Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

WAF with Global Accelerator

2

Hello

We have a WAF rule which disallows certain IPs (based on geography). In our original configuration, we had:

Global Accelerator --> Internet Facing ALB (w/ WAF integration) --> ECS cluster

as part of a security review, we noticed that those ALB don't need to be Internet-facing, i.e., they could be Internal-facing and on Private Subnets.

The proposed config is:

Global Accelerator --> Internal ALB --> ECS Cluster

and we have shown this works. However, we also noticed its possible to have WAF Integration with the Internal ALB.

In this use case, is the WAF rule still effective? Will it still enforce the IP restrictions (seems that would only work if GA preserved the source IP)?

Thank you!

Temas
Redes y entrega de contenidoSeguridad, identidad y cumplimiento
Etiquetas
AWS Global AcceleratorAWS WAFBalanceo de carga elástica
Idioma
English
rePost-User-ellicottcity
preguntada hace un año1930 visualizaciones
1 Respuesta
1

The design you describe should work fine, see below statement from the documentation:

When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint always has client IP address preservation enabled.

Reference: https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

profile pictureAWS
EXPERTO
Tushar_J
respondido hace un año
profile pictureAWS
EXPERTO
Brettski-AWS
revisado hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante