I want to use AWS WAF to restrict direct access to an Application Load Balancer. I also want to use AWS WAF to allow only direct access through Amazon API Gateway.
Resolution
To use AWS WAF to restrict direct traffic to an Application Load Balancer and allow traffic only through API Gateway, follow these steps.
Add a custom HTTP header
Configure API Gateway to add a custom HTTP header with a secret value in the requests that it sends to the Application Load Balancer.
Complete the following steps:
- Open the API Gateway console.
- In the navigation pane, choose APIs, and then choose your REST API.
- In Resources, choose your HTTP method, for example: GET.
- Choose the Integration Request tab, and then choose Edit.
- Expand the URL request headers parameters section, and then choose Add request headers parameter.
- For Name, enter the name of the header, for example: custom-header.
- For Mapped from, enter the secret header value, for example: 'secret-value'.
Note: You must enclose the value in single quotes.
- Choose Save.
Create a web ACL and rule
Create an empty AWS WAF web ACL that's associated with the Application Load Balancer. Then, create a rule to block requests that don't have the custom HTTP header with the secret value.
Note: If you already have an existing web ACL associated with your Application Load Balancer, then proceed to Create a rule.
Complete the following steps to create an AWS WAF web ACL:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs, and then choose Create web ACL.
- For Region, select the AWS Region where your Application Load Balancer is located.
- For Name, enter a name.
- For Associated AWS resources, select your Application Load Balancer, and then choose Next.
- For Add rules and rule groups, accept the default values.
- Choose Next, and then choose Next again.
- For Request sampling options, choose Enable sampled requests, and then choose Next.
- Review the web ACL configuration. If it matches your specifications, then choose Create web ACL.
Complete the following steps to create a rule:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the AWS Region where your Application Load Balancer is located.
- Select the associated web ACL.
- Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
- For Name, enter a rule name, and then choose Regular Rule.
- For If a request, choose doesn't match the statement (NOT).
- On Statement 1, do the following:
For Inspect, choose Single Header.
For Header field name, enter the custom Header name, for example: custom-header.
For Match type, choose Exactly matches string.
For String to match, enter the secret header value, for example: 'secret-value'.
Note: Confirm that you enclosed the value in single quotes.
- For Action, choose Block.
- Choose Save rule.
- For Set rule priority, set the rule to the highest priority.
- Choose Save.
Related information
How do I integrate an API Gateway REST API with an Application Load Balancer?