WAF with Global Accelerator


Hello

We have a WAF rule which disallows certain IPs (based on geography). In our original configuration, we had:

Global Accelerator --> Internet Facing ALB (w/ WAF integration) --> ECS cluster

As part of a security review, we noticed that those ALBs don't need to be Internet-facing, i.e., they could be internal-facing and on private subnets.

The proposed config is:

Global Accelerator --> Internal ALB --> ECS Cluster

and we have shown this works. However, we also noticed it's possible to have WAF integration with the internal ALB.

In this use case, is the WAF rule still effective? Will it still enforce the IP restrictions (seems that would only work if GA preserved the source IP)?

Thank you!

1 Answer

The design you describe should work fine; see the statement below from the documentation:

When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint always has client IP address preservation enabled.

Reference: https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

AWS Expert, answered a year ago
AWS Expert, reviewed a year ago
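An added verification, not part of the question or the answer: once the accelerator points at the internal ALB, confirm from the endpoint group description that every endpoint reports ClientIPPreservationEnabled (an endpoint without it would present an accelerator address to the ALB, so a source-IP geo rule would evaluate the wrong origin), and confirm from the WAF logs that the geo rule is actually terminating requests by client country. The endpoint group and log records below are constructed samples that follow the real response and log field names; the rule name GeoBlockRule, account id, ARNs, IPs and country codes are placeholders.

```python
import json

# Constructed sample mirroring the shape of
# `aws globalaccelerator describe-endpoint-group` output.
ENDPOINT_GROUP = {
    "EndpointGroup": {
        "EndpointDescriptions": [
            {"EndpointId": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                           "loadbalancer/app/internal-alb/0123456789abcdef",
             "Weight": 128, "HealthState": "HEALTHY",
             "ClientIPPreservationEnabled": True},
            {"EndpointId": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                           "loadbalancer/app/legacy-public-alb/fedcba9876543210",
             "Weight": 128, "HealthState": "HEALTHY",
             "ClientIPPreservationEnabled": False},
        ]
    }
}

# Constructed AWS WAF log records (one JSON object per line); the country codes
# and addresses are placeholders, the field names are the real WAF log fields.
WAF_LOG_LINES = """
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"GeoBlockRule","httpRequest":{"clientIp":"203.0.113.10","country":"XA","uri":"/"}}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","country":"XB","uri":"/health"}}
{"timestamp":1700000002000,"action":"BLOCK","terminatingRuleId":"GeoBlockRule","httpRequest":{"clientIp":"203.0.113.11","country":"XA","uri":"/login"}}
"""


def endpoints_without_ip_preservation(describe_response):
    """Endpoint IDs whose traffic reaches the ALB (and therefore WAF) with a
    Global Accelerator source address instead of the client's own, which
    would make a source-IP-based geo rule match the wrong origin."""
    endpoints = describe_response["EndpointGroup"]["EndpointDescriptions"]
    return [e["EndpointId"] for e in endpoints
            if not e.get("ClientIPPreservationEnabled", False)]


def geo_block_summary(log_text, rule_id):
    """Count BLOCK decisions terminated by the geo rule, per client country.
    Non-empty counts over distinct client IPs show the rule is seeing and
    acting on real client origins rather than accelerator addresses."""
    counts = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["action"] == "BLOCK" and rec["terminatingRuleId"] == rule_id:
            country = rec["httpRequest"]["country"]
            counts[country] = counts.get(country, 0) + 1
    return counts
```

Against a live account, feed `endpoints_without_ip_preservation` the JSON from `aws globalaccelerator describe-endpoint-group --endpoint-group-arn <arn>` and `geo_block_summary` the WAF log objects delivered to your logging destination.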
