WAF with Global Accelerator

Question

Hello

We have a WAF rule which disallows certain IPs (based on geography).  In our original configuration, we had:

**Global Accelerator --> Internet Facing ALB (w/ WAF integration) --> ECS cluster**

as part of a security review, we noticed that those ALB don't need to be Internet-facing, i.e., they could be Internal-facing and on Private Subnets.

The proposed config is:

**Global Accelerator --> Internal ALB --> ECS Cluster**

and we have shown this works.  However, we also noticed *its possible to have WAF Integration with the Internal ALB.*

In this use case, is the WAF rule still effective?  Will it still enforce the IP restrictions (seems that would only work if GA preserved the source IP)?

Thank you!

Answer

The design you describe should work fine, see below statement from the documentation:

*********************

When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint **always** has client IP address preservation enabled.

Reference: https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

WAF with Global Accelerator

관련 콘텐츠