Integrating Lightsail with WAF: Target Group doesn't allow Lightsail IPs to be entered

0

In this blog from September 2023, AWS describes the process of integrating Lightsail webservers with AWS WAF, using Application Load Balancers: https://aws.amazon.com/blogs/compute/integrating-aws-waf-with-your-amazon-lightsail-instance/

Step 5 in the part for doing this via an Application Load Balancer does not work. I have VPC peering enabled for the region, I can see it is working correctly in the VPC console, but attempting to add the private IP of the Lightsail instance to the target group results in this error: "IP address must belong to an existing subnet."

I can see the problem - the VPC has a different CIDR to the internal Lightsail VPC, which is why the VPC peering is needed to connect Lightsail resources to other AWS resources in the first place. What I don't know is how to add a Lightsail IP to the target group given that it refuses to accept anything from outside the default VPC, regardless of peering.

3 Answers
0
Accepted Answer

In the Register targets page in Step 5, make sure that you select "Other private IP address" in the Network drop-down. By default, the existing VPC in the account is selected, which the Lightsail instance private IP address is not a part of. Once you change it to "Other private IP address", you should be able to add the private IP address of the Lightsail instance to the target group.

AWS
answered 4 months ago
  • Ahh.. somehow I had thought that box was only to select VPCs and didn't notice that (evidently I didn't have enough coffee). Thanks for pointing this out!
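The CLI/API equivalent of the "Other private IP address" option, as an added example (not code from the re:Post thread or from AWS): an IP that lies outside the target group's VPC but is reachable over the peering connection must be registered with an explicit AvailabilityZone, and "all" is the value the console sends. The target group ARN, VPC CIDR and Lightsail private IPs below are constructed placeholders, and the example assumes an Application Load Balancer target group with cross-zone load balancing left at its default (enabled).

```python
"""Build the register_targets request for a peered Lightsail private IP."""
import ipaddress

# Private ranges ELBv2 accepts for ip-type targets in addition to the VPC CIDR.
ALLOWED_TARGET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_register_targets_request(target_group_arn, vpc_cidr, ips, port=80):
    """Return kwargs for boto3 elbv2.register_targets().

    IPs inside the target group's VPC get their AZ auto-detected, so no
    AvailabilityZone is sent. IPs outside the VPC (the peered Lightsail
    case) must carry AvailabilityZone="all"; this is what the console's
    "Other private IP address" network selection does instead of checking
    the IP against the default VPC's subnets.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    targets = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        in_vpc = addr in vpc
        if not in_vpc and not any(addr in r for r in ALLOWED_TARGET_RANGES):
            # Public or otherwise unsupported addresses are refused up front.
            raise ValueError(f"{ip} is not a private IP an ALB target group accepts")
        target = {"Id": ip, "Port": port}
        if not in_vpc:
            target["AvailabilityZone"] = "all"  # outside-VPC / peered target
        targets.append(target)
    return {"TargetGroupArn": target_group_arn, "Targets": targets}


if __name__ == "__main__":
    # Constructed sample values: a default-VPC CIDR and two Lightsail private IPs.
    req = build_register_targets_request(
        "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER",
        vpc_cidr="172.31.0.0/16",
        ips=["172.26.8.25", "172.26.8.26"],
        port=443,
    )
    print(req)
    # To apply for real: import boto3; boto3.client("elbv2").register_targets(**req)
```

Each Lightsail instance's private IP is registered the same way, so several instances behind one ALB need no extra proxy tier.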

0

Set up a NAT instance or gateway in your VPC that can route traffic from the ALB to your Lightsail instance. This requires careful configuration of routing tables and security groups.

or

Set up a reverse proxy (like Nginx or Apache) in your VPC that forwards requests to the Lightsail instance. The reverse proxy would be added to the ALB target group instead of the Lightsail instance directly.

EXPERT
answered 4 months ago
  • A NAT gateway adds a lot of additional cost here, and unless I'm mistaken the latter option wouldn't work with multiple Lightsail servers (how is the ALB going to tell the proxy which Lightsail server to go to? The proxy itself would have to be doing the load balancing, unless you mean one proxy server per Lightsail instance).

    Either way, it's odd that the documentation is lacking here, given it's only from September this year. It seems like complete overkill to have to go to this many steps for WAF integration.

0

I did some research, and found an alternative way to do this, after some investigation.

Target groups in EC2 can't have Lightsail instances in them - but you can make a CloudFront Distribution, set a Lightsail Load Balancer as its origin, and use WAF on that distribution instead. A bit unwieldy, but it seems to work. The Lightsail load balancer needs to have the domain name of the CDN distribution included in its SSL/TLS certificate.

answered 4 months ago
