In what order does the traffic hit AWS components (Route 53, CloudFront), and what are those?


I'd like to see the chain of all AWS components one can use to process incoming traffic flow. What is the order in which the components work with the traffic? For example: user -> Route 53 -> WAF -> CloudFront -> ??

The ones that I know: Route 53, CloudFront, WAF. I'd like to see the full list of all traffic-related components, before it hits my ALB. I drew a diagram; is this the right order of the traffic flow? This is more of a general question.

2 Answers

When browsing to an endpoint, the first thing that happens is that DNS is resolved. So when going to www.example.com, your computer resolves the DNS name to an IP address. The DNS resolution may not come directly from Route53, but it could come from Cloudflare's DNS server or Google's, etc.

After the DNS resolution, your connection goes to CloudFront but is immediately forwarded to be evaluated in the WAF rulesets. After the traffic passes through the WAF, it evaluates various CloudFront preferences and forwards to the origin. The origin, in this case, would be an ALB.

answered a year ago

Hi Erjan,

So, first things: WAF with CloudFront.
It is more in parallel and implemented as part of the distribution. Take a look at the following security blog on how to protect using CloudFront: "How to protect dynamic web applications against DDoS attacks by using Amazon CloudFront and Amazon Route 53". It explains and shows how WAF protects CloudFront Edge and Regional components.

Next, let's look at how you can protect your Load Balancer.
First, you can also have WAF in front of ALBs. Take a look at this blog, "WAF for ALB", which should give more context. This is useful to prevent DDoS or application attacks at the ALB level bypassing CloudFront.
You might also want to consider NACLs and Security Groups within the VPC to control traffic to the ALB and resources.
You could also implement Network Firewall, or a third-party firewall via a Gateway Load Balancer, for inbound protection. Take a look at this Network Blog that explains how to use it for ingress traffic.

Lastly, you could take a look at AWS Shield.
This can add additional DDoS protection for the following services:

  • Amazon CloudFront distributions.

  • Amazon Route 53 hosted zones.

  • AWS Global Accelerator standard accelerators.

  • Amazon EC2 Elastic IP addresses. (Shield Advanced protects the resources that are associated with protected Elastic IP addresses such as NAT Gateway, EC2 Instance)

  • Elastic Load Balancing (ELB) load balancers.
    docs.aws....ddos-overview

So you end up with something that looks more like this:
Full Security

Hope this helps.

answered a year ago
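The second answer's point is that the chain only holds if the ALB cannot be reached around CloudFront and its WAF. The following is an added example (not code from the answers or from AWS): a posture check over constructed dictionaries shaped like the boto3 `get_distribution_config` and `describe_security_groups` responses. The web ACL ARN, security group ids and prefix list id are placeholders; the real CloudFront origin-facing managed prefix list is named `com.amazonaws.global.cloudfront.origin-facing`.

```python
from ipaddress import ip_network

# Placeholder id; look up the real one under the managed prefix list
# "com.amazonaws.global.cloudfront.origin-facing" in your account.
CLOUDFRONT_PREFIX_LIST = "pl-CONSTRUCTED"
WEB_PORTS = (80, 443)

# Constructed sample: distribution with a WAF web ACL attached, ALB as the origin.
DISTRIBUTION = {
    "WebACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/example/CONSTRUCTED",
    "Origins": {"Items": [{"Id": "alb", "DomainName": "example-alb-1.eu-west-1.elb.amazonaws.com"}]},
}
# Constructed ALB security groups: one admits only the CloudFront prefix list, one is open to the world.
ALB_SG_LOCKED = {"GroupId": "sg-CONSTRUCTED1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [],
     "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST}]}]}
ALB_SG_OPEN = {"GroupId": "sg-CONSTRUCTED2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": []}]}

def has_waf(dist: dict) -> bool:
    """A distribution is WAF-protected when a web ACL is associated with it."""
    return bool(dist.get("WebACLId"))

def origin_is_alb(dist: dict) -> bool:
    """True when every origin is an Elastic Load Balancing DNS name."""
    items = dist.get("Origins", {}).get("Items", [])
    return bool(items) and all(o["DomainName"].endswith(".elb.amazonaws.com") for o in items)

def bypass_rules(sg: dict) -> list:
    """Ingress rules on web ports open to any address: these let clients reach
    the ALB directly and skip CloudFront and the WAF in front of it."""
    found = []
    for rule in sg.get("IpPermissions", []):
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # protocol -1 has no ports
        if not any(lo <= p <= hi for p in WEB_PORTS):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(ip_network(c).prefixlen == 0 for c in cidrs):  # 0.0.0.0/0 or ::/0
            found.append(rule)
    return found

def audit(dist: dict, sg: dict) -> list:
    """Return findings; an empty list means the chain cannot be bypassed."""
    findings = []
    if not has_waf(dist):
        findings.append("no WAF web ACL on distribution")
    if not origin_is_alb(dist):
        findings.append("origin is not an ALB")
    if bypass_rules(sg):
        findings.append("ALB security group allows internet traffic that bypasses CloudFront")
    return findings
```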
