# AWS WAF (Web Application Firewall)

Hello people, today we will be learning about AWS Web Application Firewall (WAF) and doing a simple demo on it.

AWS WAF defends web apps from online threats with customizable rules to filter and block malicious traffic. Integrated with CloudFront and ALB, it offers real-time monitoring through CloudWatch.

Let's get started.

---

### Overview

In this setup, we will create two subnets, each containing an EC2 instance. These instances will be fronted by an Application Load Balancer (ALB). Then we will configure AWS WAF with a simple IP set rule to restrict connection requests from our IP address.

---

### Task 1 : Creating a VPC

Search for **VPC** in the search box.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340363489/0bbcf1be-18dd-4d27-ac02-872a9fe7d54c.png align="center")

Click on `Create VPC`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340485209/58c50da4-5f0f-4e30-bd75-6462f5908cb4.png align="left")

Provide a suitable name for your VPC and input a IPv4 CIDR value.

Click on `Create VPC` with all other configurations left as default.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717392621763/856014f1-dcbf-4e34-9166-ec541ecdfc84.png align="center")

---

### Task 2: Creating Internet Gateway

On **Internet gateways**, click on `Create internet gateway`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340592306/5e74fcbd-44eb-42bf-b041-6563ca4ac128.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340660531/e7259ec9-9bd8-431b-9f7c-04019bad7ac6.png align="center")

Provide name for your Internet gateway & click on `Create internet gateway`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340721300/cfe2fc71-3bfd-4cc7-a0df-2a15555e2c80.png align="center")

Click on Attach to a VPC and select your VPC and click on `Attach internet gateway`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717392689235/a5088e1f-fcff-4a0d-b7f4-78edfd458fc3.png align="center")

---

### Task 3: Creating Subnets

On **Subnets**, click on `Create subnet`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340831765/3972b1dc-75cc-4d18-81d7-71472e1dccc1.png align="center")

Select your VPC.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340911828/a54c40c1-2cb3-4b1d-aa60-99c90526d27a.png align="left")

Provide a suitable name for your subnet and an eligible CIDR range.

Click on `Add new subnet`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717340989913/551a1734-3394-440c-b6e6-c2f9e0af4e31.png align="left")

Provide name for your second subnet and provide an eligible CIDR range value.

Click on `Create subnet`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717392864202/a6793ab5-2a14-4664-8df3-4dc1e62bcda6.png align="center")

---

### Task 4: Creating Route tables

On **Route tables**, click on `Create route table`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341095122/21db1d29-3af1-472b-b7ee-c334574569b2.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341154142/d7ccdb8b-8cbb-4150-9ac2-373811cfff70.png align="center")

Provide the name for your Route table and select your VPC.

Click on `Create route table`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341204614/e2a195a2-3111-4ccd-8e3a-fd4ea4491991.png align="center")

Now, in **Subnet associations**, click on `Edit subnet associations` to associate subnets with this route table.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341260434/cb130098-40bf-4524-8c80-8a403e896cd5.png align="center")

Select both of your subnets and click on `Save associations`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341291526/27b34238-03d4-4aa9-9a74-0a125b46d4f7.png align="center")

Now, on **Routes**, click on `Edit routes` to add route in our route table.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341351554/5488c845-93b0-4182-b00a-c84610578f96.png align="center")

Configure the above configurations and select your internet gateway.

Click on `Save changes`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717392931358/0870f262-6ad1-43ef-a418-c5142861822a.png align="center")

---

### Task 5: Creating EC2 instances

Search for **EC2** in the search box.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341484588/be7181a7-8b72-4be6-81cd-eefb921b40fc.png align="center")

Click on `Launch instances`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341534038/43bee6ab-1292-4a65-abe3-97a33e1a451b.png align="center")

Provide name for your instance. Choose an AMI. I have picked Ubuntu as my AMI.

Select free-tier instance if possible and create either a new or use an existing key pair.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341722337/244080b4-ad7d-4a51-8833-a6147662fb00.png align="left")

Edit Network settings.

Select your VPC, select one of your subnets and `Enable` the Auto-assign public IP.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341807199/bd3c3dea-a3cf-45dc-b265-43bae0f5dcd6.png align="left")

We have a default security group configured with SSH access.

