CDP:WAF Proxy Pattern

From AWS-CloudDesignPattern
Revision as of 00:39, 28 November 2012 by Cdpadmin (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Architect

Effective Use of a Costly Web Application Firewalls

Contents

Problem to Be Solved

Websites that handle sensitive personal information (such as credit card information), such as as e-commerce sites, for example, usually use a web application firewall (WAF) to increase security. However, in AWS Cloud, most of the systems start small, and in most cases no consideration has been given to implementing WAF. There are also many systems that assume that servers will be added or removed through scale-out/in, making the implementation of WAF difficult because it is not possible to define how many licenses will be required.

Explanation of the Cloud Solution/Pattern

Because in the past the WAF was purchased after determining the number of servers, the number of WAF units installed was also unchanging, and thus this has not been a particular problem. However, in the AWS Cloud environment, which allows the number of servers to be increased or decreased at any time, installation of WAF in these servers is not practical; on the other hand, you can install a proxy server upstream and install WAF there. You can structure a proxy server so that only the WAF functions, making it possible to run with a small number of units, thus making it possible to operate with a minimal number of licenses.

Implementation

Locate a proxy server between the EC2 instances and the ELB, and install WAF there. You may install multiple units for redundancy.

  • Prepare a proxy server (an EC2 instance) with WAF installed, between the ELB and the EC2 instances.
  • If necessary, implement in the proxy server middleware for distributing the load, such as HAProxy.

Configuration

2XNdewVsgellO3x8-87A06.png

Benefits

  • This lets you implement WAF without touching the web/AP servers.
  • The number of WAF licenses required is not the number of web/AP servers, but rather is a smaller number, the number of proxy servers.

Cautions

  • Prepare multiple proxy servers as well so as to not make a single point of failure (SPOF).
  • Because the web/AP servers are positioned indirectly relative to the ELB, when increasing or decreasing the number of servers, Auto Scaling will be unable to use the function for attaching the EC2 instances to the ELB automatically.
Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox