WAF - Basic Setup Guide for AWS

WAF AWS

7 replies to this topic

#1 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 27 January 2015 - 04:15 PM

Hi. I'm a newbie with Barracuda Web Application Firewall.

I've just read the BWAF Guide, but I have the following scenario:

VPC, IGW, ELB, APP Servers

I put the BWAF EC2 just behind the IGW, but obviously some APP servers (inside subnets) are EB, others are EC2 with Elastic IP (including the BWAF), and some EC2 are multisite. Some apps are Drupal multisites.

So my question is: what would a basic setup look like (maybe IP Configuration, Network Advanced and service creation) for filtering or passing traffic from the internet to my apps?

Thanks in advance.


Edited by NestorAcevedo, 27 January 2015 - 04:18 PM.


#2 Jeff Johnson

Jeff Johnson
  • Barracuda Team Members
  • 4 posts

Posted 29 January 2015 - 04:47 AM

Hi Nestor,

Sorry for the delay. You should be able to put the WAF between the ELB and your App servers. Typically there would be 2 WAFs in an active/active cluster for availability being load balanced by the ELB. The WAFs would secure, load balance and maintain persistence (if required) for traffic going to the App servers.

Thanks,

Jeff



#3 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 29 January 2015 - 05:41 PM

Hi. OK, don't worry, thanks for your reply. Another case I'm wondering about: if this WAF is instantiated in another VPC, could I set up VPC peering to pass traffic through the WAF's VPC?

Thanks in advance.



#4 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 29 January 2015 - 05:45 PM

Another question (I cannot edit the last one): suppose I put the WAF between ELB and server apps, how do I verify if the WAF is tracking all traffic?



#5 Jeff Johnson

Jeff Johnson
  • Barracuda Team Members
  • 4 posts

Posted 13 February 2015 - 08:34 AM

Hi Nestor,

Sorry for the delay. In this configuration the ELB would only send traffic to the WAF. The WAF would in turn receive all the traffic and load balance that traffic to the server apps.
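
One way to check that nothing reaches the app servers except through the WAF, as asked in post #4, is to audit the app servers' security groups for inbound sources other than the WAF. This is an added example, not part of the thread or of Barracuda's documentation; the group IDs, ports and sample rules are assumptions constructed for illustration.

```python
# Flag inbound rules that let traffic reach the app servers without passing the WAF.
# Input mirrors the "SecurityGroups" list from EC2 DescribeSecurityGroups; every ID,
# CIDR and port below is a constructed sample value (assumption, not from the thread).
WAF_SG = "sg-waf00000"                      # assumed: group attached to the WAF instances
APP_SGS = {"sg-app00001", "sg-app00002"}    # assumed: groups attached to the app servers
APP_PORTS = {80, 443}                       # assumed: ports the apps listen on

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-app00001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-waf00000"}]},
    ]},
    {"GroupId": "sg-app00002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb00000"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "UserIdGroupPairs": []},
    ]},
]

def covers_app_port(rule, app_ports):
    """True if the rule's protocol and port range include any app port."""
    proto = rule["IpProtocol"]              # "-1" means all protocols and ports
    return proto == "-1" or (
        proto == "tcp" and any(rule["FromPort"] <= p <= rule["ToPort"] for p in app_ports))

def find_waf_bypass(groups, app_sgs, waf_sg, app_ports):
    """Return (group, source, ports) for every app-port source other than the WAF."""
    findings = []
    for group in groups:
        if group["GroupId"] not in app_sgs:
            continue
        for rule in group.get("IpPermissions", []):
            if not covers_app_port(rule, app_ports):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])
                        if p["GroupId"] != waf_sg]
            ports = f'{rule.get("FromPort", "all")}-{rule.get("ToPort", "all")}'
            findings += [(group["GroupId"], src, ports) for src in sources]
    return findings

if __name__ == "__main__":
    for finding in find_waf_bypass(SAMPLE_GROUPS, APP_SGS, WAF_SG, APP_PORTS):
        print("bypass path:", *finding)
```

An empty result means every rule on the app ports names only the WAF's group as its source; any finding is a path (for example an ELB or a public CIDR pointed straight at an app server) that the WAF never sees.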



#6 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 24 February 2015 - 10:47 AM

Hi, sorry for my delay. Thanks for the answer.

In that case, unfortunately I have created the VPC in the wizard with only one public subnet (obviously with more than one ec2/eb has more than one public subnet) and the other VPC with the same conditions, so in this case what would be the best method to set up the Barracuda to receive internet traffic? Should I do what you mentioned in your last answer?

Thanks in advance.

Regards.



#7 Vlad Andrei

Vlad Andrei
  • Members
  • 4 posts

Posted 24 April 2015 - 01:13 PM

As some of you may already know, AWS has several Layer 2 networking limitations (such as VLAN tagging, Gratuitous ARP, multicast) as well as the inability to use IPv6.

In addition, the networking configuration is oftentimes challenging to port from existing private data centers.

We have been able to solve both of these issues, which makes it much easier to set up training, demo, POC and upgrade-testing environments in AWS/Google.

A blog article explaining how to run existing Barracuda on AWS/Google can be found here: http://www.ravellosystems.com/blog/barracuda-firewalls-in-aws/



#8 NestorAcevedo

NestorAcevedo
  • Members
  • 20 posts

Posted 15 July 2015 - 04:01 PM

Hi, it's me one more time. I have a big question: how can I protect an Elastic Beanstalk app which has an autoscaling group with Barracuda?

I can pass traffic from the WAF to fixed servers with fixed Elastic IPs, but I'm inquiring and need some knowledge about Elastic Beanstalk with autoscaling, where obviously no EIP is assigned but instead is set for the ELB.

Regards