-1

This is a question for someone who has experience with Barracuda and AWS EB.

If I have a VPC with a single public subnet and I want to protect an EB with this WAF, what is the best way to proceed?

Regards

Néstor
  • Good, actually at first time putting the ELB address as server. Elastic Beanstalk apps are in autoscaling groups, so I don't know how to put it as an "only" server in WAF services. Currently I don't have any EB app passing through Barracuda. – Néstor Jul 15 '15 at 21:57

1 Answer

0

Barracuda WAF has some issues: I had to create a large set of virtual private IPs to use the WAF successfully, and it can't auto-add servers from an auto scaling group.

It's best to put the WAF in front of the ELB of the autoscaling group instead. That relies on static IPs but is otherwise quite good. Make sure to use an instance type large enough for your bandwidth needs.

JennaKO
  • Thank you for your answer. Now my question, based on your answer, is: how do I set the service in the WAF? – Néstor Jul 15 '15 at 22:54
  • They're added in via the WAF's Web interface. It should handle being the HTTPS end point so it can decrypt and scan incoming traffic. – JennaKO Jul 16 '15 at 17:17
  • OK, I know it is via the web interface. What I mean is how to add such a service when it is an EB :) – Néstor Jul 18 '15 at 01:41
  • @Néstor Ok! The Barracuda unfortunately only takes IP addresses for its services, so the trick is getting your EB to use a single static IP the Barracuda can track. That is done using a VPC with private and public IPs and explained a bit better here: https://stackoverflow.com/questions/26390610/static-ip-using-elastic-beanstalk – JennaKO Jul 19 '15 at 16:43
  • So it is doing all EB as single instances? – Néstor Jul 19 '15 at 18:12
  • It can be done via either single instances with an EIP assigned, or ELB instances with an EIP. – JennaKO Jul 19 '15 at 18:14
  • Hmm, I understand. So putting an EIP on the oldest instance from the autoscaling group and changing the termination policies in the autoscaling group to **newest instance** is more or less what you say? But then I have to put the additional instances' internal IPs in the same service when the EB is scaled to more than one instance? – Néstor Jul 21 '15 at 03:26