Hello.
For layer-7 protection for an API the recommended service is Web Application Firewall; WAF protection is improved when integrated with Shield Advanced.
For using WAF (L7) with Shield Standard (L3-4) I would suggest you check the WAF Security Automations solution, which, using WAF and integrating other serverless technologies, has bot protection, HTTP-flood prevention and easy use of block/allow IP lists. Deployment is straightforward following the deployment guide and using CloudFormation.
To read about Shield Advanced (L7 plus other features) protections with WAF, you can look at this page.
Adding to my response: there are several layers of protection you can use. Network Firewall is not designed for large DDoS, as AWS Shield Advanced is the pre-existing service for this purpose and has other important benefits such as an incident response team. Customers can take advantage of Shield Advanced even when choosing other firewall or perimeter protection solutions from recognized security partners.
Its primary purpose is not to mitigate large-scale DDoS attacks, especially volumetric attacks that can impact the availability of your application. AWS Network Firewall is designed to provide fine-grained control over network traffic, and it can be used to block specific IP addresses.
For Layer 7 DDoS protection, you can consider a combination of AWS Shield Advanced and AWS WAF (Web Application Firewall). AWS Shield Advanced provides DDoS protection at the network and transport layers (Layers 3 and 4). AWS WAF, on the other hand, offers Layer 7 protection by allowing you to create custom web access control rules based on various parameters such as IP addresses, HTTP headers, query strings, etc.
The answer is that while you can use Amazon Network Firewall (ANF) for IP blocking, be aware that it does have a per-AZ maximum capacity.
We would recommend using AWS WAF with one of the services it integrates with for this purpose; however, you may have requirements that do not lend themselves to using AWS WAF, such as TLS termination.
I see you have Shield Advanced and your main worry is layer 7 attacks. I would recommend that instead of using Network Firewall you place Global Accelerator in front of the endpoints and protect AGA with a Shield Advanced custom mitigation that blocks traffic from our "Layer 7 known offenders" list (which is the same list that the AWS WAF IPDDosList is sourced from). To inquire about working with SRT to build custom mitigations, create a support case under AWS Shield.
If you have reasons for instead using ANF, you can still contact SRT to discuss a custom mitigation appropriate for your use case.
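To make the WAF-based approach from the answers above concrete (IP-based blocking as in the "block specific IP addresses" and IP-list points, plus a rate-based rule against layer-7 floods), here is an added CloudFormation example; it is not code from any of the answerers or from AWS. The IP ranges are RFC 5737 documentation addresses, and the API Gateway ID and stage name are placeholders to replace.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example WAFv2 web ACL - IP deny-list plus per-IP rate limit (constructed example)

Resources:
  BlockedIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-offenders-example
      Scope: REGIONAL              # use CLOUDFRONT (deployed in us-east-1) for a CloudFront distribution
      IPAddressVersion: IPV4
      Addresses:                   # placeholder documentation ranges, not real offenders
        - 203.0.113.0/24
        - 198.51.100.7/32

  ApiWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: api-protection-example
      Scope: REGIONAL
      DefaultAction:
        Allow: {}                  # everything not matched by a rule is allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: apiProtectionExample
      Rules:
        - Name: block-known-offenders   # layer-7 block by source IP set
          Priority: 0
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockKnownOffenders
        - Name: rate-limit-per-ip       # HTTP-flood mitigation: block IPs over the limit
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000                # requests per 5-minute window from one source IP
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rateLimitPerIp

  WebACLAssociation:                     # attach to the regional resource, here an API Gateway stage
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/REPLACE_API_ID/stages/REPLACE_STAGE
      WebACLArn: !GetAtt ApiWebACL.Arn
```

Watch the two rule metrics in CloudWatch after deployment: a rising count on rateLimitPerIp with few hits on blockKnownOffenders indicates sources not yet in the IP set.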
Hello, I appreciate your answer, however I don’t think it answers the question being asked. My question is specifically around the recommendation from the FAQ.