aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Monitor both (ALB and CloudFront) with single solution #191

Closed (kstro21 closed 2 years ago)

kstro21 commented 3 years ago

I have deployed version 3 of the solution, but it seems the parameter EndpointType limits the resource we can monitor choosing between CloudFront and ALB. I've reviewed the template aws-waf-security-automations-firehose-athena.template and there are conditions for creating the AWS::Glue::Table, exactly one for ALB or one for CloudFront, not both.

Describe the feature you'd like

I would like to monitor both (ALB and CloudFront) with a single solution. Is it possible? If I set EndpointType=CloudFront, can I also monitor ALB resources, or do I need to create one stack for each EndpointType?

aijunpeng commented 3 years ago

Thanks for your comments. The out-of-box solution is designed to support one endpoint per solution deployment within the same region and account. Therefore, you will need to deploy one stack for each endpoint to a different region/account if you want to use the out-of-box solution.

kstro21 commented 3 years ago

@aijunpeng thanks for answering.

How many CloudFront distributions can I monitor with the out-of-box solution?

aijunpeng commented 3 years ago

For the HTTP flood feature, you can associate one CF distribution to the WebACL. For the scanner & probes feature, there is no restriction on the number of CF distributions, as the solution processes all CF logs that are in your application access log bucket.

kstro21 commented 3 years ago

Thanks again, @aijunpeng

What is the best approach for dealing with multiple Distributions if I want to enable all of the protections?

  1. Creating a stack for each Distribution?
  2. Creating a unique stack and associate all the Distributions?
  3. Creating one stack containing only the flood feature per each Distribution I want to use flood protection on. Then creating another stack with all the features enabled except the flood protection and associate all of the Distributions with it?

I'm a little bit confused, would you mind giving me a piece of advice?

aijunpeng commented 3 years ago

I double-checked and realized that the WAF service actually allows you to attach one or more distributions to one WebACL. I apologize for my previous mistake. Check out https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html

anandshivam44 commented 2 years ago

@kstro21 There is a limitation with the WAF CLOUDFRONT deployment. It can only be deployed in the us-east-1 region. So basically this limitation prevents the template from being an all-around design i.e. ALB, and CloudFront both in the same stack.