HTTP API GW -> (WAF) -> ALB, cannot pick up source IP


I have an HTTP API GW that connects to a private ALB via VPC Link.

But I cannot make WAF understand the Forwarded HTTP header that API GW sets:

forwarded: for=someip;host=somehost;proto=https

From what I understand, WAF wants a comma-separated list in the header it reads for the IP and uses the first one, and the documentation states that this is usually X-Forwarded-For.

Is there any way of making WAF understand the format that HTTP API GW is sending to ALB?
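To make the format mismatch in the question concrete, here is an added example (written for this page, not code from the original post or from AWS): an RFC 7239 Forwarded header carries one semicolon-separated element per hop, each with a `for=` node identifier that may be quoted, bracketed IPv6, or an obfuscated token such as `_hidden`, whereas X-Forwarded-For is a plain comma-separated list of addresses with the client first. The function below converts the former into the latter; it assumes a hypothetical hop between the HTTP API and the ALB where the header can be rewritten, and all sample headers in the tests are constructed.

```python
"""Convert an RFC 7239 ``Forwarded`` header into the comma-separated
client-IP list that a forwarded-IP rule expects to read from a header
such as ``X-Forwarded-For`` (client address first, then each proxy).

Added example for this thread, not code from the original post. It assumes
some hop between the HTTP API and the ALB where headers can be rewritten.
"""
import ipaddress
import re

# name=value, where value is either a quoted-string or a bare token.
_PAIR_RE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]*)\s*')


def _split(text, sep):
    """Split on ``sep`` at top level only, ignoring separators inside quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_forwarded(header):
    """Return one dict per hop (in order) with lower-cased parameter names and
    unquoted values, e.g. [{'for': '203.0.113.9', 'host': 'h', 'proto': 'https'}]."""
    hops = []
    for element in _split(header, ","):
        params = {}
        for pair in _split(element, ";"):
            m = _PAIR_RE.fullmatch(pair)
            if not m:
                continue  # skip malformed pairs instead of rejecting the request
            name, value = m.group(1).lower(), m.group(2)
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # strip quotes/escapes
            params[name] = value
        if params:
            hops.append(params)
    return hops


def node_to_ip(node):
    """Extract the address from a Forwarded node identifier such as
    '203.0.113.9', '198.51.100.17:8080', '[2001:db8::1]' or '[2001:db8::1]:443'.
    Returns None for obfuscated ('_hidden'), 'unknown' or malformed nodes,
    which carry no address an IP-based rule could match anyway."""
    if node.startswith("["):
        end = node.find("]")
        if end == -1:
            return None
        candidate = node[1:end]
    elif node.count(":") == 1:
        candidate = node.rsplit(":", 1)[0]  # IPv4 with a port
    else:
        candidate = node  # bare IPv4, or a non-compliant unbracketed IPv6
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def forwarded_to_xff(header):
    """Build an X-Forwarded-For value from a Forwarded header. The first
    element's ``for`` is the original client, later elements are the proxies
    that appended them, so the order is already the one X-Forwarded-For uses."""
    ips = []
    for hop in parse_forwarded(header):
        ip = node_to_ip(hop.get("for", ""))
        if ip:
            ips.append(ip)
    return ", ".join(ips)


if __name__ == "__main__":
    # Constructed sample matching the shape quoted in the question.
    print(forwarded_to_xff("for=203.0.113.9;host=api.example.com;proto=https"))
```

Note that the conversion drops obfuscated identifiers silently; if the header that reaches the ALB ends up empty, an IP-based rule falls back to whatever its fallback behaviour is configured to do, so that case is worth testing explicitly.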

1 Answer

The WAF attached to the ALB behind API Gateway does not recognize the source IP of the client. One approach would be to put CloudFront in front of API Gateway and attach AWS WAF to CloudFront. Alternatively, you could use HTTP API GW -> WAF -> NLB -> ALB. Or switch to port-based routing as opposed to path-based routing and change from ALB to NLB.

AWS
answered a year ago
  • I tried placing CF in front of the GW (which is the cleaner solution, I agree), but for the life of me I could not make it work.

    I followed several guides but only ended up with "< x-cache: Error from cloudfront".

    Route53 -> CF -> custom domain in my HTTP API GW

    Has anyone had similar issues?
