Are you interested in learning about AWS WAF and its use cases?
In this guide we'll walk through the steps to block web traffic with a WAF (web application firewall) in AWS.
Introduction
What’s WAF (web application firewall)?
AWS WAF is a web application firewall that helps you protect your web applications against common web exploits.
Features of WAF
Web traffic filtering using custom rules
Depending on your requirements, you can create your own rules that block or allow incoming and outgoing requests.
Rules can also match on specific strings that appear in a web request.
Blocking malicious requests
You can also configure rules in AWS WAF to identify and block web request threats like SQL injections and cross-site scripting.
Architecture Diagram
Task Steps
Step 1: Basic Setup
Sign in to the AWS Management Console and set the default AWS Region to US East (N. Virginia), us-east-1.
Step 2: Create a Security group for the Load balancer
Navigate to the EC2 Dashboard, scroll down to Security Groups in the left menu, and click Create Security Group.
Configure the security group as follows:
Security group name: Enter LoadBalancer-SG
Description: Enter Security group for the Load balancer
VPC: Leave as default
Under Inbound rules, click Add Rule and add the rule as follows.
Type: Select HTTP
Protocol: TCP
Port range: 80
Source: Select Custom, and enter 0.0.0.0/0
Once you have provided the above details, click Create; the security group for the load balancer will be created.
Step 3: Steps to create the Web-servers
Make sure you are in the US East (N. Virginia) Region. Navigate to Instances in the left panel and click Launch instance.
Use the following configuration:
Name: Enter webserver-A
Amazon Machine Image (AMI): Amazon Linux 2 AMI
Instance Type: Select t2.micro
Key pair: Click the Create new key pair button
Key pair name: ServerKey
Key pair type: RSA
Private key file format: .pem
Click the Create key pair button
In Network Settings, click the Edit button:
Auto-assign public IP: Enable
Choose Create security group
Name: Enter webserver-SG
Description: Enter security group for the webserver
To add HTTP, click Add security group rule:
Choose Type: Select HTTP
Source Type: Custom
Source: Choose LoadBalancer-SG
To add SSH:
Choose Type: Select SSH
Source: Choose Anywhere
Click on Advanced Details.
Under the User data section, enter the following script; it installs an Apache HTTPD web server and creates the HTML page it serves.
#!/bin/bash
# User data already runs as root, so no sudo/su is needed
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# Overwrite the default page so each server identifies itself in responses
echo "Response coming from server A" > /var/www/html/index.html
Finally, click Launch Instances.
After a few minutes, you will see a new instance named webserver-A running.
Repeat the above steps to create webserver-B, selecting the existing security group webserver-SG and using the following user data:
#!/bin/bash
# User data already runs as root, so no sudo/su is needed
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# Overwrite the default page so each server identifies itself in responses
echo "Response coming from server B" > /var/www/html/index.html
Step 4: Creating a Load balancer
In the EC2 console, navigate to Target Groups (left panel, under Load Balancing) and click Create target group.
For Step 1, Specify group details, under Basic configuration:
Choose a target group: Choose Instances
Target group name: Enter web-server-TG
Keep all other settings at their defaults.
Health check protocol: HTTP
Health check path: Enter /index.html
Scroll to the end of the page and click Next.
For Step 2, Register targets:
Select both instances and click Include as pending below.
The instances appear in the Review targets section with health status Pending.
Click the Create target group button.
The target group is now created.
In the EC2 console, navigate to Load balancers in the left-side panel.
Click Create load balancer at the top left to create a new load balancer for our web servers. Select Application Load Balancer as the load balancer type.
Configure the Application Load Balancer as below.
For the Basic configuration section,
Name: Enter Web-server-LB
Scheme: Select Internet-facing
IP address type: Choose IPv4
For the Network mapping section:
VPC: Select Default
Mappings: Select all the Availability zones present
For the Security groups section,
Select the LoadBalancer-SG Security group from the dropdown and remove the default security group.
For the Listeners and routing section,
A listener with protocol HTTP and port 80 is already present. For the Default action, select Forward to and choose the target group web-server-TG.
Keep the tags at their defaults and click Create load balancer.
You have successfully created the Application Load balancer. Click on the View load balancers button. Wait for 2 to 3 minutes for the load balancer to become Active.
Step 5: Testing the Load Balancer
Navigate to Load Balancers and select the load balancer you created. Scroll down under Details to find the DNS name, copy it, and paste it into your browser.
Refresh the browser a few times and you will see requests being served by both servers.
The output alternates between Response coming from server A and Response coming from server B.
This shows that load is shared between the two web servers via the Application Load Balancer.
Step 6: Creating an IP set
Click on services and select WAF & Shield under the Security, Identity, & Compliance section.
In the left menu, click IP sets, then click Create IP set.
On the next screen, fill out the following details under Create IP set.
IP set details:
IP set name: Enter MyIPset
Description: Enter IP set to block my public IP
Region: Select US East (N. Virginia)
IP version: Select IPv4
IP address: Enter the public IP of your local network with /32 appended (you can find your public IP at whatismyip.com).
Note: You must append /32 to the pasted IP, or the IP set cannot be created.
Once you have provided the above details, click Create IP set.
Step 7: Creating a Web ACL
Navigate to the AWS WAF dashboard and select Web ACLs. Click on Create web ACL to create a new web ACL.
Configure the ACL as below:
Web ACL details
Name: Enter MywebACL
Description: Enter ACL to block my public IP
Resource type: Select Regional resources (Application Load Balancer and API Gateway)
Region: Select US EAST (N.Virginia)
To associate an AWS resource, click Add AWS resources.
Under Add AWS resources, select Application Load Balancer, choose the name of your ALB, and click Add.
Click Next to reach Add rules and rule groups.
Under Rules, click Add rule and select Add my own rules and rule groups from the drop-down menu.
For Rule type, select IP set as shown below and fill in the details as follows:
Rule type: Select IP set
Name: Enter MywebACL-rule
IP set: Select the IP set created above (MyIPset)
IP address to use as the originating address: Source IP address
Action: Select Block
Once you have provided the above details, click Add rule.
Then click Next.
Leave Set rule priority at its default and click Next.
Leave the Configure metrics section at its defaults too and click Next.
Finally, review all your inputs and click Create web ACL.
Wait 1 or 2 minutes until you see that your web ACL has been created successfully.
You have now created a web ACL for the ALB using an IP set that contains your public IP.
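The same IP set and web ACL from Steps 6 and 7 expressed as a boto3 (wafv2) request, as an added example that is not part of the original guide. It assumes boto3 and AWS credentials for the apply_block helper (hypothetical, named here only), and the ARNs and IP used in comments and tests are constructed placeholders; the first two functions run offline, and the address normalizer enforces the "/32" rule from Step 6.

```python
import ipaddress


def normalize_ipset_addresses(addresses):
    """Return entries in the CIDR form an AWS WAF IP set requires.

    A bare host address such as 203.0.113.7 (constructed sample) becomes
    203.0.113.7/32, matching the page's "/32" note; an entry that already
    carries a prefix is validated and kept. A prefix with host bits set,
    e.g. 203.0.113.7/24, raises ValueError instead of being silently accepted.
    """
    return [str(ipaddress.ip_network(a.strip(), strict=True)) for a in addresses]


def build_block_ipset_web_acl(name, ipset_arn, rule_name="MywebACL-rule"):
    """Build the wafv2 create_web_acl request for Step 7: one rule referencing
    the IP set, source IP as the originating address (no forwarded-IP config),
    action Block, REGIONAL scope for an ALB, and Allow as the default action."""
    metrics = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": [{
            "Name": rule_name,
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}},
            "Action": {"Block": {}},
            "VisibilityConfig": {**metrics, "MetricName": rule_name},
        }],
        "VisibilityConfig": {**metrics, "MetricName": name},
    }


def apply_block(region, my_ip, alb_arn, ipset_name="MyIPset", acl_name="MywebACL"):
    """Create the IP set and web ACL and attach the ACL to the ALB (hypothetical
    helper; needs boto3 and credentials, so it is not exercised offline)."""
    import boto3  # imported lazily so the pure functions above run without it

    waf = boto3.client("wafv2", region_name=region)  # must match the ALB's region
    ipset = waf.create_ip_set(
        Name=ipset_name, Scope="REGIONAL", IPAddressVersion="IPV4",
        Addresses=normalize_ipset_addresses([my_ip]),
    )["Summary"]
    acl = waf.create_web_acl(**build_block_ipset_web_acl(acl_name, ipset["ARN"]))["Summary"]
    waf.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=alb_arn)
    return acl["ARN"]
```

Removing the address from the IP set later (Step 9) is an update_ip_set call with the remaining Addresses and the set's current LockToken.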
Step 8: Testing the working of the WAF
To test the WAF, navigate to Load Balancers in the EC2 left menu under Load balancing.
Under the Load balancer section, select the application load balancer Web-server-LB.
Scroll down under Details to find the DNS name, copy it, and paste it into your browser.
Example: web-server-lb-1826495123.us-east-1.elb.amazonaws.com
You will get a 403 Forbidden error, showing that WAF blocked your connection to the ALB.
Step 9: Unblocking the IP
To unblock the IP, navigate to IP sets and click MyIPset. Select your public IP and click Delete.
Type delete in the confirmation box and click Delete.
You have now removed the IP from WAF. Wait a few minutes.
Then navigate to Load Balancers in the EC2 left menu under Load balancing.
Under the Load balancer section, select the application load balancer Web-server-LB.
Copy the DNS name under Description and paste it into your browser.
You will get a response from the web servers, either Response coming from server A or Response coming from server B, as shown below:
You're all done! Congratulations!
Stay tuned for more detailed insights and continuous updates.
That's all for today; see you in the next one.