Blocking web traffic with WAF in AWS

Lab Details

1. This lab walks you through the steps to block web traffic with a WAF (web application firewall) in AWS.
   
2. Duration: 1 Hour
   
3. AWS Region: US East (N. Virginia)
   

Introduction

WAF (web application firewall)

1. AWS WAF is a web application firewall that helps you to protect your web applications against common web exploits that might affect availability and compromise security.
   
2. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns like SQL injection and cross-site scripting.
   
3. It only allows the request to reach the server based on the rules or patterns you define.
   
4. Users create their own rules and specify the conditions that AWS WAF searches for in incoming web requests.
   
5. The cost of WAF is only for what you use.
   
6. The pricing is based on how many rules you deploy and how many web requests your application receives.
   
7. For example, you can deploy AWS WAF on Amazon CloudFront with an Application Load Balancer in front of your web servers or servers running on EC2.
   

Features of WAF

Web traffic filtering using custom rules

• You can create your own rules, depending on your requirements, whether to block or allow the incoming and outgoing request. You can also customise the string that appears in your web request.
  

 Blocking malicious requests

• You can also configure rules in AWS WAF to identify and block web requests threats like SQL injections and cross-site scripting.
  

Tune your rules and monitor traffic

• AWS WAF also allows us to review our rules and customize them to prevent new attacks from reaching the server.
  

Lab Description

Bastion Server

• A bastion host is a system that is exposed to the internet launched in a public subnet.
  
• In terms of security, Bastion is the only server which is exposed to the internet and should be highly protective to attacks.
  
• Bastion host is also known as a Jump Box. It is a computer that acts like a proxy server and that allows the client machine to connect to the remote server.
  
• It usually resides outside the firewall.
  
• The Bastion server filters the incoming traffic and prevents the unwanted connections entering the network thus acting like a gateway.To maintain the security of bastion hosts, all unnecessary software, daemons and users are removed.
  

Application Load Balancer (ALB)

• Load Balancer, a service that allows you to distribute the incoming application or network traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses, in multiple Availability Zones.
  
• ALB is used to route the HTTP and HTTPS traffic across the targets based on the rules attached with the target group.
  
• Rules determine what action is taken when a rule matches a client request.
  
• The target group is used to route requests across registered targets as part of an action rule. Target groups consist of a protocol and target port. We can also configure health checks to monitor the status of the target group. A single  ALB can route traffic to multiple target groups.
  
• Targets consist of EC2 instances  that are registered with the ALB as part of a target group.
  

Web servers

• Two web servers are launched in the Private subnet to handle the web request.
  
• The request the to web servers are shared using the ALB.
  
• Web servers are attached to the ALB Target group.
  
• Servers are pre-installed with HTTPD on both servers and have the test pages RESPONSE COMING FROM SERVER 1 and RESPONSE COMING FROM SERVER 2 respectively.
  
• They are attached to a security group via port 22 that allows the SSH connection only from Bastion server and port 80 that allows the web traffic coming from ALB.
  

Architecture Diagram
     
Lab Tasks

1. In this lab, we will launch two web servers with an HTTPD service installed in them.
   
2. An Application Load Balancer (ALB) with the target group routing the traffic to the load balancer.
   
3. Creating an IP set in WAF i.e list of IPs to block. Here we are adding our IPv4 by getting it from https://www.whatismyip.com/.
   
4. Creating an ACL rule in WAF using the IP set created in the above step.
   
5. Testing the Response of the Load balancer without applying the WAF ACL.
   
6. Applying WAF rule to the Application Load Balancer.
   
7. Testing the working of the ALB.
   

Steps

Creating Security group for Load balancer

1. Navigate to the EC2 Dashboard and scroll down to . In the left menu, click on 
   
2. Configure the security group as follows:
   

• Security group name: LoadBalancer-SG
  
• Description : Security group for Load balancer
  
• VPC : Leave as default
  
• Click on  and add the port as follows
  
  • Port         : 80
    
  • Protocol    : HTTP
    
  • Source    : 0.0.0.0/0
    
• Once you provide the above details, click on  and the security group for the load balancer will be created.
  

