In this blog, we will show the steps to create a WAF that enforces geographic restrictions.
PREREQUISITES
- AWS subscription.
WEB APPLICATION FIREWALL (WAF) OVERVIEW
- WAF works with Conditions, Rules, Web ACLs and Associations. Please check the overview image below.
- WAF offers six condition types, including Cross-site scripting, Geo match, IP addresses, SQL injection, and String and regex matching.
- Once the conditions are defined, you add rules that combine them with AND logic. Two rule types are available: Regular rule and Rate-based rule.
- The next step is to configure a Web ACL to allow, deny, or count requests based on the rule.
- Finally, we need to decide which resource to associate the above three entities with. WAF cannot be associated directly with EC2 instances; it is associated through an ALB (Application Load Balancer) or CloudFront. For more information, please refer to this URL: https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/overview.html
- For demo purposes, we installed IIS on a Windows EC2 instance with a simple webpage.
- We have also created a VPC with 2 subnets in different availability zones.
CREATING LOAD BALANCER
- Open the EC2 page and click on the Load Balancer link.
- Click on the Create Load Balancer link.
- Then select the load balancer type as Application Load Balancer.
- Provide the name for the load balancer and scheme type as Internet-facing. Also, select the IP address type as IPv4.
- Add the listener type as HTTP 80.
Note: By default, an ALB (Application Load Balancer) requires two subnets in different availability zones.
- Select the availability zones from the list and click Next.
- You can ignore this for testing purposes. Click Next.
- Create (or) select existing network security groups and allow port 80.
- To configure the ALB routing method, create a new target group with target type Instance, protocol HTTP and port 80. Leave the remaining options as default and move to the Register Targets page.
- Select the instance to add to the registered list and click on the Add to registered button.
- Make sure that your instance is available under Registered Targets.
- Review the settings and click on the create button.
- The load balancer is created successfully.
- It will take a few minutes for the ALB status to change to active.
- Browse to the ALB DNS name and confirm whether it is working.
CREATING WEB APPLICATION FIREWALL (WAF)
- Go to AWS services and search for WAF & Shield.
- Click on Go to AWS WAF button.
- Under the Conditions section, click on Geo match.
- Click on create condition button.
- Provide a name and select the region where your application load balancer resides. We use Singapore region for this demo.
- Under filter settings, select from the drop-down list the country that is allowed to access your website. Then click on Add location.
- Confirm the settings and click on create button.
- Geo condition added successfully.
- Now click on Rules option.
- Click on create rule button.
- Provide the Name, Rule type & Region.
- Under conditions, select the geographic location condition. Then click on the create button.
- The rule is created successfully.
- Click on Web ACLs link.
- To create a new web ACL, click on create web ACL button.
- Provide a name for Web ACL and select the resource type to associate the web ACL as Application Load Balancer.
- Select the load balancer from the drop-down list and click on Next button.
- Verify that the Geo condition is selected, then click on the Next button.
- Select the rule from the drop-down list and click on Add rule to web ACL.
- Select the action as per your requirement. For this demo, we select the Allow option. Then set the default action to Block all requests that don’t match any rules.
- Verify the settings and click on create button.
- The Web ACL is created successfully.
- You will be able to access the ALB URL from the India region.
- You will get a Forbidden error when trying to access the URL from outside India.
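The same condition, rule, Web ACL and ALB association expressed as Terraform, using the AWS provider's WAF Classic regional resources. This is an added example and not part of the original blog; the resource names, the Singapore region and the `aws_lb.demo` reference to the ALB created above are assumptions.

```hcl
# Added example (not from the post): WAF Classic aws_wafregional_* resources
# mirroring the console steps. Names, region and aws_lb.demo are assumptions.
provider "aws" {
  region = "ap-southeast-1" # Singapore, where the demo ALB resides
}

# Condition: geo match set holding the one country allowed to reach the site
resource "aws_wafregional_geo_match_set" "allowed_countries" {
  name = "allow-india-geo-match"
  geo_match_constraint {
    type  = "Country"
    value = "IN"
  }
}

# Rule: regular rule whose only predicate is the geo match condition above
resource "aws_wafregional_rule" "allow_india" {
  name        = "allow-india-rule"
  metric_name = "allowIndiaRule"
  predicate {
    type    = "GeoMatch"
    data_id = aws_wafregional_geo_match_set.allowed_countries.id
    negated = false
  }
}

# Web ACL: ALLOW requests matching the rule, BLOCK everything else. The default
# action enforces the restriction; with a default of ALLOW the rule is a no-op.
resource "aws_wafregional_web_acl" "geo_restrict" {
  name        = "geo-restrict-acl"
  metric_name = "geoRestrictAcl"
  default_action {
    type = "BLOCK"
  }
  rule {
    priority = 1
    rule_id  = aws_wafregional_rule.allow_india.id
    action {
      type = "ALLOW"
    }
  }
}

# Association: attach the web ACL to the ALB (assumed defined elsewhere as
# aws_lb.demo); WAF cannot be attached to EC2 instances directly.
resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = aws_lb.demo.arn
  web_acl_id   = aws_wafregional_web_acl.geo_restrict.id
}
```

After `terraform apply`, requests from India reach the site and requests from elsewhere receive the Forbidden response described in the last two steps.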
Thanks for reading this blog. We hope it was useful for learning the steps to create a WAF that enforces geographic restrictions.