AWS Shield Advanced provides DDoS protection for AWS resources. When it comes to load balancers, it's important to remember where your primary entry points are for incoming internet traffic, as those are typically the points you'd want to defend against Distributed Denial of Service (DDoS) attacks.
Apply AWS Shield Advanced to each of the internet-facing NLBs. This will provide the DDoS protection at the points where your resources are directly exposed to the public internet. Furthermore, continue using AWS WAF on your ALB for protection against more sophisticated layer 7 attacks, such as SQL injection, XSS, etc. While Shield protects against DDoS attacks, WAF provides a separate layer of defense for application layer threats.
Regards, Andrii
It is recommended to deploy Shield Advanced to the border of your AWS network, i.e., the NLB as mentioned in the scenario. (Also check if you have additional elements like Route 53 hosted zones ahead of the NLB in your traffic flow.)
Network Load Balancers can be protected by first attaching the resources to Elastic IP addresses, and then protecting the Elastic IP addresses in Shield Advanced.
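The procedure described above (attach Elastic IPs to the NLB, then protect those EIPs in Shield Advanced), plus the direct ALB protection mentioned in the other answers, written out as Terraform. This is an added illustration, not code from the thread or from AWS; the subnet IDs, ALB ARN and resource names are placeholders, and an active Shield Advanced subscription is assumed.

```hcl
# Added illustration (not from the thread). Assumes an active Shield Advanced
# subscription and an existing VPC whose public subnet IDs are passed in below.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

variable "public_subnet_ids" {
  type = list(string) # placeholder: public subnet IDs, one per AZ
}

variable "alb_arn" {
  type = string # placeholder: ARN of the existing internet-facing ALB
}

# One static Elastic IP per AZ; the NLB is created on these addresses.
resource "aws_eip" "nlb" {
  count  = length(var.public_subnet_ids)
  domain = "vpc"
}

resource "aws_lb" "ingress" {
  name               = "internet-facing-nlb" # placeholder name
  load_balancer_type = "network"
  internal           = false

  dynamic "subnet_mapping" {
    for_each = { for i, id in var.public_subnet_ids : id => i }
    content {
      subnet_id     = subnet_mapping.key
      allocation_id = aws_eip.nlb[subnet_mapping.value].id
    }
  }
}

# Shield Advanced does not take the NLB ARN directly; the protected resource is
# each EIP, identified as arn:aws:ec2:<region>:<account>:eip-allocation/<alloc-id>.
resource "aws_shield_protection" "nlb_eip" {
  count        = length(aws_eip.nlb)
  name         = "nlb-eip-${count.index}"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.nlb[count.index].id}"
}

# The ALB behind the NLB is protected by its own ARN; layer 7 detection there
# relies on the WAF WebACL already associated with the ALB.
resource "aws_shield_protection" "alb" {
  name         = "internet-facing-alb"
  resource_arn = var.alb_arn
}
```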
For full protection in this situation you should apply Shield Advanced protection to each NLB (for layer 3/4 detection and mitigation at the network border) and to each ALB with a WAF WebACL for layer 7 (RequestFlood) detection and mitigation (if you have enabled Automatic Application layer protection).
Having said that, if you are cost-sensitive to Shield DTO you could possibly get away with not enabling protection for the NLBs, as NLB will scale rapidly in response to an attack and also drop any traffic not matching a listener. NLB targets on non-TLS listeners can be sensitive to SYN flood attacks; however, an ALB target should scale in response to SYN flood. One thing to watch out for is making sure that any security groups associated with the ALB do not have security group connection tracking enabled, by ensuring that ingress rules allow traffic from 0.0.0.0/0 and that egress rules allow traffic to 0.0.0.0/0.