Click on `Add security group rule`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341886160/5bf74a2f-fdc0-4492-a363-8008efbe3ec0.png align="left")

Configure the above configurations.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717341953244/67c205a7-9b7c-46e6-b78a-bf4e6eb9c1ac.png align="left")

Click on `Advanced details`.

Scroll down to **User data** section and paste the following code.

```bash
#!/bin/bash
yes | sudo apt update
yes | sudo apt install apache2
echo "<h1>Hello from the first server</h1>" > /var/www/html/index.html
sudo systemctl restart apache2
```

<details data-node-type="hn-details-summary"><summary>Code Explained</summary><div data-type="detailsContent">This script sets up the Apache web server and serves a simple HTML page with the message "Hello from the first server".</div></details>

Click on `Launch instance`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717342187328/ad50e3e0-cc25-4646-90ea-309f1025a3ac.png align="left")

Copy the **Public IPv4 address** of your instance and paste into your browser.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717342314658/ac484930-df55-48dd-9adb-b1f6702bbaae.png align="left")

Set up another instance in a different subnet. Follow the same steps as before, but this time, make a slight change in the user data. Everything else can remain the same.

```bash
#!/bin/bash
yes | sudo apt update
yes | sudo apt install apache2
echo "<h1>Hello from the second server</h1>" > /var/www/html/index.html
sudo systemctl restart apache2
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717342634337/a6dbbb4f-8b97-4d10-9e98-ec76dff2df67.png align="left")

We have set up our second instance as well.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717393053959/bee8d363-7097-4c05-a13d-1c62b911a671.png align="center")

---

### Task 6: Creating Target groups

On **Target groups**, click on `Create target group`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717342687838/5ac21df0-5b49-4faa-a51f-bbb35f5fdf43.png align="center")

Provide name for your target group, select your VPC while keeping all other settings as default.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717342837266/4838c5d7-5128-43fb-bde8-cc12ef9f6137.png align="left")

Select both of your instances and click on `Include as pending below`.

Click on `Create target group`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717393318974/7cc62faa-5c29-43c9-bd17-1ecfe8014554.png align="center")

---

### Task 7: Creating Load Balancer

On **Load Balancers**, click on `Create load balancer`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717342940466/ca22a47b-c13b-4a0c-9c70-516a8669cafa.png align="left")

Choose **ALB** as load balancer.

Provide a suitable name for your load balancer.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343144617/6a3ba7be-90dd-4be6-a982-f2afd91b4cb4.png align="center")

Select your VPC and also tick all of your subnets.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343176263/bbe8bd6f-68bc-4028-8425-122fd98d1eeb.png align="center")

On Security groups, click on **create a new security group**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343238588/8e1fba18-ce1a-47d6-814f-5c4cbd0514cd.png align="left")

Provide a suitable name for your security group and select your VPC.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343373042/55236187-5f73-4d3d-9a68-6dc8daf82b14.png align="center")

In **Inbound rules**, configure the above configurations.

Click on `Create security group`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343493501/5b2ccd30-0ba8-4490-8ccb-0d7788dc2cc9.png align="center")

Return to your ALB setup page and refresh the Security groups.

Select your security group.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343573526/052b5e29-d7cd-433e-87fc-8b49a0078ca6.png align="left")

Select your target group & click on `Create load balancer`.

It takes a while to provision.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343886399/388c3a5d-b833-44a3-8eaf-f9eef72ee5ed.png align="center")

When the load balancer is ready, copy the DNS name and paste into your browser.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717343938147/57f16f1e-fab1-488b-b8de-ce8d270a204e.png align="center")

You can refresh the page to see the load balancer distributing traffic to another server.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717393499838/62de59e0-2cb9-4313-bfb0-7192276dc6c3.png align="center")

---

### Task 8: Setting up AWS WAF

Search for **waf** on the search box and select `WAF & Shield`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717374088679/56218a74-6e9a-439c-85f4-b3611581ec5d.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717376071693/07d67ba4-1400-469b-bff4-c86f56ac85a2.png align="center")

On the WAF & Shield Dashboard, on **IP sets**, click on `Create IP set`.

