AWS Web Application Firewall Grows Protection with Application Load Balancer Coverage

  • December 19, 2016
AWS recently announced the expansion of the AWS Web Application Firewall (WAF) to include coverage for application load balancers. Working with a wide variety of organizations to design and build secure applications within the AWS cloud, we frequently call upon WAF as a critical component of our solution. In fact, we were recently recognized for having achieved AWS Service Delivery Partner Status for AWS WAF.

Before we walk through what this AWS news means and why the AWS security experts here at Flux7 are looking forward to it, let’s do a quick review of the two technologies at play. First, AWS WAF is a service that lets you monitor web requests and protect your web applications from malicious requests. We use WAF in our engagements to block or allow requests based on rules that we create. For example, we can block specific IP addresses or what would be non-human patterns of behavior, potentially indicative of DDoS attacks. Amazon Web Application Firewall also comes with preconfigured protections to block common attacks like SQL injection or cross-site scripting.

Joining WAF in this announcement are Application Load Balancers, which are a load balancing option that operates at the application layer. Application load balancing allows users to define routing rules based on content across multiple services or containers running on one or more EC2 instances.

Historically, you could only use Amazon WAF if you were using Amazon CloudFront. Although this represents a reasonable architecture, it has a notable limitation: the application has to be configured to use CloudFront. While this in and of itself is not a major challenge, our AWS Security consultants have run into issues (more than once) with older legacy applications whose cookie management does not always get along nicely with CloudFront. We have overcome this challenge by working directly with developers to fix their applications so that their cookie management works with CloudFront.

The announcement that WAF will now work with application load balancers (both internal and external) completely releases us from the CloudFront requirement and the need to work with application developers on cookie management. In addition to saving time and work on that front, we can also now use WAF more heavily, knowing we will not run into these issues. This is terrific news, as we often work with organizations that have stringent security needs and significant compliance requirements, where deep protection is not just needed, but required.

As a WAF Service Delivery Partner, we are looking forward to using WAF with application load balancers to ensure compliance and further our WAF service, helping customers implement AWS WAF to protect their web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS Web Application Firewall is part of Flux7 best practice architectures that are designed and built to achieve development and operational productivity, security and availability. In fact, AWS WAF has been an integral part of several mission-critical deployments by Flux7 where PCI Tier-1 and HIPAA standard compliance was required.

If you are interested in learning more about protecting your AWS environment with AWS WAF and other AWS security best practices, please read more on our Security with Agility page. 
