Can we place AWS WAF behind AWS Network Firewall?


Hi,

I'm trying to deploy an AWS WAF behind the AWS Network Firewall.

Currently my setup has two subnets under one VPC, public and private. In the public subnet I have put the firewall to work, and the private subnet is for the web server, with just the HTTP service enabled. Right now I'm trying to deploy AWS WAF behind the Network Firewall. Is this possible, and how should I take this forward?

1 Answer

You could certainly use AWS WAF on an Application Load Balancer that is logically behind the firewall, using ingress routing on the IGW to target the WAF before traffic is routed to a subnet where the ALB is deployed. You can see an example of this in figure 4 of this blog: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/. That said, I would make sure you are getting unique value from the Network Firewall in this architecture. Often you can get the controls you need with the WAF for the inbound web traffic you described. Network Firewall doesn't have to be used for all flows in a VPC; you can be selective in which subnets route through the Network Firewall and when.

AWS
EXPERT
answered a year ago
  • Thanks for sharing the comment. So for this scenario, how many subnets are required? I have put the firewall in a public subnet and the web server in a private subnet. Do I need to put the LB in a private subnet and use another subnet for the server?

    Like from the internet to the firewall subnet, then the LB subnet, then to the web server subnet (private).

    Correct me if I'm wrong.

  • The subnet naming changes a little, but yes, the LB would be in a "protected" subnet. This is different from public/private subnets: you still assign public IPs to the resources in the protected subnet, but it doesn't have a default route to the IGW; it has a default route to the firewall endpoints.
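
The routing described in the answer and the follow-up comment, as an added example that is not part of the original thread: a Python check over three route tables (IGW edge, firewall subnet, protected subnet) that reports when traffic to or from the ALB would skip the firewall endpoint. The CIDRs, IDs and function names are constructed; the firewall subnet's default route to the IGW is an assumption taken from the deployment model in the linked AWS blog, not stated in the thread.

```python
import ipaddress

# Constructed sample values; the CIDRs and IDs are placeholders, not from the thread.
FW_ENDPOINT = "vpce-EXAMPLE"
IGW = "igw-EXAMPLE"
PROTECTED_CIDR = "10.0.2.0/24"   # subnet holding the ALB with AWS WAF attached

def next_hop(routes, dest_ip):
    """Longest-prefix match, as VPC route tables do; returns the target or None."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(cidr), target) for cidr, target in routes.items()
               if ip in ipaddress.ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def check_inspection_path(igw_edge, firewall_subnet, protected_subnet,
                          alb_ip="10.0.2.10", client_ip="198.51.100.7"):
    """Return a list of findings; an empty list means both directions cross the firewall."""
    findings = []
    if next_hop(igw_edge, alb_ip) != FW_ENDPOINT:
        findings.append("inbound: IGW edge table does not send ALB traffic to the firewall endpoint")
    if next_hop(firewall_subnet, client_ip) != IGW:
        findings.append("firewall subnet: no route to the IGW for inspected return traffic")
    hop = next_hop(protected_subnet, client_ip)
    if hop == IGW:
        findings.append("outbound: protected subnet routes straight to the IGW, bypassing the firewall")
    elif hop != FW_ENDPOINT:
        findings.append("outbound: protected subnet has no default route to the firewall endpoint")
    return findings

GOOD = {
    "igw_edge": {"10.0.0.0/16": "local", PROTECTED_CIDR: FW_ENDPOINT},
    "firewall_subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": IGW},
    "protected_subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": FW_ENDPOINT},
}
# Same layout, but the ALB subnet was left as an ordinary public subnet.
BYPASS = dict(GOOD, protected_subnet={"10.0.0.0/16": "local", "0.0.0.0/0": IGW})

if __name__ == "__main__":
    for name, tables in (("GOOD", GOOD), ("BYPASS", BYPASS)):
        print(name, check_inspection_path(**tables) or "ok")
```

The web server's private subnet is left out because it only needs the VPC-local route to reach the ALB.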