IP sets in AWS WAF are collections of IP addresses or IP address ranges that you can use to specify which IPs should be allowed or blocked. By creating an IP set, you can easily manage a list of trusted or suspicious IP addresses and reference this list in your Web ACL rules.

Let's restrict access to our instances by blocking our IP address.

To get your IP address: [find your ip address here](https://whatismyipaddress.com/)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717376343352/14ab8743-78ae-4288-8970-c830885b4be8.png align="left")

Make sure to provide `/32` at the end of your IP address to restrict access to only that specific address on the Internet.

Click on `Create IP set`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717377189414/57230bd8-13ab-4a7b-acab-10386bc7c966.png align="left")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717377244704/8eb735dc-70d8-48be-836b-73ce28273565.png align="left")

Now on **Web ACLs**, click on `Create web ACL`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717374360032/145ce558-1da0-44f3-a5b4-8e332ab5b984.png align="left")

When setting up a Web ACL, you need to choose the resource type it will protect. There are two main categories:

1. **Amazon CloudFront distributions**: These are globally distributed networks that deliver content with low latency.
    
2. **Regional resources**: These include services which operate within specific AWS regions.
    

Selecting the resource type determines how the Web ACL rules will be applied to manage and control access.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717374540411/74f51f87-56c4-4670-b2e4-3c1c72dc8329.png align="left")

Provide name for your WAF.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717374565393/ef48c189-411e-4441-ae67-75b3a64d3a9e.png align="left")

Click on `Add AWS resources`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717374652611/cb1eb4c8-a76e-4eb6-b0dc-4ba4a9d47d2c.png align="left")

Select your Application Load Balancer and click on `Add`.

Click on `Next`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717377342192/525b9e30-60f1-4382-9d53-3e4705c07d73.png align="center")

In Add rules panel, there are two modes:

1. **Managed Rule Groups**: These are pre-configured sets of rules created by AWS or AWS Marketplace sellers.
    
2. **Add My Own Rules & Groups**: This option allows you to create custom rules based on your specific needs.
    

Click on `Add my own rules and rule groups`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717377683010/b8929c19-49f4-47cd-a43e-db0b7d85cf7f.png align="left")

There are different **Rule type** to choose from. As have already talked about IP set, let's explore the remaining.

* **Rule builder:** A tool to create custom rules that specify conditions for allowing or blocking web requests.
    
* **Rule group:** A collection of rules managed together, which can be custom-made or provided by AWS/third parties, simplifying rule management for web applications.
    

For now, we are sticking to IP set.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717378072963/5a1e160d-0189-4f09-b735-ffbc1abca23a.png align="left")

Name your Rule and select your IP set.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717378299873/a4398730-6498-48f4-bf6f-5c9576c20ece.png align="left")

When requests come through a CDN or proxy, the source IP is the proxy's, and the original IP is in a header. Using "**IP address in header"** can be risky because headers can be altered or handled inconsistently by proxies. Choose between using the source IP or the IP in the header to identify the original address.

The purpose is to accurately identify the original source IP address of a request that passes through a CDN or proxy. This helps in applying correct security rules and logging the true origin of the traffic, rather than just the intermediary proxy's IP address. However, caution is needed as headers can be manipulated.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717379180632/7dbd2beb-7739-496d-a7af-eaca251fa694.png align="left")

We can specify the action to take when a request originates from an IP address in a defined IP set. For now, let's stick to Block.

Click on `Add rule`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717380002541/6565fd55-4a42-4c96-8995-701f5ad39c25.png align="center")

AWS WAF evaluates the rules and rule groups in the order shown, starting from the top. We can move rules up or down to change the evaluation order.

The **order of evaluation affects the behavior of the web ACL**. For example, suppose a web request matches a rule that allows requests and matches another rule that counts requests. If you list the rule that allows requests before the rule that counts requests, AWS WAF will allow the request and won’t count it.

As we do not have multiple rules for now, click on `Next`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717379949846/23647b35-e024-4a62-8c94-404baee464b1.png align="left")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717380298607/7e266c4b-4633-4a91-be09-9d4c0f1677a6.png align="center")

