AWS WAF (Web application firewall)/Web ACL
LAB
STEP1: CREATE VPC
STEP2: CREATE INTERNET GATEWAY
STEP3: NOW ATTACH INTERNET GATEWAY TO VPC
STEP4: NOW CREATE SUBNET
STEP5: NOW SUBNETS HAVE BEEN CREATED
STEP6: we need to save association and add route tables
STEP7: NOW we need to add a route so that the subnet can access the internet
STEP8: STEPS DONE SO FAR
STEP9: NOW CREATE EC2 INSTANCE
STEP10: NOW WE NEED TO CREATE TARGET GROUP
STEP11: NOW TARGET GROUP IS CREATED
STEP12: NOW CREATE APPLICATION LOAD BALANCER
For this we need to create security group
STEP13: ADD THE SECURITY GROUP AND CLICK ON NEXT
STEP14: LOAD BALANCER has been created
STEP15: NOW we need to create WEB APPLICATION FIREWALL.
Go to AWS CONSOLE and SEARCH FOR WAF
STEP16: NOW CLICK on CREATE WEB ACL
STEP17: NOW WE NEED TO ATTACH THE LOAD BALANCER
STEP18: NOW add the LOAD BALANCER
STEP19: NOW we need to add rule groups. These are used to allow or deny
access to the EC2 instance
STEP19: To add rules, we need to go to IP SETS
What is an IP Set in AWS?
Simple Explanation
Think of an IP Set in AWS as a "VIP list" or "blacklist" for your website's door
guard. AWS WAF (Web Application Firewall) is like the guard that protects
your web apps from bad traffic. An IP Set is just a reusable list of IP
addresses (like home addresses on the internet) that tells the guard: "Let
these in" or "Block those out." It's super straightforward – no fancy tech
needed; you group IPs together and plug them into your security rules to
control who accesses your site.
In short: IP Sets help you manage groups of IP addresses easily, so you can
allow trusted visitors or block suspicious ones without rewriting rules every
time.
Detailed Explanation
IP Sets are a feature in AWS WAF, which is a service that helps protect your
web applications (like APIs or websites hosted on CloudFront, API Gateway, or
Application Load Balancers) from common attacks like SQL injection or DDoS.
Specifically, an IP Set is an AWS resource that stores a collection of IP
addresses or ranges of IP addresses in CIDR notation (e.g., [Link]/24 for a
block of IPs). These can be IPv4 or IPv6 addresses.
How They Work:
You create an IP Set and add IPs to it (single IPs like [Link] or
ranges like [Link]/16).
Then, in your WAF rules (called "rule statements"), you reference this
IP Set. For example:
o IP Set Match Statement: WAF checks if the incoming request's
source IP matches anything in your IP Set.
o If it matches, you can set actions like ALLOW (let it through),
BLOCK (stop it), or COUNT (just log it for monitoring).
IP Sets are reusable across multiple rules or Web ACLs (Access Control
Lists), making it efficient for large-scale security.
They support up to thousands of addresses per set (check AWS quotas
for exact limits, like 10,000 for standard sets).
You can manage them via the AWS Console, CLI, API, or even automate
updates with Lambda functions for dynamic blacklists.
Key Features:
Scope: Choose "Regional" for services like ALB or API Gateway, or
"Global" for CloudFront (edge locations).
CIDR Support: AWS WAF handles /1 to /32 for IPv4 and /1 to /128 for
IPv6.
Integration: Works with other WAF features like rate limiting or
managed rules from AWS.
Automation: You can auto-update IP Sets with AWS IP ranges or third-party
feeds (e.g., for blocking known bad actors).
Use Cases:
Whitelisting: Allow only your office IPs to access an admin panel.
Blacklisting: Block IPs from spammers, bots, or countries you don't
serve (though for geo-blocking, WAF has a separate Geo Match
feature).
Incident Response: Quickly add attacker IPs to a set during a
security event.
Compliance: Restrict access to sensitive apps by IP.
Limitations:
Can't use wildcards or hostnames – only IPs/CIDRs.
Quotas apply (e.g., max 100 IP Sets per account per region).
Doesn't inspect encrypted traffic deeply; it's for IP-level matching.
Costs: Charged based on the number of rules and requests processed
(pay-as-you-go).
This keeps things modular: Instead of hardcoding IPs into every rule, you
update one IP Set, and it applies everywhere.
Mnemonic and Tip for Easy Remembering
Mnemonic: "IP SETS = Internet Protection Super Easy Tool for Security."
Picture a "set" like a Lego set – you build a block of IPs, snap it into your WAF
wall, and it fortifies your app instantly.
Tip: To remember, think of it like setting a dinner table: You "set" the IPs
(plates) in a group, and WAF decides who sits (allows) or gets kicked out
(blocks). Always start small – create one set for testing with your own IP, so
you don't lock yourself out!
Step-by-Step Detailed Example: Creating and Using an IP Set to Block Malicious IPs
Let's walk through a real-world example: You're running a web app behind an
ALB and want to block traffic from a suspicious IP range (e.g.,
[Link]/24). We'll create an IP Set for blocking, add it to a Web ACL rule,
and associate with the ALB. I'll assume you're using the AWS Management
Console for simplicity (you can also use CLI, SDK, or CloudFormation).
Step 1: Create an IP Set
Go to the AWS Management Console > Search for "WAF" > Select
"AWS WAF" (make sure you're in the right region, e.g., us-east-1).
In the left navigation pane, under "AWS WAF", click "IP sets".
Click "Create IP set".
Settings:
o Region: Choose "Regional" (for ALB association; use "Global" only
for CloudFront).
o Name: Enter something memorable like "BlockBadIPs".
o Description: "IP ranges to block for security".
o IP version: Select "IPv4" (or IPv6 if needed).
o IP addresses: Add one per line in CIDR format, e.g.,
"[Link]/24" (this blocks 256 IPs in that range).
Click "Create IP set".
Tip: Start small—test with your own IP to see blocking in action (but
don't lock yourself out!).
Step 2: Create a Web ACL
Still in AWS WAF console, in the left pane, click "Web ACLs".
Click "Create web ACL".
Settings:
o Name: "ProtectMyALB".
o Description: "ACL with IP block rule".
o CloudWatch metric name: "ProtectMyALB" (for monitoring).
o Resource type: "Regional resources" (for ALB).
o Associate AWS resources: Skip for now (we'll do this later).
Click "Next".
On the "Add rules and rule groups" page, click "Add my own rules and
rule groups".
Add a Rule:
o Rule type: "Regular rule".
o Name: "BlockBadIPsRule".
o Priority: 1 (lower number = higher priority; rules are evaluated in
order).
o If a request: "Matches the statement".
o Statement: Select "IP set" > Choose your IP Set ("BlockBadIPs")
> IP address to use: "Source IP address" (or "HTTP header" if
using proxies).
o Action: "Block" (this blocks matching IPs; choose "Allow" for
whitelisting).
Click "Add rule" > Then "Next" through defaults (no need for managed
rules unless you want extras).
Review and click "Create web ACL".
Step 3: Associate the Web ACL with Your ALB
In the AWS WAF console, go to your new Web ACL ("ProtectMyALB").
Click "Associated AWS resources" tab > "Add AWS resources".
Select "Application Load Balancer".
Choose your ALB from the list (ensure it's in the same region).
Click "Add".
Alternatively, from the Elastic Load Balancing console:
o Go to EC2 > Load Balancers > Select your ALB.
o In the "Integrated services" tab, under "AWS WAF", click "Edit" >
Choose your Web ACL > Save.
Step 4: Test and Monitor
Send a test request to your ALB from a blocked IP (use a tool like curl
or a VPN to simulate).
Expected: Blocked requests get a 403 Forbidden response.
Monitor: In WAF console, check "Sampled requests" or CloudWatch
metrics for blocked/allowed counts.
Update: To add/remove IPs, edit the IP Set—it auto-updates the Web
ACL.
Cleanup Tip: If testing, disassociate the Web ACL first to avoid issues.
Common Pitfalls and Tips
Region Match: IP Sets and Web ACLs must be in the same region as
your ALB.
Order Matters: Rules in Web ACL are processed top-to-bottom—put
critical ones (like IP blocks) high priority.
Fallback Action: Set the default Web ACL action to "Allow" so non-
matching traffic passes through.
Costs: Minimal—pay per 1,000 requests inspected (~$0.0006) and per
rule (~$1/month).
Advanced: For automation, use AWS CLI: e.g., aws wafv2 create-ip-set
to script IP updates.
This setup is straightforward and scalable. Remember the "IP Shopping List"
tip, and you'll never forget! If you need more (e.g., regex or geo-blocking),
WAF has those too.
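The IP Set explanation and the four steps above, worked through in code. This is an added example, not part of the original lab notes or any AWS sample: it builds the "BlockBadIPsRule" and "ProtectMyALB" definitions in the JSON shape that `aws wafv2 create-web-acl --rules file://rules.json` accepts, and models how the Web ACL evaluates a request (priority order, terminating Block/Allow, non-terminating Count, default action). The ARN, account id and the TEST-NET CIDRs are constructed placeholders.

```python
"""Added example: WAFv2 IP-set rule JSON plus a local model of Web ACL evaluation."""
import ipaddress

# Constructed: contents of the "BlockBadIPs" IP set, keyed by a placeholder ARN.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/BlockBadIPs/PLACEHOLDER-ID"
IP_SETS = {IP_SET_ARN: ["203.0.113.0/24", "198.51.100.7/32"]}


def ip_set_rule(name, priority, ip_set_arn, action="Block", forwarded_header=None):
    """One Web ACL rule as WAFv2 expects it. forwarded_header (e.g. "X-Forwarded-For")
    models the console's "HTTP header" choice for the IP address to use behind a proxy."""
    ref = {"ARN": ip_set_arn}
    if forwarded_header:
        ref["IPSetForwardedIPConfig"] = {"HeaderName": forwarded_header,
                                         "FallbackBehavior": "NO_MATCH", "Position": "FIRST"}
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": ref},
            "Action": {action: {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def web_acl(name, rules, default_action="Allow"):
    """Regional Web ACL body matching Step 2 (default action Allow so unmatched traffic passes)."""
    return {"Name": name, "Scope": "REGIONAL", "DefaultAction": {default_action: {}},
            "Rules": rules,
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def evaluate(acl, ip_sets, client_ip):
    """Local model of evaluation: rules run by ascending Priority; Allow/Block on the
    first IP-set match terminates, Count is recorded and evaluation continues.
    Returns (action, matching rule name or None, list of counted rule names)."""
    addr = ipaddress.ip_address(client_ip)
    counted = []
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        ref = rule["Statement"]["IPSetReferenceStatement"]
        # An IPv6 client never matches an IPv4 CIDR (ipaddress returns False across versions).
        if any(addr in ipaddress.ip_network(cidr) for cidr in ip_sets[ref["ARN"]]):
            action = next(iter(rule["Action"]))
            if action == "Count":
                counted.append(rule["Name"])
                continue
            return action.upper(), rule["Name"], counted
    return next(iter(acl["DefaultAction"])).upper(), None, counted


ACL = web_acl("ProtectMyALB", [ip_set_rule("BlockBadIPsRule", 1, IP_SET_ARN)])

if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.10"):
        print(ip, evaluate(ACL, IP_SETS, ip))  # 203.0.113.45 -> BLOCK, 192.0.2.10 -> ALLOW
```

A blocked request in the real service shows up as a 403 at the ALB and in the Web ACL's sampled requests, which is what the `evaluate` result stands in for here.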
STEP20: NOW create IP SET DETAILS
STEP21: NOW IP SET has been created
STEP22: NOW go back to STEP 20, click on ADD RULES and select ADD MY OWN RULES AND RULE GROUPS
STEP23: NOW SELECT IP SET
STEP24: ONCE DONE CLICK ON ADD RULE
STEP25: Once you click on ADD RULE it will take you to another page;
SELECT THE CHECKBOX
STEP26: ONCE DONE CLICK ON NEXT
SELECT THE RADIO BUTTON and click next
STEP27: once you click on next it will take you to another page;
CLICK NEXT, verify all the details and click on CREATE WEB ACL
STEP28: WEB ACL HAS BEEN CREATED
STEP29: ONCE DONE verify all the details, click on ASSOCIATED AWS
RESOURCES to check whether the load balancer is associated or not, and check the rules