← Back to Labs
Advanced01:00:00

Blocking web traffic with WAF in AWS

Task 1Task 2Task 3Task 4Task 5Task 6Task 7Task 8Task 9Task 10
Task 1

Task 1: Sign in to the AWS Management Console

↑ Top
  1. Click on the open console button, and you will get redirected to the AWS Console in a new browser tab.
  2. On the AWS sign-in page, Leave the Account ID as default. Never edit/remove the 12-digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in the AWS Console and click on the Sign in button.
  3. On the AWS sign-in page,
  4. Leave the Account ID as default. Never edit/remove the 12-digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.
  5. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in the AWS Console and click on the Sign in button.
  6. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.
  7. Select Maybe later in the New AWS Console Home page pop-up
Task 2

Task 2: Creating a Security group for the Load balancer

↑ Top
  1. Navigate to the EC2 Dashboard and scroll down to Security Groups. In the left menu, click on Create security group.
  2. Configure the security group as follows:
  3. Security group name: Enter LoadBalancer-SG
  4. Description: Enter Security group for the Load balancer
  5. VPC: Leave as default
  6. In Inbound rules, Click on Add Rule and add the port as follows.
  7. Type: Select HTTP
  8. Protocol: TCP
  9. Port range: 80
  10. Source: Select Anywhere-IPv4, and enter 0.0.0.0/0
  11. Once you provide the above details, click on Create and the security group for the load balancer will be created.
Task 3

Task 3: Steps to create the Web-servers

↑ Top
  1. Make sure you are in the US East (N. Virginia) Region.
  2. Navigate to Instances on the left panel and click on Launch instance.
  3. Name: Enter webserver-A
  4. For Amazon Machine Image (AMI): Search for Amazon Linux 2023 kernel-6.1 AMI in the search box and click on the select button.
  5. Task 3: Steps to create the Web-servers
  6. Instance Type: Select t2.micro
  7. Task 3: Steps to create the Web-servers
  8. For Key pair: Select Create a new key pair Button Key pair name: WhizKey Key pair type: RSA Private key file format: .pem
  9. For Key pair: Select Create a new key pair Button
  10. Key pair name: WhizKey
  11. Key pair type: RSA
  12. Private key file format: .pem
  13. Select the Create key pair Button.
  14. In Network Settings Click on the Edit button:
  15. Auto-assign public IP: Enable
  16. Choose Create security group Name: Enter webserver-SG Description: Enter security group for the webserver
  17. Choose Create security group
  18. Name: Enter webserver-SG
  19. Description: Enter security group for the webserver
  20. To add HTTP Click on Add security group rule Choose Type: Select HTTP Source Type: Custom Source: Choose LoadBalancer-SG
  21. To add HTTP Click on Add security group rule
  22. Choose Type: Select HTTP
  23. Source Type: Custom
  24. Source: Choose LoadBalancer-SG
  25. To add SSH Choose Type: Select SSH Source: Choose Anywhere
  26. To add SSH
  27. Choose Type: Select SSH
  28. Source: Choose Anywhere
  29. Click on Advanced Details.
  30. Under the User data section, enter the following script to create an HTML page served by an Apache HTTPD web server.
  31. Click on Launch Instances.
  32. After a few minutes, you will see a new instance named webserver-A running.
  33. Repeat the above steps to create Webserver-B by selecting the existing security group webserver-SG providing the following details.
  34. Kindly select the same key-pair (as in you have created for previous instance (Webserver-A) to Webserver-B instance.
  35. Navigate to the EC2 Dashboard to find the two instances (webserver-A and webserver-B) running.
  36. Task 3: Steps to create the Web-servers
Task 4

