AWS Shield Advanced provides DDoS protection for AWS resources. When it comes to load balancers, it's important to remember where your primary entry points are for incoming internet traffic, as those are typically the points you'd want to defend against Distributed Denial of Service (DDoS) attacks.
Apply AWS Shield Advanced to each of the internet-facing NLBs. This will provide the DDoS protection at the points where your resources are directly exposed to the public internet. Furthermore, continue using AWS WAF on your ALB for protection against more sophisticated layer 7 attacks, such as SQL injection, XSS, etc. While Shield protects against DDoS attacks, WAF provides a separate layer of defense for application layer threats.
Regards, Andrii
It is recommended to deploy Shield Advanced at the border of your AWS network, i.e., the NLB as mentioned in the scenario. (Also check if you have additional elements like Route53 hosted zones ahead of the NLB in your traffic flow.)
Network Load Balancers can be protected by first attaching the resources to Elastic IP addresses, and then protecting the Elastic IP addresses in Shield Advanced.
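The answer above states the rule but not the mechanics: Shield Advanced has no resource type for an NLB, so you protect the Elastic IP allocation behind each AZ of the NLB. The script below is an added example (not code from the thread or from AWS) that reads the NLB's mapped EIP allocation IDs from `describe_load_balancers`, builds the `arn:<partition>:ec2:<region>:<account>:eip-allocation/<id>` ARN that `shield.create_protection` expects, skips allocations already protected, and refuses NLBs that are internal or have an AZ with no EIP. The clients are passed in, so the logic can be exercised offline; the `boto3` calls and field names are the real ones, the NLB ARN on the command line is yours.

```python
"""Protect the Elastic IPs behind an internet-facing NLB with Shield Advanced.

Shield Advanced does not accept an NLB ARN as a protected resource; it
protects the Elastic IP allocations the NLB is mapped to. The elbv2 and
shield arguments are boto3 clients (or any object with the same methods).
"""


def split_arn(arn):
    """Return (partition, region, account) from an ARN such as
    arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/x/abc."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[1], parts[3], parts[4]


def eip_allocation_arn(partition, region, account, allocation_id):
    """ARN format Shield expects for an EIP: the allocation ID, not the address."""
    return f"arn:{partition}:ec2:{region}:{account}:eip-allocation/{allocation_id}"


def nlb_eip_allocations(elbv2, nlb_arn):
    """List the EIP allocation IDs mapped to each AZ of an internet-facing NLB.

    Raises if the load balancer is not an internet-facing NLB or if any AZ has
    no Elastic IP mapped: without an EIP there is nothing Shield can protect.
    """
    lb = elbv2.describe_load_balancers(LoadBalancerArns=[nlb_arn])["LoadBalancers"][0]
    if lb["Type"] != "network" or lb["Scheme"] != "internet-facing":
        raise ValueError(f"{nlb_arn}: not an internet-facing NLB")
    allocations = []
    for az in lb["AvailabilityZones"]:
        ids = [a["AllocationId"] for a in az.get("LoadBalancerAddresses", [])
               if a.get("AllocationId")]
        if not ids:
            raise ValueError(f"{az['ZoneName']}: no Elastic IP mapped; attach EIPs first")
        allocations.extend(ids)
    return allocations


def existing_protected_arns(shield):
    """Set of resource ARNs that already have a Shield Advanced protection."""
    arns, kwargs = set(), {}
    while True:
        page = shield.list_protections(**kwargs)
        arns.update(p["ResourceArn"] for p in page.get("Protections", []))
        if not page.get("NextToken"):
            return arns
        kwargs = {"NextToken": page["NextToken"]}


def protect_nlb(elbv2, shield, nlb_arn, name_prefix="nlb"):
    """Create one Shield protection per unprotected EIP behind the NLB.

    Returns the list of EIP ARNs for which a protection was created.
    """
    partition, region, account = split_arn(nlb_arn)
    already = existing_protected_arns(shield)
    created = []
    for allocation_id in nlb_eip_allocations(elbv2, nlb_arn):
        arn = eip_allocation_arn(partition, region, account, allocation_id)
        if arn in already:
            continue  # idempotent: re-running the script is safe
        shield.create_protection(Name=f"{name_prefix}-{allocation_id}", ResourceArn=arn)
        created.append(arn)
    return created


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against your account

    nlb_arn = sys.argv[1]  # e.g. arn:aws:elasticloadbalancing:eu-west-1:<account>:loadbalancer/net/<name>/<id>
    _, region, _ = split_arn(nlb_arn)
    session = boto3.session.Session(region_name=region)
    # Shield is a global service whose API endpoint lives in us-east-1.
    shield_client = session.client("shield", region_name="us-east-1")
    for arn in protect_nlb(session.client("elbv2"), shield_client, nlb_arn):
        print("protected", arn)
```

Run it as `python protect_nlb.py <nlb-arn>` with credentials that allow `elasticloadbalancing:DescribeLoadBalancers`, `shield:ListProtections` and `shield:CreateProtection`; a Shield Advanced subscription must already exist or `create_protection` fails. The ALB in the scenario does not go through this path: Shield Advanced protects an ALB by its own ARN, and the WAF web ACL referenced in the other answers is attached to that ALB.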
For full protection in this situation you should apply Shield Advanced protection to each NLB (for layer 3/4 detection and mitigation at the network border) and to each ALB with a WAF WebACL for layer 7 (RequestFlood) detection and mitigation (if you have enabled Automatic Application layer protection).
Having said that, if you are cost sensitive to Shield DTO you could possibly get away with not enabling Protection for the NLBs, as NLB will scale rapidly in response to an attack and also drop any traffic not matching a listener. NLB targets on non-TLS listeners can be sensitive to SYN flood attacks; however, an ALB target should scale in response to SYN flood. One thing to watch out for is making sure that any security groups associated with the ALB do not have security group connection tracking enabled, by ensuring that ingress rules allow traffic from 0.0.0.0/0 and that egress rules allow traffic to 0.0.0.0/0.
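The security-group point in the answer above is easy to get wrong, because the condition for an untracked flow is specific: the inbound rule must allow the listener port from 0.0.0.0/0 (or ::/0 for IPv6), and an outbound rule must allow all ports of the same protocol (or all traffic) to 0.0.0.0/0 (or ::/0). Any narrower rule, such as a CIDR, a prefix list or a security group reference, makes the flow tracked. The audit below is an added example, not from the thread or from AWS; it evaluates the dict shape returned by `ec2.describe_security_groups()` and the two sample groups are constructed for illustration.

```python
"""Check whether an ALB security group lets its listener flows go untracked.

EC2 skips connection tracking for a TCP/UDP flow only when an inbound rule
allows it from 0.0.0.0/0 (or ::/0) AND an outbound rule allows all response
traffic to 0.0.0.0/0 (or ::/0) on all ports (0-65535). Anything tighter makes
the flow tracked, so the node's connection table is what fills up under a
SYN flood. Input is one entry of ec2.describe_security_groups()["SecurityGroups"].
"""

# (ranges key, cidr key, "anywhere" CIDR) per address family
WORLD = {
    False: ("IpRanges", "CidrIp", "0.0.0.0/0"),
    True: ("Ipv6Ranges", "CidrIpv6", "::/0"),
}


def open_to_world(rule, ipv6=False):
    """True if the rule's source/destination includes 0.0.0.0/0 (or ::/0)."""
    ranges_key, cidr_key, anywhere = WORLD[ipv6]
    return any(r.get(cidr_key) == anywhere for r in rule.get(ranges_key, []))


def rule_covers_port(rule, proto, port):
    """True if the rule allows `proto` on `port` ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == proto
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))


def rule_covers_all_ports(rule, proto):
    """True only for all-traffic rules or `proto` rules spanning 0-65535."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == proto
            and rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)


def flow_is_untracked(sg, port, proto="tcp", ipv6=False):
    """Apply the EC2 untracked-connection condition to one listener port."""
    ingress_open = any(rule_covers_port(r, proto, port) and open_to_world(r, ipv6)
                       for r in sg.get("IpPermissions", []))
    egress_open = any(rule_covers_all_ports(r, proto) and open_to_world(r, ipv6)
                      for r in sg.get("IpPermissionsEgress", []))
    return ingress_open and egress_open


def audit_alb_security_group(sg, listener_ports, dualstack=False):
    """Return one finding per (port, address family) whose flows are tracked."""
    findings = []
    for port in listener_ports:
        for ipv6 in ([False, True] if dualstack else [False]):
            if not flow_is_untracked(sg, port, "tcp", ipv6):
                family = "IPv6" if ipv6 else "IPv4"
                findings.append(
                    f"{sg['GroupId']}: TCP/{port} {family} flows are tracked; allow the port "
                    f"from {WORLD[ipv6][2]} inbound and all ports to {WORLD[ipv6][2]} outbound")
    return findings


# Constructed samples in the describe_security_groups() shape (not real groups).
UNTRACKED_SG = {
    "GroupId": "sg-0a1b2c3d4e5f60001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                       "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
}
TRACKED_SG = {  # egress pinned to the target subnet: flows are tracked
    "GroupId": "sg-0a1b2c3d4e5f60002",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
}

if __name__ == "__main__":
    for sg in (UNTRACKED_SG, TRACKED_SG):
        for line in audit_alb_security_group(sg, [443], dualstack=True) or [f"{sg['GroupId']}: ok"]:
            print(line)
```

The trade-off this makes visible: restricting the ALB's ingress to the CloudFront managed prefix list, or locking egress down to the target subnet, is good hygiene but turns every listener flow into a tracked connection. If you want the untracked behaviour the answer relies on, leave both directions open to 0.0.0.0/0 (and ::/0 on a dualstack ALB) and push the source restriction into WAF or onto the targets' own security groups instead. To run it against a live account, feed it `boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"][0]`.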