1

Basically my question is: Based on what I've read, my impression was that the flow goes ALB -> WAF, not WAF -> ALB, since the ALB is the one listening on the public IP and you can't have a WAF without an ALB (unless you're doing it through CloudFront). Is this true? When checking other designs, WAF always comes first and then the ALB. So I'm not clear on what's happening at the network level.

I would like to have a detailed explanation if possible with doc source.

Thanks,

apokryfos
gcg27

1 Answer

2

Found the answer: “As the underlying service receives requests for your web sites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define.” From the statement, packets will hit your ALB first and be forwarded to WAF, which in turn will inspect the request/packet before giving a verdict based on your defined rules.

gcg27
  • Well, that's a confusing question and a confusing answer to it. WAF doesn't have any public IP, whether it's ALB or CloudFront; both the ALB (data plane EC2s) and CloudFront (POP) receive the request, forward it to the WAF servers, get a result back and proceed further. – James Dean Mar 28 '21 at 14:59
  • https://aws.amazon.com/waf/faqs/ "How does AWS WAF block or allow traffic?" – Alexander Feb 03 '22 at 16:52
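The way this shows up in infrastructure code matches the answer and the comment above: a web ACL is not a hop with its own address that you put "in front of" the load balancer; it is a regional resource that you associate with the ALB, and the ALB calls WAF for each request it receives. The Terraform snippet below is an added illustration, not code from the question, the answer, or AWS documentation. It assumes a hypothetical existing ALB resource named `aws_lb.app` in the same region, and the resource/metric names are made up for the example.

```hcl
# Added example (not from the original post). Assumes an existing
# application load balancer declared elsewhere as aws_lb.app.
#
# scope = "REGIONAL" is required for ALB, API Gateway and AppSync
# associations. A web ACL meant for CloudFront uses scope = "CLOUDFRONT",
# must live in us-east-1, and is attached through the distribution's
# web_acl_id attribute rather than an association resource.
resource "aws_wafv2_web_acl" "alb_acl" {
  name  = "alb-web-acl"   # hypothetical name
  scope = "REGIONAL"

  # Requests that match no rule fall through to this action.
  default_action {
    allow {}
  }

  # Rule 1: AWS-managed core rule set (SQLi, XSS, bad bots, etc.).
  # override_action { none {} } keeps each managed rule's own action.
  rule {
    name     = "aws-managed-common"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  # Rule 2: block any source IP that exceeds 2000 requests per 5 minutes.
  rule {
    name     = "rate-limit-per-ip"
    priority = 2

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "alb-web-acl"
    sampled_requests_enabled   = true
  }
}

# This is the whole "placement": the ACL is bound to the ALB's ARN.
# Clients still resolve and connect to the ALB; the ALB consults WAF
# and then forwards allowed requests to its target groups.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn          # hypothetical ALB
  web_acl_arn  = aws_wafv2_web_acl.alb_acl.arn
}
```

Two checks worth doing after applying this: confirm the association with `aws wafv2 get-web-acl-for-resource --resource-arn <alb-arn>`, and make sure nothing can reach the targets without passing through the ALB (target security groups should only allow the ALB's security group), since WAF only sees traffic that the ALB itself receives.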