- Newest
- Most votes
- Most comments
This solution is specific to traffic which is consuming the CloudFront distribution and ALB configured as origin which is integrated with WAF seems that's the case in your design.
In CloudFront configuration you need to add the custom header for example X-Forwarded-For header with value (IP address) 1.1.1.1, this configuration will inject X-Forwarded-For = 1.1.1.1 in all the packets traversing over CF towards origin.
Now you can configure rate-based policy on the WAF. Set a rate threshold to inspect the Client IP Address in the "X-Forwarded-For" HTTP header in the request forwarded from CloudFront to Origin ALB. The Rate Based Rule will use the first IP address in the header "X-Forwarded-For" to decide the Rate Threshold breach per Client IP Address.
For more information on configuring Rate Limiting based on XFF header please refer the documentation:
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
For e.g:
Rate Threshold: 10000 Requests/5 mins
Aggregate Key: IP address in header
Header field name: X-Forwarded-For
Fallback for missing IP address: MATCH
Action: BLOCK
Thanks
Relevant content
- asked a year ago
- asked 2 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated a year ago