I'd note that traffic does not flow through Route 53. The DNS lookup process happens before traffic flows; and once the client has performed the DNS lookup (using Route 53) then the traffic flows directly from the client to the IP address that was returned by Route 53. Route 53 is never in the traffic path.
With that said:
WAF can be attached to an Application Load Balancer or to a CloudFront distribution. So you could put an ALB in front of your firewall - the ALB would have a public IP address and you could then deliver the traffic to it; have it processed by WAF; then passed through the firewall to your workloads. This is described in some detail in this blog post. I'd note that there are a couple of different ways of doing this but in general the answer is "yes".
For traffic that is not going to the ALB you would have an Elastic IP on the firewall itself (as you probably do now) and the existing DNS lookups will return that IP address and clients will continue to connect to it. Note that it makes the diagrams on the blog post look a bit "messy" and there are considerations around route tables and how things are routed but it can be made to work.
There are also cases where this won't work depending on how your routing and firewall policies are configured. There might be situations where you will need separate firewalls for different ingress and egress patterns. There might also be situations where Gateway Load Balancer is useful - this is also covered in the blog post.
This is a fairly complex area - it may be worthwhile reaching out to your local AWS Solutions Architect to discuss your requirements.
Also, please check the ingress pattern references here, which outline different scenarios:
https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/
https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
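As an added example, not code from the answers above or from AWS, here is a minimal Terraform definition of the WAF-on-ALB piece of the design the answer describes: an internet-facing ALB (the public entry point), a REGIONAL WAFv2 web ACL with an AWS managed rule group plus a rate-based rule, and the association that makes the ALB's traffic pass through WAF before it is forwarded on. The VPC, subnet and security-group references, the resource names and the rate limit are assumptions; the Network Firewall endpoints, route tables and the target group behind the ALB are out of scope here.

```hcl
# Assumed: subnets, VPC and security group are defined elsewhere in the module.
variable "public_subnet_ids" { type = list(string) }
variable "alb_sg_id" { type = string }

# The public-facing ALB that owns the public IP addresses clients connect to.
# Traffic reaches it directly after the Route 53 lookup; Route 53 is not in path.
resource "aws_lb" "ingress" {
  name               = "ingress-alb"          # assumed name
  internal           = false
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
  security_groups    = [var.alb_sg_id]
}

# Regional web ACL: ALBs require scope = "REGIONAL" (CloudFront uses "CLOUDFRONT").
resource "aws_wafv2_web_acl" "ingress" {
  name  = "ingress-web-acl"                   # assumed name
  scope = "REGIONAL"

  # Anything not blocked by a rule is allowed on to the firewall/workloads.
  default_action {
    allow {}
  }

  # AWS managed baseline rules (common web exploits, bad inputs, etc.).
  rule {
    name     = "aws-managed-common"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  # Per-source-IP rate limit; 2000 requests per 5 minutes is an assumed value.
  rule {
    name     = "rate-limit-per-ip"
    priority = 2
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ingress-web-acl"
    sampled_requests_enabled   = true
  }
}

# Attaching the web ACL to the ALB is what puts WAF in the request path.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.ingress.arn
  web_acl_arn  = aws_wafv2_web_acl.ingress.arn
}
```

The association resource is the important line for the question asked: without it the web ACL exists but inspects nothing. Traffic that does not arrive via the ALB (for example connections to an Elastic IP on the firewall itself, as the answer mentions) is not covered by this ACL, so WAF-protected and non-WAF paths need to be tracked separately in the route tables and in monitoring.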