Steps to create the Web-servers

1. Click on .
   
2. Choose an Amazon Machine Image (AMI): 
   
3. Instance Type             : t2.micro
   
4. Configure Instance Details:
   

• Number of instances    : 1
  
• Auto-assign Public IP    : Select Enable
  
• Click on .
  
• Under the User data section, enter the following script to create an HTML page served by an Apache HTTPD web server.
  

  #!/bin/bash yum install httpd24 -y service httpd start chkconfig httpd on echo “RESPONSE COMING FROM SERVER  A” > /var/www/html/index.html

  1. Now click on 
     
  2. Add Storage: No need to change anything in this step, click on 
     
  3. Add Tags: Click on 
     
• Key               : Enter Name
  
• Value             : Enter webserver-A 
  
• Click on : 
  

1.  Configure Security Group:
   

• Name        :  Enter webserver-SG
  
• Description    :  Type security group for webserver
  
• To add SSH
  
  • Choose Type        : Select 
    
  • Source        : Choose 
    
• To add HTTP
  
  • Choose Type    : HTTP
    
  • Source        : Choose LoadBalancer-SG
    

  
  

1. After that, click on 
   
2. Key Pair : Create a new key pair named webkey and click on  . The key pair will be downloaded to your local system. After that, click on .
   
3. After a few minutes, you will see new instance named    webserver-A running along with Bastion-server created in the earlier step.
   
4. Repeat the above steps to create Webserver-B by selecting the existing security group  webserver-SG providing the following details:
   

• Name: webserver-B
  
• Security Group name:  webserver-SG 
  
• Key Name: webkey.
  

1. Navigate to the EC2 Dashboard to find the two instances (webserver-A and webserver-B) running.
   

 Creating a Load balancer

1. In the EC2 console, navigate to  in the left side panel.
   
2. Click on  on top left to create a new load balancer for our web servers.
   
3. On the next screen, choose  since we are testing the high availability of our web application.
   
4. In configure the load balancer, provide the following details:
   

• Name        : Enter Web-server-LB
  
• Scheme    : Select Internet-facing
  
• Ip address type    : Choose ipv4
  
• Listener        : Default (Http:80)
  
• Availability Zones
  
  • VPC             : Choose Default
    
  • Availability Zones  : Select All Availability Zones , 
    

  (Note: we must specify the availability zones in which the load balancer needs to be enabled so it can route the traffic only to the targets launched in those availability zones. You must  include subnets from a minimum of two Availability zones to make our Load balancer Highly Available.)
  

1. Once filling in all the details above, ignore the warning and click on 
   
2. Configure Security Settings:
   

• Select an existing security group and chose the security group LoadBalancer-SG that we created in the above step.
  

  
  

1. configure Routing 
   

• Target Group: Select New target group (default)
  
  • Name        : Enter web-server-TG
    
  • Target Type    : Select Instance
    
  • Protocol    : Choose HTTP
    
  • Port        : Enter 80
    
  • Note: The target group is used to route requests to one or more registered targets
    
• Health check:
  
  • Protocol    : Choose HTTP
    
  • Path        :Enter  /index.html
    
  • Click on 
    
  • Note: The load balancer periodically sends pings, attempts connections, or sends requests to test the EC2 instances. These tests are called health checks.
    
  • Create an index.html file the default Apache document root /var/www/html of web servers to pass the health check. This can be done by navigating to the route and executing the command: echo “hello world” > index.html
    

1. Registering Targets
   

• Choose the two web instances, click on  and click on .
  

  
  

1. Once you reviewed the settings, click on .
   
2. You have successfully created the Application Load balancer. Wait for 2 to 3 minutes for the Load balancer to become Active.
   

