Can we place AWS WAF behind AWS Network Firewall

0

Hi,

I'm trying to deploy an AWS WAF behind the AWS Network Firewall.

Currently my setup has two subnets under one VPC, public and private. In the public subnet I have the firewall working, and the private subnet is for the web server, with only the HTTP service enabled. Right now I'm trying to deploy AWS WAF behind the Network Firewall. Is this possible, or how should I take this forward?

Asked 1 year ago, 1584 views
1 answer
0

You could certainly use AWS WAF on an Application Load Balancer that is logically behind the firewall, using ingress routing on the IGW to target the firewall before traffic is routed to the subnet where the ALB is deployed. You can see an example of this in figure 4 of this blog: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/ That said, I would make sure you are getting unique value from the Network Firewall in this architecture. Often you can get the controls you need with the WAF for the inbound web traffic you described. Network Firewall doesn't have to be used for all flows in a VPC; you can be selective about which subnets route through the Network Firewall and when.

AWS
Expert
Answered 1 year ago
  • Thanks for sharing the comment. So for this scenario, how many subnets are required? Since I have put the firewall in a public subnet and the web server in a private subnet, do I need to put the LB in the private subnet and another subnet for the server?

    Like from the internet to the firewall subnet, then the LB subnet, then to the web server subnet (private)?

    Correct me if I'm wrong.

  • The subnet naming changes a little, but yes, the LB would be in a "protected" subnet. This is different from public/private subnets: you still assign public IPs to the resources in the protected subnet, but it doesn't have a default route to the IGW; it has a default route to the firewall endpoints.
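The routing model described in the answer and its comments (IGW ingress routing into the firewall endpoint, a firewall subnet routing to the IGW, and a "protected" ALB subnet whose default route is the firewall endpoint), written out as an added Terraform example; this is not code from the thread or from AWS. It assumes a single AZ and existing resources named aws_vpc.main, aws_internet_gateway.igw, aws_subnet.firewall, aws_subnet.protected and aws_networkfirewall_firewall.fw; the AWS WAF web ACL is associated with the ALB in the protected subnet separately.

```hcl
locals {
  # Endpoint the firewall created in the (single, assumed) firewall subnet.
  fw_endpoint_id = one([
    for ss in aws_networkfirewall_firewall.fw.firewall_status[0].sync_states :
    ss.attachment[0].endpoint_id if ss.attachment[0].subnet_id == aws_subnet.firewall.id
  ])
}

# 1. Ingress routing: the route table associated with the IGW sends traffic bound
#    for the protected (ALB) subnet through the firewall endpoint first.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block      = aws_subnet.protected.cidr_block
    vpc_endpoint_id = local.fw_endpoint_id
  }
}

resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.igw_ingress.id
}

# 2. Firewall subnet: inspected traffic continues to the internet via the IGW.
resource "aws_route_table" "firewall" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "firewall" {
  subnet_id      = aws_subnet.firewall.id
  route_table_id = aws_route_table.firewall.id
}

# 3. Protected subnet: the ALB keeps public IPs, but the default route points at
#    the firewall endpoint rather than the IGW, so return traffic is inspected too.
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.fw_endpoint_id
  }
}

resource "aws_route_table_association" "protected" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}
```

In a multi-AZ deployment each AZ needs its own firewall subnet, protected subnet and route tables, with the IGW ingress table carrying one route per protected subnet CIDR to that AZ's endpoint.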
