Setting up AWS Web Application Firewall (WAF) with Elastic Beanstalk

Alfred Yang
finnovate.io
Published Apr 3, 2019


Amazon Web Services’ (AWS) Web Application Firewall can come in handy for those of us building applications that need the extra protection against common web exploits and attacks. However, the whole setup process isn’t exactly intuitive and the AWS documentation is difficult to digest.

Hopefully, I can help simplify things.

WAF can be set up with Elastic Beanstalk in one of two ways:

  1. WAF can be attached directly to the Application Load Balancer (a regional web ACL; not available for environments provisioned in the Canada, South America and Mumbai regions at the time of this article)
  2. WAF can be attached to a CloudFront distribution (AWS’s CDN) with a global web ACL, and CloudFront in turn forwards traffic to the Application Load Balancer.

Setting up Elastic Beanstalk with a Load Balancer

In both cases, your Elastic Beanstalk (EB) environment needs an Application Load Balancer in front of it, because that is the resource WAF (or CloudFront) attaches to:

Elastic Beanstalk environment with load balancer

To do so, when you create your EB environment, select the “High availability” option.

EB is a wrapper around EC2 and related services: it provisions the instances, the load balancer, the target group and the Auto Scaling group for you. Once your EB environment has been created, you should be able to see the corresponding EC2 instance in AWS’s EC2 service along with its Application Load Balancer.

Application Load Balancer in EC2

Connecting WAF to your Application Load Balancer (Not supported in all regions)

If your application sits in one of the supported US, EU and Asia Pacific regions, you can connect WAF directly to the Application Load Balancer. If your EB environment is in the Canada, South America or Mumbai region, skip ahead to the “Connecting WAF with CloudFront” section. (Regional WAF has since been rolled out to more regions, so check the current WAF region list before choosing the CloudFront route.)

In the WAF service, click on “Configure web ACL”

Configuring web ACL

Click “Next” on the “Concepts overview” screen and in “Step 1: Name web ACL”, select the region your app server is in, select “Application load balancer” as the Resource type and select your application load balancer as the AWS resource.

Note that WAF rules are a large topic in their own right (rate limiting, IP reputation, SQL injection and XSS match conditions, size constraints, and so on) and we won’t go into them here. If you are new to web security, AWS publishes a CloudFormation template (the AWS WAF Security Automations solution) that deploys a baseline set of rules against common attacks, which you can attach as the web ACL in this step.

Configuring Application Load Balancer to work with SSL

With WAF set up, you can configure your Application Load Balancer to terminate SSL/TLS. Start by opening the load balancer configuration in the Elastic Beanstalk environment.

Next, add an HTTPS listener on port 443 (the default SSL port) using the certificate provisioned in AWS’s Certificate Manager for your domain; the certificate must live in the same region as the load balancer. You will also have to make sure that listener forwards to an environment process (i.e. the default process), otherwise requests arriving on 443 have nowhere to go. If you keep the plain HTTP listener on port 80, either disable it or make the application redirect to HTTPS, so that clients cannot quietly fall back to cleartext.

With SSL set up, point your domain at the load balancer. A load balancer has no fixed IP address, so with a third-party DNS provider use a CNAME record to the load balancer’s DNS name (which only works for a subdomain, not the zone apex). If you are using AWS’s Route 53, create an “A” record with alias targeting and select the load balancer as the target; an alias works at the apex too.
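The three steps above (load-balanced environment, web ACL attached to the load balancer, HTTPS listener) can be expressed as an `.ebextensions` configuration file instead of console clicks, which keeps the setup reviewable and repeatable. The file below is an added example and is not from the original article; the certificate ARN and web ACL ID are placeholders, the web ACL is assumed to already exist in WAF Classic (the regional API the console screens above belong to) in the same region as the environment, and `AWSEBV2LoadBalancer` is the logical ID Elastic Beanstalk gives the Application Load Balancer in the CloudFormation stack it manages.

```yaml
# .ebextensions/alb-waf-https.config  (added example, not from the original article)
#
# Creates a load-balanced Elastic Beanstalk environment with an Application Load
# Balancer, adds an HTTPS listener on 443 backed by an ACM certificate, and
# associates an existing regional (WAF Classic) web ACL with that load balancer.
option_settings:
  # Load-balanced environment with an Application Load Balancer (the console's
  # "High availability" preset). Both settings can only be applied when the
  # environment is created, not on an existing single-instance environment.
  aws:elasticbeanstalk:environment:
    EnvironmentType: LoadBalanced
    LoadBalancerType: application

  # The "default" process is the target group the listeners forward to.
  aws:elasticbeanstalk:environment:process:default:
    Port: '80'
    Protocol: HTTP
    HealthCheckPath: /

  # HTTPS listener on 443. The certificate must be an ACM certificate in the
  # same region as the load balancer. Placeholder ARN below.
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: HTTPS
    SSLCertificateArns: arn:aws:acm:us-west-2:123456789012:certificate/00000000-0000-0000-0000-000000000000
    SSLPolicy: ELBSecurityPolicy-TLS-1-2-2017-01   # TLS 1.2 only, no TLS 1.0/1.1
    DefaultProcess: default

  # The port 80 listener Elastic Beanstalk creates by default. Keep it only if the
  # application redirects to HTTPS itself; set to 'false' to accept TLS only.
  aws:elbv2:listener:default:
    ListenerEnabled: 'false'

Resources:
  # Attach the web ACL to the ALB that Elastic Beanstalk creates.
  # Ref on an ALB resource returns its ARN, which is what the association needs.
  # (With the newer WAFv2 API the type is AWS::WAFv2::WebACLAssociation and the
  # property is WebACLArn instead of WebACLId.)
  WafWebAclAssociation:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn: { "Ref": "AWSEBV2LoadBalancer" }
      WebACLId: 11111111-2222-3333-4444-555555555555   # placeholder web ACL ID
```

Deploy it with the rest of the application bundle (`eb deploy`, or a new environment from the bundle). Disabling the port 80 listener is the simplest way to guarantee that nothing reaches the application in cleartext; if you need HTTP-to-HTTPS redirects for users who type the bare hostname, keep the listener enabled and do the redirect in the application or with a listener rule outside Elastic Beanstalk’s option settings.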

Connecting WAF with CloudFront (for servers in unsupported regions)

Now if you are in a less fortunate region like Canada, South America or Asia Pacific Mumbai, you can still use WAF via CloudFront, with a global web ACL attached to the distribution instead of a regional one attached to the load balancer. Things do get a bit more complicated.

In the CloudFront service, click “Create Distribution”

Select “Web” as your delivery method. In the Create Distribution screen, set the Origin Domain Name to the DNS name of the Application Load Balancer created with your EB environment (it appears in the drop-down list of load balancers).

With your CloudFront distribution created, you can go to the WAF service and click on “Configure web ACL”

Configuring web ACL

Click “Next” on the “Concepts overview” screen and in “Step 1: Name web ACL”, select “Global (CloudFront)” as the region and select your CloudFront distribution as the AWS Resource.

Configuring CloudFront to work with SSL

We can secure the web application with SSL by configuring CloudFront to work with alternate domain names and attaching an SSL certificate.

Edit the CloudFront distribution and enter your alternate domain names (CNAMEs). Then attach a Custom SSL certificate covering those names. If you are using AWS’s Certificate Manager, the certificate must be provisioned in the N. Virginia (us-east-1) region, because CloudFront only reads ACM certificates from there; otherwise, you can upload a certificate to IAM and use that.

Next, edit the default (“*”) cache behaviour and set the Viewer Protocol Policy to “Redirect HTTP to HTTPS”, so that any plain HTTP request from the outside is answered with a redirect to HTTPS rather than served.

Note that if CloudFront terminates SSL, it is not strictly necessary to set up HTTPS on your Application Load Balancer, so the origin protocol policy can stay at the default “HTTP Only”. Be clear about what that does and does not protect: the hop from CloudFront to the load balancer then crosses the public internet in cleartext, and the load balancer’s own DNS name remains reachable directly, where the web ACL attached to CloudFront is never consulted. For end-to-end TLS, add the HTTPS listener to the load balancer anyway and set the origin protocol policy to “HTTPS Only”. To stop callers from bypassing CloudFront (and the WAF), have CloudFront add a custom origin header carrying a secret value and only forward requests at the load balancer that carry it, or restrict the load balancer’s security group to CloudFront’s published IP ranges.

After setting up your CloudFront distribution to work with alternate domains, point your domain at the distribution’s cloudfront.net hostname. With a third-party DNS provider that means a CNAME record (subdomains only). If you are using Route 53 in AWS, create an “A” record and select the CloudFront distribution as the Alias target, which also works for the zone apex.
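The CloudFront path (distribution in front of the load balancer, global web ACL, ACM certificate from us-east-1, HTTP-to-HTTPS redirect, Route 53 alias) as a single CloudFormation template. This is an added example and not from the original article; the origin hostname, domain, hosted zone, certificate ARN and web ACL ID are supplied as parameters and are placeholders. It also adds the custom origin header described above (`X-Origin-Verify`, a name chosen for this example) so the load balancer can refuse requests that did not come through CloudFront; the listener rule that enforces that header on the load balancer side is a separate step and is not part of this template.

```yaml
# cloudfront-waf.yaml  (added example, not from the original article)
#
# CloudFront distribution in front of an Elastic Beanstalk ALB, with a global
# WAF web ACL, TLS terminated at CloudFront, plain HTTP redirected to HTTPS,
# and a Route 53 alias record for the public hostname.
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  OriginDnsName:
    Type: String
    Description: DNS name of the Elastic Beanstalk Application Load Balancer (placeholder)
    Default: awseb-e-x-AWSEBLoa-EXAMPLE.ca-central-1.elb.amazonaws.com
  DomainName:
    Type: String
    Default: app.example.com          # placeholder alternate domain name
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
  AcmCertificateArn:
    Type: String                      # must be an ACM certificate in us-east-1
  WebAclId:
    Type: String                      # WAF Classic web ACL ID created with the "Global (CloudFront)" scope
  OriginVerifySecret:
    Type: String
    NoEcho: true                      # shared secret the load balancer should require

Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref DomainName
        WebACLId: !Ref WebAclId       # attaches the global web ACL to this distribution
        Origins:
          - Id: eb-alb
            DomainName: !Ref OriginDnsName
            CustomOriginConfig:
              HTTPPort: 80
              HTTPSPort: 443
              # http-only matches the article's setup; switch to https-only once the
              # load balancer has an HTTPS listener, for end-to-end TLS.
              OriginProtocolPolicy: http-only
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginVerifySecret
        DefaultCacheBehavior:
          TargetOriginId: eb-alb
          ViewerProtocolPolicy: redirect-to-https   # plain-HTTP viewers get a redirect to HTTPS
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # Dynamic application: pass query strings, cookies and all headers to the
          # origin (forwarding all headers effectively disables caching).
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
            Headers: ['*']
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021

  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed hosted zone ID shared by all CloudFront distributions

Outputs:
  DistributionDomainName:
    Value: !GetAtt Distribution.DomainName
```

Deploy with `aws cloudformation deploy --template-file cloudfront-waf.yaml --stack-name app-cdn --parameter-overrides ...` from any region; the distribution itself is global, but the certificate it references must be in us-east-1. With the newer WAFv2 API, `WebACLId` takes the web ACL’s ARN rather than its ID.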


Alfred is the founder of https://finnovate.io, a company that focuses on helping organizations build unique digital experiences on web, mobile and blockchain.