Protect a Web Tier in a Public Subnet

  • WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.

  • WAF is tightly integrated with CloudFront and the ALB, services that AWS customers commonly use to deliver content for their websites and applications.

  • When you use WAF on CloudFront, your rules run in all AWS Edge Locations, located around the world close to your end-users.

  • Blocked requests are stopped before they reach your web servers.

  • When you use WAF on an ALB, your rules run in-region (the Region of the load balancer) and can be used to protect internet-facing as well as internal load balancers.

  • If the web servers are hosted in public subnets behind a public-facing ALB while the application servers are hosted in private subnets, you can migrate your servers to private subnets and then remove any attached public IP or Elastic IP addresses.

  • The public-facing ALB can route the traffic to these web servers hosted in private subnets.

  • So, to protect a Web Tier in a Public Subnet:

    • Migrate the web servers to private subnets without any public IP or Elastic IP addresses.

    • Integrate WAF with the ALB to protect the online application against SQL injection and cross-site scripting attacks.

    • Launch a new CloudFront distribution and configure it to use WAF.
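The three steps above expressed as Terraform, as an added example that is not part of the original notes: a web server placed in a private subnet with no public IP, a regional WAF web ACL built from the AWS managed SQLi rule group and the Common rule group (which carries the cross-site scripting rules), and the association that attaches that ACL to the existing internet-facing ALB. The variables `web_ami_id`, `private_subnet_id`, `web_sg_id` and `alb_arn` are assumed inputs; a CloudFront distribution would use a second ACL with `scope = "CLOUDFRONT"`, created in us-east-1.

```hcl
# Web server moved into a private subnet: no public or Elastic IP, reachable only via the ALB.
resource "aws_instance" "web" {
  ami                         = var.web_ami_id        # assumed input
  instance_type               = "t3.micro"
  subnet_id                   = var.private_subnet_id # assumed input: a private subnet
  associate_public_ip_address = false
  vpc_security_group_ids      = [var.web_sg_id]       # assumed input: allows ingress only from the ALB SG
}

# Regional web ACL for the ALB. A CloudFront distribution needs its own ACL with scope = "CLOUDFRONT".
resource "aws_wafv2_web_acl" "web_tier" {
  name  = "web-tier-acl"
  scope = "REGIONAL"

  default_action {
    allow {} # anything the managed rules do not block reaches the web servers
  }

  # One rule per AWS managed rule group: SQLi signatures, then the Common set (includes XSS rules).
  dynamic "rule" {
    for_each = { for i, g in ["AWSManagedRulesSQLiRuleSet", "AWSManagedRulesCommonRuleSet"] : g => i + 1 }
    content {
      name     = rule.key
      priority = rule.value
      override_action {
        none {} # keep the group's own BLOCK actions instead of downgrading them to COUNT
      }
      statement {
        managed_rule_group_statement {
          vendor_name = "AWS"
          name        = rule.key
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true # keep samples of blocked requests for investigation
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-tier-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the internet-facing ALB so blocked requests never reach the private subnet.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn # assumed input: ARN of the existing public-facing ALB
  web_acl_arn  = aws_wafv2_web_acl.web_tier.arn
}
```

After `terraform apply`, the CloudWatch metrics named after each rule group show how many requests each one blocked, which is the quickest check that the ACL is actually in the request path.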