   
   

Testing the Load Balancer

1. Navigate to  and select the load balancer that you created. Click on  , copy the  and paste it in the browser
   

1. Refresh the browser a few times and you will see the request is serving from both servers. You will see the output as RESPONSE COMING FROM SERVER A & RESPONSE COMING FROM  SERVER B. This shows that load is shared between the two web servers via Application Load Balancer.
   

Creating an IP set

1. Click on  and select  under the  section.
   
2. Select  in the right side menu and click on  
   
3. On the next screen, fill out the following details under Create IP set.
   

• IP set details:
  
  • IP set name    : MyIPset
    
  • Description    : IP set to block my public IP
    
  • Region           : US EAST (N.Virginia )
    
  • IP Version      : IPv4
    
  • IP address     : IP of your local network/32 from https://www.whatismyip.com/.
    
  • Note: You have to give /32 after the IP is pasted or else you won’t be able to create an IP set.
    
• Once you have provided the above details, click on 
  

Creating a web ACL

1. Web ACL details
   

• Navigate to the AWS WAF dashboard and select  . Click on  to create a new web ACL.
  
• Configure the ACL as below:
  
  • Web ACL details
    
    • Name                                  : MywebACL
      
    • Description                           : ACL to block my public IP
      
    • CloudWatch metric name    : Leave Default
      
    • Resource type        : Regional resources  (Application Load Balancer and API Gateway)  
      

    • Region                                : US EAST (N.Virginia)
      
    • To associate an AWS resource, click on 
      
    • In Add AWS resources select Application Load Balancer and select the name of ALB. Click on 
      

  
  

• Lastly click on .
  

1. Add rules and rule groups
   

• Under Rules click on  and select   in the drop-down menu.
  
• In Rule type select IP set  as shown below and fill the details as given below:
  
  • Rule type    :  IP set 
    
  • Name          :  MywebACL-rule
    
  • IP set           :  select the IP set created Above ( MyIPset )
    
  • Action          : Block
    
• Once you provide the above details, click on .
  
• Lastly click on .
  

1. Set rule priority
   

• Leave as default and click on .
  

1. Configure metrics
   

• Leave as default and click on .
  

1. Review and create web ACL
   

• Review all your inputs and click on 
  

1. Wait for 1 or 2 minute until you will see that your web ACL is successfully created.
   

1. You have successfully created a web ACL for ALB with the help of an IP set created with your public IP.
   

Testing the working of the WAF

1. To test the WAF, navigate  to  from the EC2 left menu under the sub-heading Load balancing
   
2. Under the Load balancer section, select the Application load balancer awf-alb.
   
3. Copy the DNS name under Description and paste it in your desired browser.
   

• Example: awf-alb-624780576.us-east-1.elb.amazonaws.com
  

  
  

1. You will get a 403 forbidden error showing that WAF blocked your connection to ALB.
   

Unblocking the IP

1. To unblock the IP, navigate to  and click on MyIPset. Select your public IP and then click on 
   

1. Enter your IP followed by CIDR /32 from the link: https://www.google.com/search?client=firefox-b-d&q=what+is+my+ip/
2. Type delete in the confirmation box and click on .
   
3. You have successfully removed the IP from WAF.
   
4. Wait for a few minutes.
   
5. Navigate to  from EC2 left menu under the sub-heading Load balancing
   
6. Under the Load balancer section, select the Application load balancer awf-alb.
   
7. Copy the DNS name under Description and paste it in your desired browser.
   

• Example: awf-alb-624780576.us-east-1.elb.amazonaws.com
  

1. You will get the response from the web servers either stating RESPONSE COMING FROM SERVER 1 or RESPONSE COMING FROM SERVER 2 as shown below:
   

Completion and Conclusion

1. You have successfully created an IP set using your public IP.
   
2. You have successfully created a web ACL rule using an IP set and application load balancer (ALB).
   
3. You have successfully tested the working of the ALB after implementing a WAF, blocking the web request to the ALB from your local network.
   
4. You deleted the IP set and tested the working of the ALB.