Load balancing an application is a common approach to distributing traffic among multiple servers. It has a breadth of benefits that can optimize performance, including availability and responsiveness, as it spreads the workload from one server to another, preventing server overload.

AWS has a wide variety of load balancer types. But one of the most commonly used for web servers is the Application Load Balancer (ALB), as it functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model.

After setting up an ALB, it is also essential to consider security as it’s one of the AWS 6 pillars of a well-architected framework. As a rule of thumb, applications in the cloud must not be exposed to the public internet unless intended for public use. Thus, the concept of whitelisting.

Whitelisting is a cybersecurity strategy to define a set of IP addresses that will be allowed to access the applications while denying others. In ALB, restricting access can be done thru a security group. But what if someone accidentally misconfigured the security group and unintentionally opened it to the public internet? Having an extra layer of security can be beneficial and can be done by leveraging the direct integration of ALB to the AWS Web Application Firewall (WAF).

So for this article, we will create a custom AWS WAF rule for an ALB-supported application that blocks access when the IP is not in the list of allowed public IP addresses.

SUMMARY:

1. Create an IP set that will hold all allowed public IPs to access the ALB

2. Provision of the WebACL that will contain the custom rule that blocks all IPs outside the IP set

3. Associate the WebACL to the target ALB thru direct integration

4. Test if the solution is working

STEPS:

Creating IP Set that will contain all allowed IP Addresses

1. Go to WAF & Shield

2. Click IP sets

3. Choose the region where the ALB is located (i.e., Singapore) > Create IP set.

4. Enter desired IP set name (i.e WhitelistedIPs) > Choose region where ALB is located (i.e. Singapore) > Enter the allowed public IPs > Create IP set

Provisioning the Custom WebACL rule that will only allow IPs contained in the previously created IP Set

1. Still in WAF & Shield > Click Web ACLs

2. Choose the region where the ALB is located (i.e., Singapore) > Create web ACL

3. Enter Name (i.e. WhitelistCustomRule) > Input desired CloudWatch metric name (WhitelistCustomRule) > Choose Regional resources > Click Next

4. Click Add rules > Add my own rules and rule groups.

5. Choose Rule builder > Enter desired Name for the rule (i.e. whitelist-ip-set) > In Type, choose Regular rule > Scroll down

6. Choose If a request doesn’t match the statement (NOT) > Under Inspect, choose Originates from an IP address in > Choose the previously created IP set (i.e., WhitelistedIPs) that contains the allowed public IPs > Source IP address > In Action, choose Block > Add rule.

7. Click Next

8. Under Set rule priority, click Next.

9. Click Next

10. Under Review and create web ACL, scroll down and click Create web ACL

Associating the Custom WebACL rule in the Application Load Balancer

1. Still in WAF & Shield > Web ACLs > Click the previously created WebACL

2. Choose Associated AWS resources > Add AWS resources.

3. Click Application Load Balancer > Choose the target ALB name (make sure that the WebACL and ALB reside in the same region) > Click Add to finish associating the ALB.

Testing if the whitelisting works

1. The traffic is allowed when the IP is within the IP set (i.e., WhitelistedIPs).

2. But the traffic is denied when the IP is not in the IP set (i.e., WhitelistedIPs).

3. Even though the security group is exposed to the public internet, traffic is still being denied since WAF provides extra protection.

Defined in the design principles is to apply security at all layers. With this approach, the target Application Load Balancer (ALB) will have two layers of protection that restricts traffic so that despite one defense mechanism being misconfigured, there is an extra shield.