aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Recommendation for use with CloudFront pointing at ALB #71

Closed jgeurts closed 5 years ago

jgeurts commented 5 years ago

Curious if you have a suggestion of best practice to use the WAF security automation with CloudFront pointing at an ALB instance?

Should I install the WAF security automations only on the ALB, only on CloudFront, or on both CloudFront and the ALB?

Leaning toward CloudFront & ALB, since an attacker could potentially see the CNAME value that CloudFront uses.

Thanks for any insight/suggestions!

BTW, if this is better asked at Stack Overflow or similar, I'm happy to move it there.

hvital commented 5 years ago

Hi @jgeurts.

For critical applications I would suggest having WAF on both layers (as you might have different throttling thresholds, for example).

If you are going to apply the same rules, you can use WAF on the ALB just to enforce that the request is coming from your CloudFront distribution. This blog post shows one way to implement that: https://www.metaltoad.com/blog/how-to-protect-origin-with-aws-waf-shield

It's also recommended to keep the ALB security group updated to accept requests only from CloudFront IPs. This post describes how to do that and keep the SG updated: https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/

Does it answer your question?
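The security-group part of the answer above, as an added example (not code from this project or from the linked AWS post): given the parsed `ip-ranges.json` document and the CIDRs currently allowed on the ALB security group, compute which CloudFront prefixes to authorize and which stale entries to revoke. The `ip-ranges.json` content below is constructed for illustration.

```python
"""Plan security-group changes so an ALB only accepts traffic from CloudFront.

The real document lives at https://ip-ranges.amazonaws.com/ip-ranges.json; the
copy embedded here is a constructed sample with the same schema.
"""
import json

# Constructed sample: two CloudFront prefixes and one unrelated EC2 prefix.
SAMPLE_IP_RANGES = json.loads("""{
  "syncToken": "0000000000",
  "createDate": "2019-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"}
  ]
}""")


def cloudfront_cidrs(ip_ranges: dict) -> set:
    """Return the IPv4 prefixes tagged with service CLOUDFRONT."""
    return {p["ip_prefix"] for p in ip_ranges["prefixes"]
            if p["service"] == "CLOUDFRONT"}


def plan_sg_update(ip_ranges: dict, current_cidrs: set) -> tuple:
    """Return (to_authorize, to_revoke) so the SG matches CloudFront exactly.

    Revoking anything not in the CloudFront list is what closes the hole the
    question describes: a client that learns the origin hostname and connects
    to the ALB directly is dropped at the network layer.
    """
    wanted = cloudfront_cidrs(ip_ranges)
    return sorted(wanted - current_cidrs), sorted(current_cidrs - wanted)


def ip_permissions(cidrs, port: int) -> list:
    """Build the IpPermissions structure boto3's EC2 client expects, so the
    output of plan_sg_update can be passed to authorize_security_group_ingress
    or revoke_security_group_ingress for the ALB listener port."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": "CloudFront"} for c in cidrs]}]


if __name__ == "__main__":
    current = {"203.0.113.0/24", "192.0.2.0/24"}   # constructed current SG state
    add, drop = plan_sg_update(SAMPLE_IP_RANGES, current)
    print("authorize:", json.dumps(ip_permissions(add, 443)))
    print("revoke:", json.dumps(ip_permissions(drop, 443)))
```

The full CloudFront list is far larger than this sample and exceeds the default inbound-rule quota of a single security group, which is why the linked AWS post spreads it over several groups and triggers the update from the AmazonIpSpaceChanged SNS topic rather than on a timer.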

jgeurts commented 5 years ago

This is great, thank you!