
How do I use AWS WAF to restrict direct traffic to an Application Load Balancer and allow traffic through API Gateway?


I want to use AWS WAF to restrict direct access to an Application Load Balancer. I also want to use AWS WAF to allow only direct access through Amazon API Gateway.

Resolution

To use AWS WAF to restrict direct traffic to an Application Load Balancer and allow traffic only through API Gateway, follow these steps.

Add a custom HTTP header

Configure API Gateway to add a custom HTTP header with a secret value in the requests that it sends to the Application Load Balancer.

Complete the following steps:

  1. Open the API Gateway console.
  2. In the navigation pane, choose APIs.
  3. Choose your REST API.
  4. In Resources, choose your HTTP method. For example, GET.
  5. Choose the Integration Request tab, and then choose Edit.
  6. Expand the URL request headers parameters section, and then choose Add request headers parameter.
    For Name, enter the name of the header. For example, custom-header.
    For Mapped from, enter the secret header value.
    Note: Make sure you enclose the secret header value in single quotes. For example, 'secret-value'.
  7. Choose Save.

Create a protection pack and rule

Create an empty AWS WAF protection pack that's associated with the Application Load Balancer. Then, create a rule to block requests that don't have the custom HTTP header with the secret value.

Note: If you already have an existing protection pack associated with your Application Load Balancer, then proceed to Create a rule.

Create a protection pack

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF.
  3. Choose Resources & protection packs.
  4. Under Protection packs, choose Create protection pack.
  5. Under Tell us about your app, select one or more App categories.
  6. Choose your App Focus.
  7. Under Select resources to protect, choose Add resources.
  8. Choose Add regional resources. Select your Application Load Balancer from the list.
  9. Under Choose protection pack, choose Build your own pack from all of the protections AWS WAF offers. Ignore the right pane.
  10. Under Name and describe, enter a name for your protection pack.
  11. Choose Create protection pack.

Create a rule

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF.
  3. Choose Resources & protection packs.
  4. Under Protection packs, select the associated protection pack and choose View and edit next to Rules. This will open a right pane.
  5. In the right pane, choose Add rule.
    Choose Custom rule and select Next.
    Choose Custom rule again and select Next.
  6. To set up your rule, configure the following values:
    For Action, choose Block.
    For Rule name, enter a rule name.
    For If a request, choose doesn't match the statement (NOT).
    For Inspect, choose Single Header.
    For Header field name, enter the custom Header name. For example, custom-header.
    For Match type, choose Exactly matches string.
    For String to match, enter the secret header value.
    Note: Make sure you enclose the secret header value in single quotes. For example, 'secret-value'.
  7. Choose Create rule.
  8. If you have multiple rules in the protection pack, then select Edit rule order in the right pane.
    Move the recently created rule to the highest priority by placing it at the top.
  9. Choose Save rule order.
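The two console procedures above (the API Gateway header mapping and the AWS WAF "doesn't match" rule) correspond to a small amount of API configuration. The following Python is an added example, not code from this article or from AWS: it builds the integration request parameter in the form boto3's `put_integration` takes, builds the rule in the form `wafv2` `create_web_acl`/`update_web_acl` take in their `Rules` list, and runs a local evaluator over a few constructed requests so you can see which ones the rule blocks before deploying it. The header name `custom-header` and value `secret-value` are the article's placeholders (use a long random value in practice). Note that the single quotes in the API Gateway mapping are static-value mapping syntax; the load balancer receives the header as `custom-header: secret-value`, so this example writes the WAF search string as that bare value.

```python
"""Model of the API Gateway header mapping and the AWS WAF rule, with a local
evaluator. Example code, not AWS's. Header name/value are the article's
placeholders; the sample requests below are constructed."""
import base64
import json

HEADER_NAME = "custom-header"
SECRET_VALUE = "secret-value"  # placeholder: generate a long random secret in practice

# 1. API Gateway integration request mapping (boto3 put_integration requestParameters).
#    The single quotes mark a static value; the ALB sees  custom-header: secret-value
API_GATEWAY_REQUEST_PARAMETERS = {
    f"integration.request.header.{HEADER_NAME}": f"'{SECRET_VALUE}'",
}


def build_waf_rule(name="block-direct-alb-access", priority=0):
    """WAF rule: block unless the request carries the header with exactly the secret.
    Priority 0 keeps it at the top of the rule order, as the article's step 8 asks."""
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "NotStatement": {
                "Statement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
                        "PositionalConstraint": "EXACTLY",
                        "SearchString": SECRET_VALUE.encode(),  # boto3 expects bytes
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                }
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def rule_as_cli_json(rule):
    """Serialise for `aws wafv2 ... --rules file://rules.json`. With the CLI v2
    default binary format, blob fields such as SearchString must be base64."""
    encoded = json.loads(json.dumps(rule, default=lambda b: base64.b64encode(b).decode()))
    return json.dumps([encoded], indent=2)


def _lookup_header(headers, name):
    """HTTP header names are case-insensitive; WAF compares them that way too."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _eval_statement(stmt, headers):
    """Evaluate the subset of WAF statements this rule uses."""
    if "NotStatement" in stmt:
        return not _eval_statement(stmt["NotStatement"]["Statement"], headers)
    if "ByteMatchStatement" in stmt:
        match = stmt["ByteMatchStatement"]
        value = _lookup_header(headers, match["FieldToMatch"]["SingleHeader"]["Name"])
        if value is None:
            return False  # a missing header never matches, so NOT(...) blocks
        if match["PositionalConstraint"] != "EXACTLY":
            raise NotImplementedError(match["PositionalConstraint"])
        return value.encode() == match["SearchString"]
    raise NotImplementedError(list(stmt))


def evaluate(rule, headers):
    """Return 'BLOCK' when the rule's statement matches, else 'ALLOW' (default action)."""
    if _eval_statement(rule["Statement"], headers):
        return next(iter(rule["Action"])).upper()
    return "ALLOW"


# Constructed requests as the load balancer would see them.
SAMPLE_REQUESTS = {
    "via_api_gateway": {"Host": "alb.example.internal", HEADER_NAME: SECRET_VALUE},
    "direct_no_header": {"Host": "alb.example.internal"},
    "direct_wrong_value": {"Host": "alb.example.internal", HEADER_NAME: "guess"},
    # Literal quotes are not part of the value API Gateway sends, so this is blocked too.
    "direct_quoted_value": {"Host": "alb.example.internal", HEADER_NAME: "'secret-value'"},
}


def classify_samples():
    rule = build_waf_rule()
    return {name: evaluate(rule, headers) for name, headers in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(API_GATEWAY_REQUEST_PARAMETERS, indent=2))
    print(rule_as_cli_json(build_waf_rule()))
    print(classify_samples())
```

The evaluator deliberately implements only `NotStatement` and an `EXACTLY` `ByteMatchStatement` on a single header, which is all this rule needs; it is a pre-deployment sanity check, not a substitute for WAF's sampled requests and CloudWatch metrics once the rule is live.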

Related information

How do I integrate an API Gateway REST API with an Application Load Balancer?

AWS OFFICIAL. Updated 7 months ago.