Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Whitelisting Access to Application Load Balancer Through The Use of AWS WAF

Home » BLOG » Whitelisting Access to Application Load Balancer Through The Use of AWS WAF

Whitelisting Access to Application Load Balancer Through The Use of AWS WAF

Last updated on May 26, 2023

Load balancing an application is a common approach to distributing traffic among multiple servers. It has a breadth of benefits that can optimize performance, including availability and responsiveness, as it spreads the workload from one server to another, preventing server overload.

AWS has a wide variety of load balancer types. But one of the most commonly used for web servers is the Application Load Balancer (ALB), as it functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model.

After setting up an ALB, it is also essential to consider security as it’s one of the AWS 6 pillars of a well-architected framework. As a rule of thumb, applications in the cloud must not be exposed to the public internet unless intended for public use. Thus, the concept of whitelisting.

Whitelisting is a cybersecurity strategy to define a set of IP addresses that will be allowed to access the applications while denying others. In ALB, restricting access can be done thru a security group. But what if someone accidentally misconfigured the security group and unintentionally opened it to the public internet? Having an extra layer of security can be beneficial and can be done by leveraging the direct integration of ALB to the AWS Web Application Firewall (WAF).

So for this article, we will create a custom AWS WAF rule for an ALB-supported application that blocks access when the IP is not in the list of allowed public IP addresses.

Tutorials dojo strip

SUMMARY:

  1. Create an IP set that will hold all allowed public IPs to access the ALB

  2. Provision of the WebACL that will contain the custom rule that blocks all IPs outside the IP set

  3. Associate the WebACL to the target ALB thru direct integration

  4. Test if the solution is working

 

 

STEPS:

Creating IP Set that will contain all allowed IP Addresses

1. Go to WAF & Shield

2. Click IP sets

3. Choose the region where the ALB is located (i.e., Singapore) > Create IP set.

4. Enter desired IP set name (i.e WhitelistedIPs) > Choose region where ALB is located (i.e. Singapore) > Enter the allowed public IPs > Create IP set

 

 

Provisioning the Custom WebACL rule that will only allow IPs contained in the previously created IP Set

1. Still in WAF & Shield > Click Web ACLs

2. Choose the region where the ALB is located (i.e., Singapore) > Create web ACL

3. Enter Name (i.e. WhitelistCustomRule) > Input desired CloudWatch metric name (WhitelistCustomRule) > Choose Regional resources > Click Next

4. Click Add rules > Add my own rules and rule groups.

5. Choose Rule builder > Enter desired Name for the rule (i.e. whitelist-ip-set) > In Type, choose Regular rule > Scroll down

6. Choose If a request doesn’t match the statement (NOT) > Under Inspect, choose Originates from an IP address in > Choose the previously created IP set (i.e., WhitelistedIPs) that contains the allowed public IPs > Source IP address > In Action, choose Block > Add rule.

7. Click Next

8. Under Set rule priority, click Next.

9. Click Next

10. Under Review and create web ACL, scroll down and click Create web ACL

Associating the Custom WebACL rule in the Application Load Balancer

1. Still in WAF & Shield > Web ACLs > Click the previously created WebACL

 

2. Choose Associated AWS resources > Add AWS resources.

 

3. Click Application Load Balancer > Choose the target ALB name (make sure that the WebACL and ALB reside in the same region) > Click Add to finish associating the ALB.

 

Testing if the whitelisting works

1. The traffic is allowed when the IP is within the IP set (i.e., WhitelistedIPs).

2. But the traffic is denied when the IP is not in the IP set (i.e., WhitelistedIPs).

 

3. Even though the security group is exposed to the public internet, traffic is still being denied since WAF provides extra protection.

 

Defined in the design principles is to apply security at all layers. With this approach, the target Application Load Balancer (ALB) will have two layers of protection that restricts traffic so that despite one defense mechanism being misconfigured, there is an extra shield.

 

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Amiel Palacol

Amiel is a Senior DevOps Engineer based in the Philippines. He has solid hands-on experience in Amazon Web Services (AWS) and loves broadening his technical horizons in the cloud. Currently holds 6 AWS Certifications and outside tech, he loves coffee, games and music.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?