Protecting On-prem Web application with WAF and Shield Advanced

0

Hello Experts,

Does anyone have experience with protecting on-premises web applications using WAF and Shield Advanced? The DNS has already been moved to Route 53.

What would be the best practices to consider in the design while implementing this architecture? This will be an early adoption of AWS Cloud services.

3 Answers
0
Accepted Answer

Hello.

To protect your on-premises server, you need to set it up as a CloudFront origin.
If you can set up CloudFront, you can use AWS WAF and AWS Shield.
In other words, it cannot be used unless it is at least configured as a CloudFront origin.
https://aws.amazon.com/shield/faqs/?nc1=h_ls

Q. Can I use AWS Shield to protect web sites not hosted in AWS?

Yes, AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS.

EXPERT
answered 5 months ago
EXPERT
reviewed a month ago
  • I don't know the structure of your website, but I think you can reduce traffic to some extent by caching HTML, images, etc. with CloudFront.
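The accepted answer says the on-prem site has to become a CloudFront custom origin before WAF or Shield can apply. The CloudFormation template below is an added example (not from the answer's author or from AWS documentation) of that arrangement: a CLOUDFRONT-scoped web ACL with an AWS-managed rule set and a rate-based rule, a distribution whose only origin is the on-prem hostname, and a Shield Advanced protection on the distribution. `origin.example.com`, `www.example.com`, the `/static/*` path, the `X-Origin-Verify` header name and the managed cache/origin-request policy IDs (CachingDisabled, AllViewer, CachingOptimized) are assumptions you would replace or confirm for your own site; the stack must be deployed in us-east-1 and assumes a Shield Advanced subscription already exists on the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example only - CloudFront fronting an on-premises origin with WAF and Shield Advanced.

Parameters:
  OriginDomainName:
    Type: String
    Default: origin.example.com        # placeholder: public DNS name of the on-prem site
  SiteAlias:
    Type: String
    Default: www.example.com           # placeholder: Route 53 record that will point at CloudFront
  CertificateArn:
    Type: String                       # ACM certificate for SiteAlias; must be in us-east-1 for CloudFront
  OriginVerifySecret:
    Type: String
    NoEcho: true                       # shared secret the on-prem edge checks so only CloudFront traffic is served

Resources:
  # CLOUDFRONT-scoped web ACL; this stack must be created in us-east-1.
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: onprem-site-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: onprem-site-acl
      Rules:
        - Name: AWSManagedRulesCommonRuleSet      # AWS-managed baseline rule group
          Priority: 0
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: common-rule-set
        - Name: RateLimitPerIp                    # blunt L7 flood control: block IPs above 2000 requests / 5 min
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rate-limit-per-ip

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref SiteAlias
        WebACLId: !GetAtt WebAcl.Arn              # attaches the web ACL to every request the edge receives
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: onprem-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only    # no plaintext between the edge and the data centre
              HTTPSPort: 443
              OriginSSLProtocols:
                - TLSv1.2
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify       # assumed header name; the on-prem edge rejects requests without it
                HeaderValue: !Ref OriginVerifySecret
        DefaultCacheBehavior:
          TargetOriginId: onprem-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachedMethods: [GET, HEAD]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad          # Managed-CachingDisabled (dynamic pages)
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3  # Managed-AllViewer (forward headers/cookies/query)
        CacheBehaviors:
          - PathPattern: "/static/*"             # assumed path for cacheable assets (images, CSS, JS)
            TargetOriginId: onprem-origin
            ViewerProtocolPolicy: redirect-to-https
            Compress: true
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6        # Managed-CachingOptimized

  # Registers the distribution as a Shield Advanced protected resource.
  ShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: onprem-site-cloudfront
      ResourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}"
```

Two design points worth checking before switching the Route 53 record to the distribution: the on-prem web server or reverse proxy should return an error for any request that does not carry the shared-secret header, otherwise the WAF is trivially bypassed by connecting to the origin hostname directly; and the split between the CachingDisabled default behaviour and the CachingOptimized `/static/*` behaviour is what delivers the traffic reduction mentioned in the comment above, so the path pattern needs to match where the site's static assets actually live.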

0

Thanks, Riku. Are there any best practices to consider to avoid any traffic slowness due to redirection? The on-prem website will have high traffic because year end is coming.

answered 5 months ago
0

You can protect your on-prem using either CloudFront or Application Load Balancer (ALB) with AWS WAF WebACL. Accessing your on-prem via private DX VIF (via ALB) allows you to remove your on-prem completely from the 'internet', and via a public DX VIF (via CloudFront), allows you to remove it from being accessed from anywhere other than the Amazon network.

  • Pros of using CloudFront - deliver content close to your users at the edge, provides global CDN allowing caching/compression, gold class L3/4 DDoS protection, overall scale - default limit of 250K RPS per-distribution can be increased on request. If your client base is global, CloudFront may actually improve overall performance (results would vary depending on a variety of factors). Cons - total cost of ownership (TCO) is likely to be higher than using ALB.
  • Pros of using ALB - it's cheaper. Even if you build in your own EC2-based HTTP caching tier, it's possible that TCO will remain lower than CloudFront. Cons - L3/4 mitigation relies on detection; however, ALB will scale to absorb an attack. Regional WAF has a maximum of 25K RPS.
AWS
answered 5 months ago
EXPERT
reviewed a month ago
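The answer above describes the alternative of reaching the on-prem server over a private Direct Connect VIF through an ALB, with a REGIONAL web ACL attached. The template below is an added example (not the answer author's or AWS's own code) of that path: an internet-facing ALB whose target group registers the on-prem server as an IP target outside the VPC, an HTTPS listener, and the association to an existing regional web ACL. The VPC, subnets, the `10.20.30.40` origin address, the `/healthz` health-check path and the certificate and web ACL ARNs are placeholders; the template assumes the VPC already has a route to the on-prem range over the DX private VIF and that the security group, not the ALB, is what exposes port 443.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example only - internet-facing ALB fronting an on-prem origin reached over Direct Connect.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id            # VPC with a route to the on-prem range via the DX private VIF
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # at least two public subnets in different AZs for the ALB
  OnPremIp:
    Type: String
    Default: 10.20.30.40               # placeholder: on-prem web server address reachable over DX
  CertificateArn:
    Type: String                       # ACM certificate in the same region as the ALB
  RegionalWebAclArn:
    Type: String                       # existing AWS::WAFv2::WebACL created with Scope: REGIONAL

Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the internet to the ALB only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  OnPremTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTPS                  # keep the DX leg encrypted as well
      Port: 443
      TargetType: ip
      HealthCheckPath: /healthz        # assumed health endpoint on the on-prem site
      Targets:
        - Id: !Ref OnPremIp
          Port: 443
          AvailabilityZone: all        # required for IP targets that live outside the VPC (on-prem)

  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Type: application
      Subnets: !Ref PublicSubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroup

  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Protocol: HTTPS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref OnPremTargetGroup

  # Attaches the regional web ACL to the ALB; a CLOUDFRONT-scoped ACL cannot be used here.
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref Alb
      WebACLArn: !Ref RegionalWebAclArn
```

With this layout the on-prem server never needs a public IP: its only inbound path is from the ALB's private addresses across the DX VIF, so the on-prem firewall can be restricted to the VPC CIDR. The 25K RPS regional WAF limit the answer mentions applies to the web ACL on this ALB, which is the number to compare against the year-end peak before choosing this path over CloudFront.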