Task 4: Creating a Load balancer

↑ Top
  1. In the EC2 Console, Navigate to Target Groups, present in the left panel under Load Balancing.
  2. Click on the Create target group.
  3. For Step 1, Specify group details
  4. Under Basic configurations, Choose a target group: Choose Instances Target group name: Enter web-server-TG
  5. Under Basic configurations,
  6. Choose a target group: Choose Instances
  7. Target group name: Enter web-server-TG
  8. Keep all the settings as default.
  9. Health check protocol: HTTP
  10. Health check path: Enter /index.html
  11. Scroll to the end of the page and click on the Next button.
  12. For Step 2, Register targets Select both instances and click on the Include as pending below button. Instances will be present in the Review targets part, having health status as Pending. Click on the Create target group button.
  13. For Step 2, Register targets
  14. Select both instances and click on the Include as pending below button.
  15. Instances will be present in the Review targets part, having health status as Pending.
  16. Click on the Create target group button.
  17. The Target group is now created.
  18. In the EC2 console, navigate to Load balancers in the left-side panel.
  19. Click on create load balancer at the top-left to create a new load balancer for our web servers.
  20. Select Load Balancer Type: Under the Application load balancer, click on the Create button.
  21. To create an Application load balancer, configure the load balancer as below For the Basic configuration section, Name: Enter Web-server-LB Scheme: Select Internet-facing IP address type: Choose IPv4 For the Network mapping section: VPC: Select Default Mappings: Select all the Availability zones present For the Security groups section, Select the LoadBalancer-SG Security group from the dropdown and remove the default security group. For the Listeners and routing section, The listener is already present with Protocol HTTP and Port 80. Select the target group web-server-TG for the Default action forwards to option.
  22. To create an Application load balancer, configure the load balancer as below
  23. For the Basic configuration section, Name: Enter Web-server-LB Scheme: Select Internet-facing IP address type: Choose IPv4
  24. For the Basic configuration section,
  25. Name: Enter Web-server-LB
  26. Scheme: Select Internet-facing
  27. IP address type: Choose IPv4
  28. For the Network mapping section: VPC: Select Default Mappings: Select all the Availability zones present
  29. For the Network mapping section:
  30. VPC: Select Default
  31. Mappings: Select all the Availability zones present
  32. For the Security groups section, Select the LoadBalancer-SG Security group from the dropdown and remove the default security group.
  33. For the Security groups section,
  34. Select the LoadBalancer-SG Security group from the dropdown and remove the default security group.
  35. For the Listeners and routing section,
  36. The listener is already present with Protocol HTTP and Port 80. Select the target group web-server-TG for the Default action forwards to option.
  37. The listener is already present with Protocol HTTP and Port 80.
  38. Select the target group web-server-TG for the Default action forwards to option.
  39. Keep the tags as default and click on the Create load balancer button.
  40. You have successfully created the Application Load balancer. Click on the View load balancers button.
  41. Wait for 2 to 3 minutes for the load balancer to become Active.
  42. Task 4: Creating a Load balancer
Task 5

Task 5: Testing the Load Balancer

↑ Top
  1. Navigate to Load Balancers and select the load balancer that you created. Under details scroll down you will be able to see the DNS name, copy the DNS name and paste it into the browser
  2. Task 5: Testing the Load Balancer
  3. Refresh the browser a few times and you will see the request is serving from both servers. You will see the output as RESPONSE COMING FROM SERVER A & RESPONSE COMING FROM SERVER B. This shows that load is shared between the two web servers via the Application Load Balancer.Note: Remove 's' from the https in the dns name if you couldn't able to see the webpage.
  4. Refresh the browser a few times and you will see the request is serving from both servers. You will see the output as RESPONSE COMING FROM SERVER A & RESPONSE COMING FROM SERVER B. This shows that load is shared between the two web servers via the Application Load Balancer.
  5. Note: Remove 's' from the https in the dns name if you couldn't able to see the webpage.
  6. Task 5: Testing the Load Balancer
Task 6

Task 6: Creating an IP set

↑ Top
  1. Click on services and select WAF & Shield under the Security, Identity, & Compliance section.
  2. On the left side, you will be able to see the IP sets menu. Click on IP sets and click on Create IP sets.
  3. On the next screen, fill out the following details under Create IP set.
  4. IP set details: IP set name: Enter MyIPset Description: Enter IP set to block my public IP Region: Select US EAST (N.Virginia ) IP Version: Select IPv4 IP address: Enter the IP of your local network/32 from https://www.whatismyip.com/. Note: You have to give /32 after the IP is pasted or else you won't be able to create an IP set.
  5. IP set details:
  6. IP set name: Enter MyIPset
  7. Description: Enter IP set to block my public IP
  8. Region: Select US EAST (N.Virginia )
  9. IP Version: Select IPv4
  10. IP address: Enter the IP of your local network/32 from https://www.whatismyip.com/.
  11. Note: You have to give /32 after the IP is pasted or else you won't be able to create an IP set.
  12. Once you have provided the above details, click on Create IP set
Task 7

