Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

WAF with Global Accelerator

2

Hello

We have a WAF rule which disallows certain IPs (based on geography). In our original configuration, we had:

Global Accelerator --> Internet Facing ALB (w/ WAF integration) --> ECS cluster

as part of a security review, we noticed that those ALB don't need to be Internet-facing, i.e., they could be Internal-facing and on Private Subnets.

The proposed config is:

Global Accelerator --> Internal ALB --> ECS Cluster

and we have shown this works. However, we also noticed its possible to have WAF Integration with the Internal ALB.

In this use case, is the WAF rule still effective? Will it still enforce the IP restrictions (seems that would only work if GA preserved the source IP)?

Thank you!

Argomenti
Networking e distribuzione di contenutiSicurezza, identità e conformità
Tag
AWS Global AcceleratorAWS WAFEquilibratore di carico elastico
Lingua
English
rePost-User-ellicottcity
posta un anno fa1931 visualizzazioni
1 Risposta
1

The design you describe should work fine, see below statement from the documentation:

When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint always has client IP address preservation enabled.

Reference: https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

profile pictureAWS
ESPERTO
Tushar_J
con risposta un anno fa
profile pictureAWS
ESPERTO
Brettski-AWS
verificato un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente