AWS Application Load Balancer with WAF

AWS Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets—such as EC2 instances, containers, and IP addresses—to ensure high availability and robust fault tolerance.

  • Application Load Balancer (ALB): Operates at Layer 7 (HTTP/HTTPS) and is best suited for modern web applications, offering advanced request routing based on content like URL paths, headers, or hostnames.
  • Network Load Balancer (NLB): Operates at Layer 4 (TCP/UDP) and is designed for extreme performance, capable of handling millions of requests per second with ultra-low latency.
  • Gateway Load Balancer (GWLB): Combines a transparent network gateway (Layer 3) with load balancing (Layer 4) to easily deploy, scale, and manage fleets of third-party virtual appliances like firewalls and intrusion detection systems.


Application Load Balancer

Here we have 2 Linux instances serving a web application on port 8080.

We’ll create a Target Group containing those 2 instances so we can later use it as the load-balancing target. Here we select protocol HTTP on port 8080.

Then we select the VPC the instances are in, and choose the health check protocol and path.

Next we select the 2 Linux instances.

Review and hit Create

Now we have a Target Group

After that, we’ll create the Application Load Balancer

Give it a name and select the scheme.

Then select the VPC. Note that the load balancer requires at least 2 subnets in 2 different Availability Zones, which is why we added a second ‘placeholder’ subnet.

Next, for the listener, we’ll select HTTP on port 80, forwarding to the Target Group we created earlier.

Review and hit Create

After a couple of minutes, the ALB is up and running.

And when we access the Load Balancer DNS name, requests are served by both Linux instances, confirming they are being load balanced.

Web Application Firewall

AWS WAF sits on our ALB to filter traffic using customizable rules before it hits our servers. In this lab, we will enforce geo-blocking to deny access from specific countries and rate limiting to automatically ban IPs that send too many requests.

First we will create a new Protection Pack (Web ACL) that protects our ALB

For the first rule, we will select a custom rule and then a Geo-based rule.

Then we create a rule to block any traffic originating from Russia and China.

Next, for the second rule, we will select a Rate-based rule.

And create a throttling rule that limits each source IP to a maximum of 10 requests per minute.

Now we have both our rules configured inside this Web ACL

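The same Web ACL, written as Terraform so the two rules can be reviewed and reproduced outside the console. This is an added example, not the post’s own configuration: the ACL, rule and metric names are assumed, and attaching the ACL to the ALB is done separately with an aws_wafv2_web_acl_association resource that references the ALB’s ARN.

```hcl
resource "aws_wafv2_web_acl" "lab" {
  name  = "alb-lab-web-acl"   # assumed name
  scope = "REGIONAL"          # ALBs are regional; CLOUDFRONT scope is only for distributions
  default_action {
    allow {}                  # requests matched by no rule are passed to the ALB
  }
  rule {
    name     = "block-ru-cn"  # assumed rule name
    priority = 1              # evaluated before the rate rule
    action {
      block {}                # default block response is HTTP 403
    }
    statement {
      geo_match_statement {
        country_codes = ["RU", "CN"]   # Russia and China, as in the lab
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-ru-cn"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "rate-limit-10-per-min"  # assumed rule name
    priority = 2
    action {
      block {
        custom_response { response_code = 429 }   # 429 Too Many Requests instead of the default 403
      }
    }
    statement {
      rate_based_statement {
        limit                 = 10     # 10 is the lowest limit WAF accepts
        evaluation_window_sec = 60     # count requests over one minute
        aggregate_key_type    = "IP"   # limit applies per source IP
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-10-per-min"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true   # feeds the WAF dashboard shown later in the post
    metric_name                = "alb-lab-web-acl"
    sampled_requests_enabled   = true
  }
}
```

Without the association resource the ACL exists but inspects no traffic, so confirm it in the WAF console after applying.
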
Finally, give it a name and hit Create.

Now if we try accessing the ALB from Russia or China, we will be denied

We can see this report on the WAF Dashboard

And if we try to brute-force the ALB, we get a 429 Too Many Requests error.

We can also see this report on the dashboard


This post is licensed under CC BY 4.0 by the author.