Task 7: Creating a Web ACL

↑ Top
  1. Web ACL details
  2. Navigate to the AWS WAF dashboard and scroll down and select Switch to the Old WAF Console. Click on Create web ACL to create a new web ACL.
  3. Navigate to the AWS WAF dashboard and scroll down and select Switch to the Old WAF Console.
  4. Task 7: Creating a Web ACL
  5. Click on Create web ACL to create a new web ACL.
  6. Task 7: Creating a Web ACL
  7. Configure the ACL as below: Web ACL details
  8. Configure the ACL as below:
  9. Web ACL details
  10. Resource type: Select Regional resources (Application Load Balancer and API Gateway)
  11. Region: Select US EAST (N.Virginia)Name: Enter MywebACLDescription: Enter ACL to block my public IP
  12. Region: Select US EAST (N.Virginia)
  13. Name: Enter MywebACL
  14. Description: Enter ACL to block my public IP
  15. Task 7: Creating a Web ACL
  16. To associate an AWS resource, click on Add AWS resources
  17. In Add AWS resources select Application Load Balancer and select the name of ALB. Click on Add
  18. Task 7: Creating a Web ACL
  19. Lastly, click on the Next button
  20. Add rules and rule groups
  21. Under Rules click on Add rule and select Add my own rules and rule groups in the drop-down menu.
  22. Task 7: Creating a Web ACL
  23. In Rule type select IP set as shown below and fill in the details as given below: Rule type: Select IP set Name: Enter MywebACL-rule IP set: select the IP set created Above ( MyIPset ) IP address to use as the originating address: Source IP address Action: Select Block
  24. In Rule type select IP set as shown below and fill in the details as given below:
  25. Rule type: Select IP set
  26. Name: Enter MywebACL-rule
  27. IP set: select the IP set created Above ( MyIPset )
  28. IP address to use as the originating address: Source IP address
  29. Action: Select Block
  30. Once you provide the above details, click on the Add rule.
  31. Task 7: Creating a Web ACL
  32. Lastly, click on the Next button
  33. Set rule priority
  34. Leave as default and click on Next.
  35. Configure metrics
  36. Leave as default and click on Next.
  37. Review and create web ACL
  38. Review all your inputs and click on Create web ACL
  39. Wait for 1 to 2 minutes until you will see that your web ACL is successfully created.
  40. Task 7: Creating a Web ACL
  41. You have successfully created a web ACL for ALB with the help of an IP set created with your public IP.
Task 8

Task 8: Testing the working of the WAF

↑ Top
  1. To test the WAF, navigate to Load Balancers from the EC2 left menu under the sub-heading Load balancing
  2. Under the Load balancer section, select the Application load balancer Web-server-LB.
  3. Copy the DNS name Under details scroll down you will be able to see the DNS name copy it and paste it in your desired browser.
  4. Example: web-server-lb-1903855210.us-east-1.elb.amazonaws.com
  5. Task 8: Testing the working of the WAF
  6. You will get a 403 forbidden error showing that WAF blocked your connection to ALB.
  7. Task 8: Testing the working of the WAF
Task 9

Task 9: Unblocking the IP

↑ Top
  1. Click on services and select WAF & Shield under the Security, Identity, & Compliance section.
  2. On the left side, Click IP sets menu.
  3. To unblock the IP, navigate to IP sets and click on MyIPset. Select your public IP and then click on Delete
  4. Task 9: Unblocking the IP
  5. Type delete in the confirmation box and click on Delete.
  6. You have successfully removed the IP from WAF.
  7. Wait for a few minutes.
  8. Navigate to Load Balancers from the EC2 left menu under the sub-heading Load balancing
  9. Under the Load balancer section, select the Application load balancer Web-server-LB.
  10. Copy the DNS name under Description and paste it into your desired browser.
  11. Example: web-server-lb-1903855210.us-east-1.elb.amazonaws.com
  12. You will get the response from the web servers either stating RESPONSE COMING FROM SERVER A or RESPONSE COMING FROM SERVER B as shown below:
  13. Task 9: Unblocking the IP
  14. Web Application Firewall (WAF): A Web Application Firewall is a security service that sits between a web application and its users, inspecting and filtering incoming web traffic. In the context of AWS, the AWS WAF service provides this functionality. It helps protect web applications by examining HTTP/HTTPS requests and applying a set of predefined rules or custom rule configurations to block, allow, or filter traffic based on specified criteria.
Task 10

Task 10: Validation Test

↑ Top
  1. Once the lab steps are completed, please click the validation button on the right side panel.
  2. This will validate the resources in the AWS account and display whether you have completed this lab successfully or not.
  3. Sample output :
  4. Task 10: Validation Test
  5. You have successfully created an IP set using your public IP.
  6. You have successfully created a web ACL rule using an IP set and application load balancer (ALB).
  7. You have successfully tested the working of the ALB after implementing a WAF, blocking the web request to the ALB from your local network.
  8. You deleted the IP set and tested the working of the ALB.
  9. Sign out from the AWS Account.
  10. You have successfully completed the lab.
  11. Once you have completed the steps click on end Lab from the lab console
← Back to Labs