Click on `Next`.

Review your Web ACL and click on `Create web ACL`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717380434468/ed1c8b50-f78f-4df9-b34d-701ce27df771.png align="center")

We have created our Web ACL.

Now search for **load balancer** in the Search box.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717381203713/f1614128-bab6-4eeb-9373-4f320498006c.png align="center")

Select your load balancer & copy the DNS name. Paste it into your browser.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717381259728/b311b95b-e9dd-4d28-8082-2a9eb0cd9296.png align="left")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717394156643/00b39f10-3e04-4137-8581-3a7f15089830.png align="center")

---

### Task 9: Exploring WAF

We are currently unable to process the request because the WAF is configured to block it. Try reloading the page a few times to see the effect later.

Search for **WAF** in the search box and select WAF & Shield.

On **Web ACLs**, select your Web ACLs.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717381427009/94d286be-65ae-44db-861a-37f24c5f8276.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382011384/e00a123c-6471-4d1e-86b0-bfefdf884d1a.png align="center")

We can explore different aspects here. Let's look at the Traffic Overview.

This section provides insights on various details.

Next, head over to the Sampled Requests section.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382306436/84e69940-1e30-4b93-be70-9f969b3da139.png align="center")

We can see the sampled requests here.

Alright, let's delete the rule that we had set up.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382392974/a7906e29-f4b8-41d2-b33f-03d4f020ee26.png align="center")

On **Associated AWS resources** section, select your associated resources and click on `Disassociate`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382456803/7bd13af1-6da4-4e3a-8681-3ba78180bbad.png align="left")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382482459/8f98cef5-5f65-4c99-8bfd-a5f4c3fe87f6.png align="center")

On **Web ACLs**, select your Web ACL and click on `Delete`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382967825/0bee544e-b7d6-4f54-828e-63449b89807d.png align="center")

On **IP sets**, select your IP set and click on `Delete`.

Now, let's head up to our load balancer, copy the DNS name, and paste it into our browser to check if the restriction is still in place.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717382604862/2587d12e-0d21-4c74-ab66-263865bc86ec.png align="center")

We can see that our request is no longer blocked.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717394220616/d91abb4b-bd23-4a13-94b3-a6664039e101.png align="center")

Try refreshing the page to see if the load balancer distributes the traffic to different servers.

---

### Conclusion

Today, we used a technique to protect our resources using AWS WAF by blocking our own IP address using an IP set. This was a simple demonstration. There are many more powerful techniques available with AWS WAF to block web exploits, but that's for another project.

---

### Task 10: Clean Up

1. **Deleting load balancer.**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717383107967/979f5ef1-529c-46cc-89f0-fe3bd3fd3893.png align="center")
    
    Select your load balancer and in the **Actions panel**, click on `Delete load balancer`.
    
2. **Deleting Target Group.**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717383185328/4eccfb4e-98ae-466f-9123-6e732f7fc0da.png align="center")
    
    Select your target group and in the **Actions** panel, click on `Delete`.
    
3. **Terminating EC2 instance.**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717383428940/6edbea8c-502c-444c-9249-6e0829721220.png align="center")
    
    Select both of your instances, In **Instance state** panel, click on `Terminate instance`.
    
4. **Deleting Subnets.**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717383267137/02b7f656-b576-4cd4-8a29-b43f38fe9eb3.png align="center")
    
    Search for **VPC** in the search box. On **Subnets**, select both of your subnets and in the **Actions**, panel, click on `Delete subnet`. If you can't delete, wait for some time, refresh the box and try again.
    
5. **Deleting Route table.**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717384476298/0f25d876-4cfd-4d88-a959-6ba5b92beaa0.png align="left")
    
    Select your Route table and in the **Actions** panel, click on `Delete route table`.
    
6. **Deleting VPC.**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1717384541026/ac96afb8-c802-430e-ac49-d522080829cf.png align="center")
    
    Select your VPC and in the **Actions** panel, click on `Delete VPC`.
    

We've cleaned up our used resources.

---

Alright, see you guys in the next one!
