I recently set up AWS WAF v2 and found it to be a very useful service. So far, I have been using professional security vendor-managed rules, but this time I deployed it using the rulesets provided by AWS (AWS Managed Rules), which I found easy to use and very convenient. In this article, I will guide you through the process of building a WAF with AWS Managed Rules via Terraform. A WAF is a significant service that governs security. What I set up in this article is not always correct for every case and depends on the product you are setting up. Setting up a WAF is your own responsibility, and if you are not confident in your ability to set up a WAF yourself given the risks involved, I recommend an approach where you enlist the help of a vendor.

Our company makes use of an NLB that fronts a series of EC2 instances so we can serve many thousands of websites, each with their own unique SSL certificate. The certificates (and associated NGINX conf files) are distributed to each EC2 instance, and are synchronized when new instances are added to the NLB-fronted cluster during scaling. This setup works very well for us, but the one downside is a lack of DDoS protection for the EC2 instances. Ideally we would put our entire setup behind WAF, but WAF is not NLB compatible and we are unable to use an ALB due to the number of certificates we have to maintain. It would be possible to move to multiple ALBs with SAN certs to cover all our domains, but the complexity of that setup seems to outweigh the benefits for our use case. So - what are some of the best options for adding DDoS protection to an NLB-fronted EC2 cluster? Ideally the protection would come into place at / above the NLB itself, but if needed we could handle this in software at the EC2 level. In that case we would want some kind of "centralized" option where one EC2 instance could act as "master", keeping all the EC2 instances in sync WRT any IPTables blocks that may be issued.