer protection).

Having said that, if you are cost sensitive to Shield DTO you could possibly get away with not enabling Protection for the NLBs, as NLB will scale rapidly in response to an attack and also drop any traffic not matching a listener. NLB targets on non-TLS listeners can be sensitive to SYN flood attacks, however an ALB target should scale in response to SYN flood. One thing to watch out for is making sure that any security groups associated with the ALB do not have security group connection tracking enabled, by ensuring that Ingress rules allow traffic from 0.0.0.0/0 and that egress rules allow traffic to 0.0.0.0/0.

AWS
answered 5 months ago
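The last point in the answer above, that the ALB's security groups should not leave connection tracking in play, is easy to get wrong with a "least privilege" egress rule. The audit below is an added example (not from the thread or from AWS) that applies AWS's documented untracked-connection criterion as I read it: a TCP or UDP ingress rule whose source is `0.0.0.0/0` or `::/0` is untracked only when an egress rule for the same protocol (or all protocols) allows all ports to that same any-address range; anything else is tracked and is flagged. It reads security groups in the shape returned by boto3's `ec2.describe_security_groups()`, and the two groups embedded below are constructed samples.

```python
"""Flag ALB security-group ingress rules whose flows will be connection-tracked.

Added example, not from the re:Post thread. Criterion (my reading of the AWS
docs on untracked connections): a TCP/UDP ingress rule from 0.0.0.0/0 or ::/0
is untracked only if an egress rule for that protocol (or "-1") allows all
ports (0-65535) to the same any-address range. Input matches the
'SecurityGroups' entries of boto3 ec2.describe_security_groups().
"""
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample groups: one that satisfies the criterion, one that does not.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "alb-sg-untracked",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_V4}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        ],
    },
    {
        "GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "alb-sg-tracked",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_V4}]},
        ],
        # Egress restricted to the target subnets: looks tight, but makes every
        # client flow tracked, which is what the SYN-flood caveat is about.
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
]


def _any_ranges(perm):
    """Set of any-address CIDRs ('0.0.0.0/0', '::/0') present in one permission entry."""
    found = set()
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == ANY_V4:
            found.add(ANY_V4)
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == ANY_V6:
            found.add(ANY_V6)
    return found


def _covers_all_ports(perm):
    """True for protocol '-1' or an explicit 0-65535 port range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def _egress_allows_all_ports(egress_perms, proto, cidr):
    """Is there an egress rule for proto (or all protocols) to cidr on all ports?"""
    for perm in egress_perms:
        if perm.get("IpProtocol") not in ("-1", proto):
            continue
        if cidr in _any_ranges(perm) and _covers_all_ports(perm):
            return True
    return False


def audit_security_group(sg):
    """Return a list of findings, one per ingress rule source whose flows are tracked."""
    findings = []
    egress = sg.get("IpPermissionsEgress", [])
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "udp", "-1"):
            continue  # ICMP and other protocols are outside the TCP/UDP criterion
        ports = "all" if proto == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"
        protos = ("tcp", "udp") if proto == "-1" else (proto,)
        # Every kind of source a rule can name; only any-address CIDRs can be untracked.
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [f"sg:{g['GroupId']}" for g in perm.get("UserIdGroupPairs", [])]
        sources += [f"pl:{p['PrefixListId']}" for p in perm.get("PrefixListIds", [])]
        for src in sources:
            if src not in (ANY_V4, ANY_V6):
                findings.append(f"{proto} {ports} from {src}: source is not any-address -> tracked")
                continue
            for p in protos:
                if not _egress_allows_all_ports(egress, p, src):
                    findings.append(f"{p} {ports} from {src}: no all-port {p} egress to {src} -> tracked")
    return findings


def audit_all(groups):
    """Map group name -> findings for every group (empty list means all flows untracked)."""
    return {sg["GroupName"]: audit_security_group(sg) for sg in groups}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_GROUPS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  ", f)
```

To run it against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups(GroupIds=[...])` for the groups attached to the ALB. The second sample group shows the usual trap: an egress rule scoped to the target CIDR makes the 80 and 443 ingress flows tracked even though the ingress side is open to `0.0.0.0/0`.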
