CDP:WAF Proxy Pattern
Effective Use of Costly Web Application Firewalls
Problem to Be Solved
Websites that handle sensitive personal information, such as credit card data (e-commerce sites, for example), usually deploy a web application firewall (WAF) to improve security. In the AWS Cloud, however, most systems start small, and in many cases no thought has been given to deploying a WAF. Many systems also assume that servers will be added and removed through scale-out and scale-in, which makes WAF deployment difficult because the number of licenses required cannot be fixed in advance.
Explanation of the Cloud Solution/Pattern
In the past, a WAF was purchased after the number of servers had been decided, so the number of WAF units installed never changed and this was not a particular problem. In the AWS Cloud, where the number of servers can be increased or decreased at any time, installing a WAF on each of those servers is not practical. Instead, you can place a proxy server upstream of them and install the WAF there. The proxy server can be built so that it does nothing but run the WAF, which lets it operate with a small number of units and therefore a minimal number of licenses.
Place proxy servers between the ELB and the EC2 instances, and install the WAF on them. Multiple units may be installed for redundancy.
- Prepare a proxy server (an EC2 instance) with the WAF installed, between the ELB and the EC2 instances.
- If necessary, install load-distributing middleware such as HAProxy on the proxy server.
- This lets you implement the WAF without touching the web/AP servers.
- The number of WAF licenses required is not the number of web/AP servers but the smaller number of proxy servers.
- Prepare multiple proxy servers as well, so that the proxy does not become a single point of failure (SPOF).
- Because the web/AP servers sit behind the proxy rather than directly behind the ELB, Auto Scaling cannot use its function for automatically attaching EC2 instances to the ELB when the number of servers is increased or decreased; newly added servers therefore have to be registered with the proxy instead.
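As an added example (not from the original page or the CDP authors), the HAProxy part of such a proxy server, covering the load-distribution middleware mentioned above and the Auto Scaling caution in the last point. All addresses and hostnames are constructed placeholders, and the WAF product's own configuration on the same host is out of scope.

```haproxy
# Constructed example for the WAF proxy host; not part of the original pattern page.
# Assumed addresses (all made up): the ELB forwards HTTP to 10.0.1.10:8080 on
# this proxy, and the web/AP servers are 10.0.2.11 and 10.0.2.12 on port 80.
# The WAF product itself is configured separately on this host.
global
    log /dev/log local0
    maxconn 4096
    user haproxy
    group haproxy

defaults
    mode http
    log global
    option httplog
    # Append the client address to X-Forwarded-For (the ELB already set it);
    # the WAF and web/AP logs need the real client IP, not the proxy's.
    option forwardfor except 127.0.0.0/8
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Only the ELB should reach this frontend: bind to the private address and
# keep the security group limited to the ELB's source.
frontend from_elb
    bind 10.0.1.10:8080
    # ELB health check target: report this proxy unhealthy when it has no
    # live backend, so the ELB drops it instead of letting it answer 503s.
    monitor-uri /haproxy-health
    monitor fail if { nbsrv(web_ap) lt 1 }
    default_backend web_ap

backend web_ap
    balance roundrobin
    option httpchk GET /health HTTP/1.1\r\nHost:\ www.example.com
    # Caution from the pattern: these servers are behind the proxy, not the
    # ELB, so Auto Scaling does not register them here automatically. This
    # list must be regenerated when instances are added or removed (for
    # example by a script reacting to Auto Scaling events) and HAProxy reloaded.
    server web01 10.0.2.11:80 check inter 5s fall 3 rise 2
    server web02 10.0.2.12:80 check inter 5s fall 3 rise 2
```

Two or more proxy hosts with this configuration, each registered with the ELB, give the redundancy the pattern calls for while the WAF license count stays at the number of proxies.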