Rate-based rule in AWS WAF


Hi everyone,

I have two publicly accessible EC2 instances: let's call them Instance A and Instance B. Instance A very frequently sends requests to instance B. And Instance B is sitting behind a Load Balancer. I am attaching a Web ACL to the Load Balancer to enhance security for instance B. My focus is on external requests.

My question is: if I rate limit only the IP address, does it also affect the requests sent from instance A, not just external requests? For example, if instance A is sending more than 100 requests within 5 minutes, will its requests be blocked?

Thank you very much.

1 Answer
Accepted Answer

Hello.

My question is: if I rate limit only the IP address, does it also affect the requests sent from instance A, not just external requests? For example, if instance A is sending more than 100 requests within 5 minutes, will its requests be blocked?

If no measures are taken, all IP addresses will be subject to inspection, so even if the request is from instance A, if it matches the rules, it will be blocked.

Is the IP address of Instance A a static IP address?
If your EC2 instance uses a static IP address, you should create an IP set in AWS WAF and configure it to allow connections from the EC2 instance's IP address.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html

I think the following stackoverflow answers will be helpful.
https://stackoverflow.com/questions/74469658/how-to-exclude-certain-ip-for-aws-waf-rate-limit

answered 18 days ago
reviewed 18 days ago
  • Hi, Riku. Yes, instance A has a static public IP address. But some instances do not have a static IP. What should I do for those instances?

    Another related question is: does the rate-based rule work the same for both public and private IPs? If requests coming from a private IP exceed the threshold, will they get blocked? Thank you.

  • But some instances do not have a static IP. What should I do for those instances?

    If you do not have a static IP address, you can make the IP address static by attaching an Elastic IP address or by moving the EC2 instance to a private subnet and communicating via NAT Gateway.

    Another related question is: does the rate-based rule work the same for both public and private IPs? If requests coming from a private IP exceed the threshold, will they get blocked?

    I haven't tried it with a private IP address, but I suspect it might be possible. The source only needs to be a private IP address, so in this case AWS WAF needs to be attached to a private ALB. In other words, I think it can be used when you want to control communication within a VPC or from on-premises with a VPN connection. However, since rate-based rules check based on the source IP address, in the case of AWS WAF attached to a public ALB, the source IP address is always a public IP address, so restrictions using private IP addresses are not possible. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.html

  • I set up AWS WAF on a private ALB in my AWS account and tried accessing it from EC2 in the VPC. As a result, we were able to confirm that rate-based rules work even with private IP addresses. However, as explained in the comment above, this setting can only be used on private ALBs. If it is a public ALB, it cannot be controlled using a private IP address.

  • I see. Thanks a lot for your helpful and insightful answers. :)
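The accepted answer suggests an IP set for instance A's static address so the rate-based rule never counts it. The following is an added example, not code from the thread or from AWS: it builds a rate-based rule in the AWS WAFv2 JSON rule schema whose scope-down statement excludes a trusted IP set (the rule name and IP set ARN are placeholders), and pairs it with a small local model of the counting behaviour so the effect of the exclusion can be checked offline. The constructed sample addresses are documentation ranges, not real hosts.

```python
"""Rate-based WAF rule with a trusted-IP exclusion, plus a local model.

Added example, not part of the thread. The rule dict follows the AWS WAFv2
rule JSON schema; the ARN and rule name are placeholders. RateLimitSim is
only a model of the counting rule discussed above, not AWS WAF itself.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def rate_based_rule(name, limit, trusted_ipset_arn, window_sec=300):
    """Rate-based rule keyed on source IP. The NotStatement scope-down means
    requests from the trusted IP set are never counted, so a chatty static
    instance cannot trip the limit; everyone else is counted per source IP."""
    return {
        "Name": name,
        "Priority": 1,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {
            "Limit": limit,
            "AggregateKeyType": "IP",
            "EvaluationWindowSec": window_sec,  # 300 s (5 min) is the default
            "ScopeDownStatement": {"NotStatement": {"Statement": {
                "IPSetReferenceStatement": {"ARN": trusted_ipset_arn}}}},
        }},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


class RateLimitSim:
    """Sliding-window model of the rule above: trusted CIDRs are skipped;
    any other source IP is blocked once its requests in the window exceed
    the limit. Real WAF evaluates counts periodically, so this is a model."""

    def __init__(self, rule, trusted_cidrs):
        stmt = rule["Statement"]["RateBasedStatement"]
        self.limit = stmt["Limit"]
        self.window = stmt["EvaluationWindowSec"]
        self.trusted = [ip_network(c) for c in trusted_cidrs]
        self.hits = defaultdict(deque)  # src_ip -> timestamps in window

    def decide(self, src_ip, t):
        if any(ip_address(src_ip) in net for net in self.trusted):
            return "ALLOW"  # excluded by scope-down: never counted
        q = self.hits[src_ip]
        q.append(t)
        while q and q[0] <= t - self.window:  # drop hits outside the window
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"
```

Deploying the dict as a rule in a Web ACL (via console, CLI or IaC) is what attaches the exclusion; the model only shows why instance A's traffic stops counting toward the limit.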
