Blocking Web Traffic with WAF in AWS

Hands-On Lab

Length: 00:30:00

Difficulty: Intermediate

This activity provides you with the opportunity to get hands-on experience solving a real-world scenario where we want to block web traffic from a malicious source. The AWS WAF service protects your web applications from common exploits that could affect availability, compromise security, or consume excessive resources. WAF monitors HTTP requests directed at Amazon CloudFront or an Application Load Balancer. In this learning activity, we'll focus on the Load Balancer.


Introduction

Sometimes we need to block web traffic from a malicious source. The AWS WAF service protects web applications from common exploits that could affect availability, compromise security, or consume excessive resources. WAF monitors HTTP requests directed at Amazon CloudFront or an Application Load Balancer. In this hands-on lab we'll configure WAF to keep traffic originating from a particular source from ever reaching our Load Balancer.

The Scenario

We've got a VPC (containing a couple of web servers, bastion hosts, and a load balancer) that needs protecting. We're going to set up an AWS WAF between our VPC and the internet, to block traffic from a host on a particular public IP address that's already shown malicious intent. To do this, we've got to:

  • Create a web ACL
  • Create a condition and associate it with that "bad actor" host
  • Create a rule that actually blocks the traffic

Logging In

Use the credentials on the hands-on lab overview page to log into the AWS web console, and let's make sure we're in the us-east-1 region.

Determine What to Block and What to Protect

Let's head over to the EC2 dashboard. In there is an instance named internet-host. This is our nemesis, and what we need to block. Highlight it, and make note of its public IP.

Now navigate to Load Balancers (in the far left-hand menu), and highlight the only one that's in there. This is what we need to protect, so make note of its DNS name for later.

Just to check for current connectivity, log into that internet-host with SSH as cloud_user, then try to get the HTTP response headers from the load balancer. Run

curl -i load-balancer...

We'll just replace load-balancer... there with the DNS Name we got. Note the 200 OK line we get in the response. That will instead be a 403 error once we've got the WAF in place.

Create Web ACL

Navigate to (or search for) WAF & Shield, then click on Go to AWS WAF. In there, click Configure web ACL, then Next. In this form, set these values:

  • Web ACL name: myacl
  • CloudWatch metric name: myacl
  • Region: US East (N. Virginia)
  • AWS resource to associate: load-balancer

Now click Next to move on.

Create Condition

This is where we're going to specify the if in the if/then firewall setup: if traffic matches this IP, then block it. Scroll down this next screen and click Create condition in the IP match conditions section. In the form we've now landed in, we'll use these values:

  • Name: host-ip-condition
  • Region: US East (N. Virginia)
  • IP Version: IPv4
  • Address: x.x.x.x/32 (This is the IP address of internet-host with a /32 after it)

Now click Add IP address or range, then the Create button at the bottom of the screen. Once that's done, click Next, again at the bottom of the screen. This will take us to the rule creation part of the job.

Create Rule

In this screen, let's click Create rule. In the next form, we'll set these values:

  • Name: host-rule
  • CloudWatch metric name: hostrule (This will auto-populate)
  • Rule type: Regular rule
  • Region: US East (N. Virginia)

Down in the Add conditions section, we'll leave the first dropdown set to does, set the second dropdown to originate from an IP address in, and then pick host-ip-condition in the last one. Click Create down at the bottom of the screen, and we can move on.

In the next screen, we won't be touching much. Down in the lower part of the window, we need to set the Default action to Allow all requests that don't match any rules. Once that's done, we can click Review and create, then Confirm and create on the next screen.

Testing

It looks like the rule is set up, but let's head back into the SSH session we had open earlier and check. Run that same curl command that we ran before, and this time around we should get a 403 Forbidden error.

To reverse what we just did (remove the rule), we can get back into the browser window. If we're not in the right spot already, from the main AWS console it's WAF & Shield > AWS WAF > Web ACLs.

In there we can see the host-rule we set up, so we'll click the Edit web ACL button to make changes. In the Edit screen, click the blue X button on the right-hand side, then click Update. Now if we run the curl command again, over in our terminal, we'll get a 200 OK message again.
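The same configuration the console steps above build (IP match condition, rule, web ACL, load balancer association) and the reversal from the Testing section, as an added boto3 example that is not part of the lab. It assumes boto3 is installed with the lab account's credentials, and that you pass the load balancer's ARN (the lab only shows its DNS name); the pure helpers at the top build the WAF Classic request entries and run offline.

```python
import ipaddress


def ip_set_update(ip, action="INSERT"):
    """IPSet update for one host: WAF Classic takes CIDRs, so a lone
    address becomes x.x.x.x/32, exactly as the condition form does."""
    net = ipaddress.ip_network(f"{ip}/32")  # ValueError on a malformed address
    if net.version != 4:
        raise ValueError("the lab's condition is IPv4 only")
    return {"Action": action,
            "IPSetDescriptor": {"Type": "IPV4", "Value": str(net)}}


def activated_rule(rule_id, action="INSERT", priority=1):
    """ActivatedRule entry; DELETE is the API equivalent of the blue X."""
    return {"Action": action,
            "ActivatedRule": {"Priority": priority, "RuleId": rule_id,
                              "Action": {"Type": "BLOCK"}}}


def block_host(bad_ip, alb_arn, region="us-east-1"):
    """Condition, rule, web ACL, then ALB association. Returns the ids
    needed to undo it. Every mutating call needs a fresh change token."""
    import boto3  # imported here so the pure helpers above run offline
    waf = boto3.client("waf-regional", region_name=region)
    def token(): return waf.get_change_token()["ChangeToken"]
    ip_set_id = waf.create_ip_set(Name="host-ip-condition",
                                  ChangeToken=token())["IPSet"]["IPSetId"]
    waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token(),
                      Updates=[ip_set_update(bad_ip)])
    rule_id = waf.create_rule(Name="host-rule", MetricName="hostrule",
                              ChangeToken=token())["Rule"]["RuleId"]
    waf.update_rule(RuleId=rule_id, ChangeToken=token(), Updates=[{
        "Action": "INSERT",
        "Predicate": {"Negated": False, "Type": "IPMatch", "DataId": ip_set_id}}])
    acl_id = waf.create_web_acl(Name="myacl", MetricName="myacl",
                                DefaultAction={"Type": "ALLOW"},  # allow what no rule matches
                                ChangeToken=token())["WebACL"]["WebACLId"]
    waf.update_web_acl(WebACLId=acl_id, ChangeToken=token(),
                       Updates=[activated_rule(rule_id)])
    waf.associate_web_acl(WebACLId=acl_id, ResourceArn=alb_arn)  # alb_arn is assumed
    return {"web_acl_id": acl_id, "rule_id": rule_id, "ip_set_id": ip_set_id}


def unblock_host(ids, region="us-east-1"):
    """Detach the rule from the web ACL; the host gets 200 OK again."""
    import boto3
    waf = boto3.client("waf-regional", region_name=region)
    waf.update_web_acl(WebACLId=ids["web_acl_id"],
                       ChangeToken=waf.get_change_token()["ChangeToken"],
                       Updates=[activated_rule(ids["rule_id"], action="DELETE")])
```

Re-running the curl command from internet-host after block_host should show the 403, and after unblock_host the 200 OK again, just as in the console walkthrough.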

Conclusion

What we've done here is gone through the process of protecting a load balancer, tucked inside a VPC, from an external threat on a particular IP address. There are all sorts of other applications for this, but we've at least gone through the process. Congratulations!