AWS WAF (Web Application Firewall)


Hello people, today we will be learning about AWS Web Application Firewall (WAF) and doing a simple demo on it.

AWS WAF defends web applications from common web threats using customizable rules that filter and block malicious traffic. It integrates with CloudFront and Application Load Balancers (ALB), and publishes metrics to CloudWatch for real-time monitoring.

Let's get started.


Overview

In this setup, we will create two subnets, each containing an EC2 instance. These instances will be fronted by an Application Load Balancer (ALB). Then we will configure AWS WAF with a simple IP set rule that blocks requests coming from our own IP address.


Task 1: Creating a VPC

Search for VPC in the search box.

Click on Create VPC.

Provide a suitable name for your VPC and enter an IPv4 CIDR block.

Click on Create VPC with all other configurations left as default.


Task 2: Creating Internet Gateway

On Internet gateways, click on Create internet gateway.

Provide a name for your internet gateway and click on Create internet gateway.

Click on Attach to a VPC, select your VPC and click on Attach internet gateway.


Task 3: Creating Subnets

On Subnets, click on Create subnet.

Select your VPC.

Provide a suitable name for your subnet and an eligible CIDR range.

Click on Add new subnet.

Provide a name for your second subnet and an eligible CIDR range.

Click on Create subnet.


Task 4: Creating Route tables

On Route tables, click on Create route table.

Provide a name for your route table and select your VPC.

Click on Create route table.

Now, in Subnet associations, click on Edit subnet associations to associate subnets with this route table.

Select both of your subnets and click on Save associations.

Now, on Routes, click on Edit routes to add a route to the route table.

Add the route shown in the screenshot (destination 0.0.0.0/0, so the subnets become public) and select your internet gateway as the target.

Click on Save changes.


Task 5: Creating EC2 instances

Search for EC2 in the search box.

Click on Launch instances.

Provide a name for your instance and choose an AMI. I have picked Ubuntu as my AMI.

Select a free-tier-eligible instance type if possible, and either create a new key pair or use an existing one.

Edit Network settings.

Select your VPC, pick one of your subnets and enable Auto-assign public IP.

We have a default security group configured with SSH access.

Click on Add security group rule.

Configure the rule as shown in the screenshot (inbound HTTP, so the web page served by the script below can be reached from your browser).

Click on Advanced details.

Scroll down to the User data section and paste the following script.

#!/bin/bash
# User data runs as root at first boot, so sudo is not needed.
# -y answers the apt prompts; DEBIAN_FRONTEND avoids interactive dialogs.
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y apache2
echo "<h1>Hello from the first server</h1>" > /var/www/html/index.html
systemctl restart apache2

Code explained

This script installs the Apache web server and serves a simple HTML page with the message "Hello from the first server".

Click on Launch instance.

Copy the Public IPv4 address of your instance and paste it into your browser to confirm the page loads.

Set up another instance in a different subnet. Follow the same steps as before, but this time, make a slight change in the user data. Everything else can remain the same.

#!/bin/bash
# Same script as the first server; only the page text changes.
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y apache2
echo "<h1>Hello from the second server</h1>" > /var/www/html/index.html
systemctl restart apache2

We have set up our second instance as well.


Task 6: Creating Target groups

On Target groups, click on Create target group.

Provide a name for your target group and select your VPC, keeping all other settings at their defaults.

Select both of your instances and click on Include as pending below.

Click on Create target group.


Task 7: Creating Load Balancer

On Load Balancers, click on Create load balancer.

Choose Application Load Balancer as the load balancer type.

Provide a suitable name for your load balancer.

Select your VPC and also tick all of your subnets.

Under Security groups, click on Create a new security group.

Provide a suitable name for your security group and select your VPC.

In Inbound rules, configure the rule as shown in the screenshot (inbound HTTP, so the load balancer accepts web traffic from the Internet).

Click on Create security group.

Return to your ALB setup page and refresh the Security groups.

Select your security group.

Select your target group & click on Create load balancer.

It takes a while to provision.

When the load balancer is ready, copy its DNS name and paste it into your browser.

Refresh the page a few times to see the load balancer alternate between the two servers.


Task 8: Setting up AWS WAF

Search for WAF in the search box and select WAF & Shield.

On the WAF & Shield dashboard, go to IP sets and click on Create IP set.

IP sets in AWS WAF are collections of IP addresses or IP address ranges that you can use to specify which IPs should be allowed or blocked. By creating an IP set, you can easily manage a list of trusted or suspicious IP addresses and reference this list in your Web ACL rules.

Let's restrict access to our instances by blocking our own IP address.

To get your public IP address: find your IP address here.

Make sure to append /32 to your IP address: AWS WAF IP sets take entries in CIDR notation, and /32 matches only that single address.

Click on Create IP set.

Now on Web ACLs, click on Create web ACL.

When setting up a Web ACL, you need to choose the resource type it will protect. There are two main categories:

  1. Amazon CloudFront distributions: These are globally distributed networks that deliver content with low latency.

  2. Regional resources: These include services that operate within a specific AWS Region, such as our Application Load Balancer.

Selecting the resource type determines how the Web ACL rules will be applied to manage and control access.

Provide a name for your Web ACL.

Click on Add AWS resources.

Select your Application Load Balancer and click on Add.

Click on Next.

In the Add rules panel, there are two modes:

  1. Managed Rule Groups: These are pre-configured sets of rules created by AWS or AWS Marketplace sellers.

  2. Add My Own Rules & Groups: This option allows you to create custom rules based on your specific needs.

Click on Add my own rules and rule groups.

There are different rule types to choose from. As we have already talked about IP sets, let's look at the remaining ones.

  • Rule builder: A tool to create custom rules that specify conditions for allowing or blocking web requests.

  • Rule group: A collection of rules managed together, which can be custom-made or provided by AWS/third parties, simplifying rule management for web applications.

For now, we are sticking to IP set.

Name your rule and select your IP set.

When requests come through a CDN or proxy, the source IP is the proxy's, and the original client IP is carried in a header such as X-Forwarded-For. Using "IP address in header" can be risky because headers can be altered by the client or handled inconsistently by proxies. Choose between using the source IP or the IP in the header to identify the original address.

The purpose is to accurately identify the original source IP address of a request that passes through a CDN or proxy. This helps in applying the correct security rules and logging the true origin of the traffic, rather than just the intermediary proxy's IP address. However, caution is needed: only trust the header when a proxy you control sets it, because anyone can send a request with that header already filled in.

We can specify the action to take when a request originates from an IP address in a defined IP set. For now, let's stick to Block.
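As an added example (not code from the original post), the following Python prepares the IP set entries the way AWS WAF expects them and builds the rule we just configured in the console. It covers the /32 advice from the IP set step and the source-IP versus "IP address in header" choice above. The IP set ARN is a placeholder; the rule dictionary follows the WAFv2 API shape (IPSetReferenceStatement, optional IPSetForwardedIPConfig, VisibilityConfig) so it can be passed as one entry of Rules to boto3's wafv2.create_web_acl, but nothing here calls AWS.

```python
"""Added example, not from the original post: prepare addresses for an AWS WAF
IP set and build the Web ACL rule that blocks them.

Assumptions: the ARN is a placeholder; dict shapes follow the WAFv2 API and
would be passed to boto3 wafv2.create_ip_set / create_web_acl. No AWS calls."""
import ipaddress


def normalize_ip_set_addresses(entries):
    """Return {"IPV4": [...], "IPV6": [...]} ready for create_ip_set.

    - AWS WAF stores one address family per IP set (IPAddressVersion), so
      entries are split by family.
    - Every entry must be CIDR notation: a bare address becomes a host route
      ("203.0.113.7" -> "203.0.113.7/32", or /128 for IPv6), exactly what the
      post's "add /32" advice does by hand.
    - Host bits are not silently discarded: "10.0.0.5/8" is rejected, so a typo
      cannot widen one address into a whole /8 block.
    - /0 is rejected: a set that matches every address is never intended.
    - Duplicates are dropped while preserving order.
    """
    result = {"IPV4": [], "IPV6": []}
    seen = set()
    for raw in entries:
        text = raw.strip()
        if "/" not in text:
            addr = ipaddress.ip_address(text)  # ValueError if not an address
            text = f"{addr}/{addr.max_prefixlen}"
        net = ipaddress.ip_network(text, strict=True)  # strict: no host bits
        if net.prefixlen == 0:
            raise ValueError(f"refusing /0 entry {raw!r}: it matches everything")
        key = str(net)
        if key in seen:
            continue
        seen.add(key)
        result[f"IPV{net.version}"].append(key)
    return result


def ip_set_block_rule(name, ip_set_arn, priority=0, trust_forwarded_header=False):
    """Build one Web ACL rule that blocks requests whose IP is in the IP set.

    trust_forwarded_header=False inspects the connection source IP (the safe
    default). True switches to the "IP address in header" mode: the address is
    read from X-Forwarded-For at Position FIRST (the left-most value, which is
    also the one a client can write itself), with FallbackBehavior NO_MATCH so
    a missing or malformed header does not trigger the block. Use that mode
    only when a proxy you control sets the header.
    """
    statement = {"IPSetReferenceStatement": {"ARN": ip_set_arn}}
    if trust_forwarded_header:
        statement["IPSetReferenceStatement"]["IPSetForwardedIPConfig"] = {
            "HeaderName": "X-Forwarded-For",
            "FallbackBehavior": "NO_MATCH",
            "Position": "FIRST",
        }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,   # what Task 9's Sampled requests shows
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    # Constructed entries: a bare address, a range with stray whitespace,
    # the first address again in CIDR form, and an IPv6 address.
    addresses = normalize_ip_set_addresses(
        ["203.0.113.7", " 198.51.100.0/24 ", "203.0.113.7/32", "2001:db8::1"])
    print(addresses)
    # {'IPV4': ['203.0.113.7/32', '198.51.100.0/24'], 'IPV6': ['2001:db8::1/128']}
    placeholder_arn = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/NAME/ID"
    print(ip_set_block_rule("block-my-ip", placeholder_arn)["Statement"])
```

The strict=True check is the part worth keeping when you script IP sets: the console will refuse an entry with host bits set, but a script that "helpfully" masks them would turn a single workstation address into a much wider block rule.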

Click on Add rule.

AWS WAF evaluates the rules and rule groups in the order shown, starting from the top. We can move rules up or down to change the evaluation order.

The order of evaluation affects the behavior of the web ACL. For example, suppose a web request matches a rule that allows requests and matches another rule that counts requests. If you list the rule that allows requests before the rule that counts requests, AWS WAF will allow the request and won’t count it.
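To make the ordering behaviour concrete, here is an added example (not code from the original post) that models how a Web ACL walks its rule list: top-down by priority, the first matching Allow or Block is final, a matching Count is recorded and evaluation continues, and the default action applies when nothing terminates. It also models the source-IP versus header choice from the rule step, so the same small evaluator shows why a header-based rule ignores the real connection address. Rules and requests are plain dictionaries constructed here with this example's own keys; they are not the WAFv2 API shape, and nothing talks to AWS.

```python
"""Added example, not from the original post: a local model of Web ACL rule
evaluation (priority order, terminating vs Count actions, source IP vs header).
Dict keys are this example's own; constructed sample data only; no AWS calls."""
import ipaddress


def _in_set(ip_text, cidrs):
    """True if ip_text lies in any CIDR of the IP set; ValueError if not an IP."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def rule_matches(rule, request):
    """Inspect the connection source IP or, when the rule carries a
    forwarded_ip config (the console's "IP address in header"), the FIRST or
    LAST value of that header. A missing or malformed header falls back to the
    configured behaviour: MATCH counts as a match, NO_MATCH does not."""
    cfg = rule.get("forwarded_ip")
    if cfg is None:
        return _in_set(request["source_ip"], rule["ip_set"])
    header = request.get("headers", {}).get(cfg["header"], "")
    values = [v.strip() for v in header.split(",") if v.strip()]
    if not values:
        candidate = ""
    elif cfg["position"] == "FIRST":
        candidate = values[0]
    else:
        candidate = values[-1]
    try:
        return _in_set(candidate, rule["ip_set"])
    except ValueError:
        return cfg["fallback"] == "MATCH"


def evaluate(web_acl, request):
    """Return (final_action, names of Count rules that matched).
    Rules run in ascending priority. The first matching ALLOW or BLOCK ends
    evaluation; a matching COUNT is recorded and evaluation continues; if no
    rule terminates, the web ACL's default action applies."""
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if not rule_matches(rule, request):
            continue
        if rule["action"] == "COUNT":
            counted.append(rule["name"])
            continue
        return rule["action"], counted
    return web_acl["default_action"], counted


# Constructed sample data using documentation address ranges.
MY_IP = "203.0.113.7"
REQ_FROM_ME = {"source_ip": MY_IP, "headers": {}}
REQ_FROM_OTHER = {"source_ip": "198.51.100.20", "headers": {}}
# A request whose X-Forwarded-For header names our address although the
# connection itself comes from somewhere else.
REQ_CLAIMING_MY_IP = {"source_ip": "198.51.100.20",
                      "headers": {"X-Forwarded-For": f"{MY_IP}, 198.51.100.20"}}


def demo_web_acl():
    """The post's setup: default Allow, one Block rule on our /32."""
    return {"default_action": "ALLOW", "rules": [
        {"name": "block-my-ip", "priority": 0, "action": "BLOCK",
         "ip_set": [f"{MY_IP}/32"]}]}


def ordering_web_acl(allow_first):
    """Allow and Count rules on the same IP set; only the priorities differ."""
    allow = {"name": "allow-my-ip", "action": "ALLOW", "ip_set": [f"{MY_IP}/32"]}
    count = {"name": "count-my-ip", "action": "COUNT", "ip_set": [f"{MY_IP}/32"]}
    allow["priority"], count["priority"] = (0, 1) if allow_first else (1, 0)
    return {"default_action": "BLOCK", "rules": [allow, count]}


def header_web_acl(trust_header):
    """Block rule on our /32, inspecting either the source IP or the header."""
    rule = {"name": "block-my-ip", "priority": 0, "action": "BLOCK",
            "ip_set": [f"{MY_IP}/32"]}
    if trust_header:
        rule["forwarded_ip"] = {"header": "X-Forwarded-For",
                                "position": "FIRST", "fallback": "NO_MATCH"}
    return {"default_action": "ALLOW", "rules": [rule]}


if __name__ == "__main__":
    print(evaluate(demo_web_acl(), REQ_FROM_ME))            # ('BLOCK', [])
    print(evaluate(ordering_web_acl(True), REQ_FROM_ME))    # ('ALLOW', [])
    print(evaluate(ordering_web_acl(False), REQ_FROM_ME))   # ('ALLOW', ['count-my-ip'])
    print(evaluate(header_web_acl(True), REQ_CLAIMING_MY_IP))   # ('BLOCK', [])
    print(evaluate(header_web_acl(True), REQ_FROM_ME))          # ('ALLOW', [])
```

The second and third lines of output are the post's own example: Allow before Count never increments the counter, Count before Allow does. The last two lines are the header caveat in action: in header mode the rule is decided purely by what the header says, so a request from another address that names our IP is treated as ours, while our own request without the header is not matched at all. The same mechanism applied to an Allow rule would let unrelated traffic through, which is why source IP is the right default unless a proxy you control writes that header.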

As we do not have multiple rules for now, click on Next.

Click on Next.

Review your Web ACL and click on Create web ACL.

We have created our Web ACL.

Now search for load balancer in the search box.

Select your load balancer & copy the DNS name. Paste it into your browser.


Task 9: Exploring WAF

The request is now blocked because the Web ACL matches our IP against the IP set. Reload the page a few times; those blocked requests will show up in the WAF views we look at next.

Search for WAF in the search box and select WAF & Shield.

On Web ACLs, select your Web ACL.

We can explore different aspects here. Let's look at the Traffic Overview.

This section charts the requests the Web ACL has evaluated, including the ones blocked by our rule.

Next, head over to the Sampled Requests section.

Here we can see a sample of the requests that matched our rule, with the source IP and the action taken for each.

Alright, let's remove the restriction we set up.

In the Associated AWS resources section, select your associated resources and click on Disassociate.

On Web ACLs, select your Web ACL and click on Delete.

On IP sets, select your IP set and click on Delete.

Now, let's head up to our load balancer, copy the DNS name, and paste it into our browser to check if the restriction is still in place.

We can see that our request is no longer blocked.

Try refreshing the page to see if the load balancer distributes the traffic to different servers.


Conclusion

Today, we protected our resources with AWS WAF by blocking our own IP address using an IP set. This was a simple demonstration. There are many more powerful techniques available with AWS WAF to block web exploits, but that's for another project.


Task 10: Clean Up

  1. Deleting load balancer.

    Select your load balancer and in the Actions panel, click on Delete load balancer.

  2. Deleting Target Group.

    Select your target group and in the Actions panel, click on Delete.

  3. Terminating EC2 instance.

    Select both of your instances and, in the Instance state panel, click on Terminate instance.

  4. Deleting Subnets.

    Search for VPC in the search box. On Subnets, select both of your subnets and in the Actions panel, click on Delete subnet. If the deletion fails, wait for the terminated instances to release their network interfaces, refresh the page and try again.

  5. Deleting Route table.

    Select your Route table and in the Actions panel, click on Delete route table.

  6. Deleting VPC.

    Select your VPC and in the Actions panel, click on Delete VPC.

We've cleaned up our used resources.


Alright, see you guys in the next one!
