Question about applying AWS Shield Advanced to the internal ALB.

0

I have an architecture with multiple internet-facing Network Load Balancers (NLBs) routing to a single internal Application Load Balancer (ALB) with Web Application Firewall (WAF), which further directs traffic to EC2 instances (many NLBs -> one ALB (WAF) -> EC2 instances). Various services are served through multiple NLBs, and the ALB routes the traffic to each EC2 instance based on the host header.

In this structure, can AWS Shield Advanced be applied to the ALB? Or should AWS Shield Advanced be applied to each NLB separately?

3 Answers
0
Accepted Answer

AWS Shield Advanced provides DDoS protection for AWS resources. When it comes to load balancers, it's important to remember where your primary entry points are for incoming internet traffic, as those are typically the points you'd want to defend against Distributed Denial of Service (DDoS) attacks.

Apply AWS Shield Advanced to each of the internet-facing NLBs. This will provide the DDoS protection at the points where your resources are directly exposed to the public internet. Furthermore, continue using AWS WAF on your ALB for protection against more sophisticated layer 7 attacks, such as SQL injection, XSS, etc. While Shield protects against DDoS attacks, WAF provides a separate layer of defense for application layer threats.

Regards, Andrii

EXPERT
answered 6 months ago
0

It is recommended to deploy Shield Advanced to the border of your AWS network, i.e., the NLB as mentioned in the scenario. (Also check if you have additional elements like Route53 hosted zones ahead of the NLB in your traffic flow.)

Network Load Balancers can be protected by first attaching the resources to Elastic IP addresses, and then protecting the Elastic IP addresses in Shield Advanced.

AWS
answered 6 months ago
0

For full protection in this situation you should apply Shield Advanced protection to each NLB (for layer 3/4 detection and mitigation at the network border) and to each ALB with a WAF WebACL for layer 7 (RequestFlood) detection and mitigation (if you have enabled Automatic Application layer protection).

Having said that, if you are cost sensitive to Shield DTO, you could possibly get away with not enabling Protection for the NLBs, as NLB will scale rapidly in response to an attack and also drop any traffic not matching a listener. NLB targets on non-TLS listeners can be sensitive to SYN flood attacks; however, an ALB target should scale in response to SYN flood. One thing to watch out for is making sure that any security groups associated with the ALB do not have security group connection tracking enabled, by ensuring that ingress rules allow traffic from 0.0.0.0/0 and that egress rules allow traffic to 0.0.0.0/0.

AWS
answered 5 months ago
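As an added example (not part of the question or any of the answers above), the following Python planner applies the advice from the accepted answer and the last answer to a many-NLBs -> one-ALB layout: it derives the Shield Advanced protection targets (Elastic IP allocation ARNs for each internet-facing NLB, the ALB ARN for the WAF-fronted ALB), lists which of them are not yet protected, emits the matching `aws shield create-protection` / `aws shield enable-application-layer-automatic-response` CLI calls, and checks whether an ALB security group is written so that its connections are untracked (0.0.0.0/0 ingress and egress). Every load balancer, protection and security group record is constructed inline to mirror the shape of `describe-load-balancers`, `list-protections` and `describe-security-groups` output; the region, account id, ARNs and allocation ids are placeholders, and the exact port condition for untracked connections is a simplifying assumption noted in the code.

```python
"""Shield Advanced coverage planner for many NLBs -> one internal ALB (WAF) -> EC2.

Added example; not code from the re:Post thread. All records below are
constructed to match the shape of AWS CLI/boto3 output, and region, account
id and ARNs are placeholders.
"""

REGION = "us-east-1"        # assumed region
ACCOUNT = "123456789012"    # placeholder account id


def eip_arn(allocation_id):
    """Shield Advanced protects an NLB through its Elastic IP allocation ARN."""
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:eip-allocation/{allocation_id}"


def protection_targets(load_balancers):
    """Return the ARNs Shield Advanced should protect for the given LBs.

    Internet-facing NLBs contribute one EIP allocation ARN per AZ; ALBs are
    protected by their own ARN (layer 7 detection then relies on the WAF WebACL).
    """
    targets = []
    for lb in load_balancers:
        if lb["Type"] == "network" and lb["Scheme"] == "internet-facing":
            for az in lb["AvailabilityZones"]:
                for addr in az.get("LoadBalancerAddresses", []):
                    if addr.get("AllocationId"):
                        targets.append(eip_arn(addr["AllocationId"]))
        elif lb["Type"] == "application":
            targets.append(lb["LoadBalancerArn"])
    return targets


def missing_protections(load_balancers, existing_protections):
    """ARNs that should be protected but do not appear in list-protections output."""
    protected = {p["ResourceArn"] for p in existing_protections}
    return [arn for arn in protection_targets(load_balancers) if arn not in protected]


def cli_plan(missing):
    """CLI commands that would close the coverage gap (printed, not executed)."""
    cmds = []
    for i, arn in enumerate(missing):
        cmds.append(f'aws shield create-protection --name shield-{i} --resource-arn "{arn}"')
        if ":loadbalancer/app/" in arn:  # ALB: also turn on automatic layer 7 mitigation
            cmds.append('aws shield enable-application-layer-automatic-response '
                        f'--resource-arn "{arn}" --action Block={{}}')
    return cmds


def _open_to_world(rule):
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))


def _ingress_covers(rule, port):
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return _open_to_world(rule)
    if proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return _open_to_world(rule)
    return False


def _egress_all_ports(rule):
    # Assumption: the reverse-direction rule must cover all ports to avoid tracking.
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return _open_to_world(rule)
    if proto == "tcp" and rule.get("FromPort") == 0 and rule.get("ToPort") == 65535:
        return _open_to_world(rule)
    return False


def alb_sg_untracked(sg, listener_port=443):
    """True when the ALB security group allows 0.0.0.0/0 in and 0.0.0.0/0 out,
    the condition the last answer gives for keeping connections untracked."""
    ingress_ok = any(_ingress_covers(r, listener_port) for r in sg.get("IpPermissions", []))
    egress_ok = any(_egress_all_ports(r) for r in sg.get("IpPermissionsEgress", []))
    return ingress_ok and egress_ok


# --- constructed sample data (shape of describe-load-balancers / list-protections) ---
def _nlb(name, allocs):
    return {"LoadBalancerArn": f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}:loadbalancer/net/{name}/0000",
            "Type": "network", "Scheme": "internet-facing",
            "AvailabilityZones": [{"LoadBalancerAddresses": [{"AllocationId": a}]} for a in allocs]}

ALB_ARN = f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}:loadbalancer/app/internal-alb/1111"
LOAD_BALANCERS = [
    _nlb("nlb-a", ["eipalloc-0a1", "eipalloc-0a2"]),
    _nlb("nlb-b", ["eipalloc-0b1", "eipalloc-0b2"]),
    {"LoadBalancerArn": ALB_ARN, "Type": "application", "Scheme": "internal", "AvailabilityZones": []},
]
EXISTING_PROTECTIONS = [{"ResourceArn": eip_arn("eipalloc-0a1")}]  # only one EIP protected so far
MISSING = missing_protections(LOAD_BALANCERS, EXISTING_PROTECTIONS)

SG_TRACKED = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
              "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                       "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
SG_UNTRACKED = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
                "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print("\n".join(cli_plan(MISSING)))
    print("ALB SG untracked:", alb_sg_untracked(SG_UNTRACKED), alb_sg_untracked(SG_TRACKED))
```

Run as a script it prints the three `create-protection` calls for the unprotected NLB Elastic IPs, one for the ALB, and the automatic application-layer response call for the ALB; the security group check reports which group keeps the ALB's connections untracked. On a real account the constructed records would be replaced by the output of the corresponding `describe-*`/`list-protections` calls.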
