How I Set Up AWS WAF for a Lightsail Instance
We needed to put AWS WAF in front of one of our WordPress sites. I created a web ACL in the WAF console, but when listing the resources to associate it with I realised that WAF can only be integrated with an ALB or CloudFront. So I met this requirement with the following steps.
Step 1. Create an ALB in the default VPC in AWS. If you don't have a default VPC, see https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#create-default-vpc . Since AWS Regions are isolated from one another, a VPC is also isolated in the region where you created it, so you'll need to enable VPC peering in each region where you have Lightsail resources.
For creating the ALB, see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html
Things to keep in mind while creating the load balancer:
- The load balancer scheme should be internet-facing, as this is a public website.
- For an HTTPS listener you'll need an SSL/TLS certificate issued in AWS Certificate Manager.
- The HTTP and HTTPS ports must be open in the load balancer's security group.
Step 2. Enable VPC peering in Lightsail.
- In the Lightsail console, choose Account on the top navigation menu.
- Choose Account from the drop-down.
- Choose the Advanced tab.
- Choose Enable VPC peering under the AWS Region where you want to enable it.
Step 3. Create a target group with target type "Other private IP address" pointing to the private IP of your Lightsail instance.
To create a target group using the console:
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, under LOAD BALANCING, choose Target Groups.
- Choose Create target group.
- For Choose a target type, select Instances to register targets by instance ID, IP addresses to register targets by IP address, or Lambda function to register a Lambda function as a target.
- For Target group name, type a name for the target group. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen.
- For Protocol and Port, modify the default values as needed. Here it is TCP and port 80.
- Since the target type here is IP addresses, choose IPv4 as the IP address type.
- Choose Other private IP addresses.
- Enter the IP address manually, or find it using the instance details. The IP address we provide is our Lightsail instance's private IP. To get the private IP of the Lightsail instance, run
- Enter the ports for routing traffic to the specified IP addresses. Here we use port 80.
- Choose Include as pending below.
- Choose Create target group.
See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html.
Step 4. Now attach the target group you created to the ALB.
Create a rule in the ALB listener that forwards to the target group containing the Lightsail private IP.
Now add a DNS record for the load balancer so that traffic is routed through it.
As the website now uses the ALB, we can create a web ACL and attach it to the load balancer.
Step 5. Create a web ACL in AWS WAF
- In the WAF console, choose Web ACLs, or click Create web ACL on the WAF dashboard.
- Provide a name and description; the CloudWatch metric name is set up based on the name provided.
- For Resource type, choose Regional resources, as an ALB is a regional resource.
- Click Add AWS resources in the Associated AWS resources tab to add the ALB created earlier.
- Next, select the rules. You can add managed rules and also set a priority for the rules added.
- After adding the rules, set the priority for each of them.
- Click Next and review the attributes. Once done reviewing, click Create web ACL.
Now, to check whether the web ACL is attached, you can use nmap with its http-waf-detect script:
nmap -p80 --script http-waf-detect <host>
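The nmap probe only tells you a WAF answered on the hostname; it does not confirm the target group, the ACL association and the Lightsail firewall are wired as Steps 3 to 5 intend. The following is an added example (not code from the original post) that checks exactly that from the raw API responses, so the logic runs offline; the live wrapper assumes boto3 is installed and that the ARN, private IP and instance name placeholders are filled in. Because the web ACL only inspects requests arriving through the ALB, it also reports web ports the Lightsail firewall still opens to the whole internet, which would let traffic reach the instance without passing the WAF.

```python
# Added example, not from the original post. Pure functions take the raw
# boto3 responses so they can be exercised offline with constructed data.
import ipaddress


def target_group_registered(target_health, private_ip, port=80):
    """True if private_ip:port is registered *and healthy* in the target group.

    target_health is the response of elbv2 describe_target_health()."""
    for desc in target_health.get("TargetHealthDescriptions", []):
        target = desc["Target"]
        if target["Id"] == private_ip and target.get("Port") == port:
            return desc["TargetHealth"]["State"] == "healthy"
    return False


def web_acl_attached(acl_for_resource):
    """True if wafv2 get_web_acl_for_resource() reports an associated ACL.

    When nothing is associated the response carries no usable WebACL entry."""
    return bool(acl_for_resource.get("WebACL", {}).get("ARN"))


def lightsail_bypass_ports(port_states, web_ports=(80, 443)):
    """Web ports the Lightsail firewall still opens to the whole internet.

    port_states is the 'portStates' list from lightsail get_instance_port_states().
    A /0 CIDR (IPv4 or IPv6) on an open rule covering a web port means the
    instance is reachable directly, skipping the ALB and therefore the WAF."""
    exposed = set()
    for rule in port_states:
        if rule.get("state") != "open":
            continue
        cidrs = rule.get("cidrs", []) + rule.get("ipv6Cidrs", [])
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            for p in web_ports:
                if rule["fromPort"] <= p <= rule["toPort"]:
                    exposed.add(p)
    return sorted(exposed)


def run_live_checks(alb_arn, target_group_arn, private_ip, instance_name):
    """Fetch the three responses with boto3 (assumed installed) and report.

    Placeholders to fill in: alb_arn, target_group_arn, private_ip, instance_name."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    elbv2, wafv2, ls = (boto3.client(n) for n in ("elbv2", "wafv2", "lightsail"))
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    acl = wafv2.get_web_acl_for_resource(ResourceArn=alb_arn)
    ports = ls.get_instance_port_states(instanceName=instance_name)["portStates"]
    return {"target_healthy": target_group_registered(health, private_ip),
            "web_acl_attached": web_acl_attached(acl),
            "waf_bypass_ports": lightsail_bypass_ports(ports)}
```

An empty `waf_bypass_ports` list together with the other two checks passing means every HTTP request must traverse the ALB and its web ACL.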