8 Benefits of Combining AWS CloudFront With WAF and Shield
AWS CloudFront, in combination with AWS WAF and Shield, is a powerful CDN and cache for speeding up content delivery and protecting against attacks.
By Pilotcore
Security and performance are always top priorities for any web app. Many users choose to use Amazon CloudFront as their content delivery network (CDN). Namely, because CloudFront allows you to enhance the availability, performance, and security of static and dynamic content.
Amazon CDN is a popular choice. Plus, it does away with bothersome details like the: “Checking your connection before forwarding you to the website” screen often observed with competitors like Cloudflare.
In short, AWS Cloudfront ensures your visitor requests travel a shorter distance. Which means greater responsiveness and fewer lost customers.
One best practice when serving content with CloudFlare is to make sure viewers cannot bypass the CDN to access your origin content directly. This can be achieved by combining it with services such as AWS WAF and Shield.
So, in this post, we’ll take a look at the benefits of such an expansion so your CDN can be set up securely and effectively.
Let’s dive in!
What’s AWS WAF?
AWS WAF is a firewall for web apps. It helps protect your applications from common web exploits that could compromise your site’s security or availability or risk consuming excessive resources. If you’re wondering about EC2 DDoS protection this is the place to start. CloudFront offers tight integration with AWS WAF.
Here’s how it works:
When a viewer accesses your website or app, requests for one or more files (such as images, CSS, JavaScript or HTML files) are sent. Route 53 DNS sends these requests to the CloudFront edge location best suited to serving the request. This is usually the nearest in terms of latency.
AWS WAF will then inspect incoming requests according to your configured web ACL rules at the edge location. These rules might detect and block requests deemed part of a DDoS attack, protect against SQL injection, and many others. Next, CloudFront will check its cache for the requested content.
AWS WAF also contains the request’s header and X-Origin-Verify at the origin Application Load Balancer (ALB). It then blocks the request if the header isn’t valid.
While it doesn’t cover EC2 instances directly, WAF works tightly with the load balancer, so if you’re suffering from AWS ELB DDoS attacks it will help mitigate them. It also integrates with the Secrets Manager. The Secrets Manager protects your content’s security secrets. It does this by rotating the custom header value and updating the AWS WAF and CloudFront configurations.
What’s AWS Shield?
If you require additional protection to AWS WAF, AWS also provides Shield Standard and Shield Advanced. The standard variant is already included at no extra cost when you decide to combine CloudFront with AWS WAF and your other AWS services.
Advanced Shield provides expanded DDoS attack protection, especially important for your Amazon EC2 instances, as well as CloudFront distributions and Route 53 hosted zones.
Note: CloudFront with Route 53 for DNS management is a smarter solution than splitting your architecture between AWS and other DNS services. This is because with Route53 you can take advantage of the power of the Alias record. This is an AWS-only record type that enables pointing the root of your DNS zone to the DNS names of AWS resources such as load balancers and CloudFront distributions and this is essential for scaling and availability in AWS. By contrast, CNAME records don’t work on the root of DNS zones.
AWS Shield allows you to add protection to the following resource types:
- Amazon CloudFront distributions
- Amazon Route53 hosted zones
- AWS Global Accelerator accelerators
- Application load balances
- Elastic Load Balancing (ELB)
- Amazon elastic compute cloud (Amazon EC2) Elastic IP addresses
The Benefits of Combining AWS Cloudfront with AWS WAF and Shield
You Gain Additional Control Over Access Behaviors
AWS WAF doesn’t function entirely passively. You can also configure which profiles of requests you wish to grant access to your application. You can choose to allow or block all requests except for those you specify.
You can also count the requests that match that specification before you deploy a rule, so you don’t accidentally filter out all of your traffic. You can define secure requests via several metrics, including:
- IP addresses
- Country of origin
- Length of the request
- Strings that appear
- The presence of SQL code or scripts that are likely to be malicious
…To name a few.
Reuse Rules for Multiple Web Applications
Ensuring security across the board of your web applications is made easy because you can reuse the conditions you set with AWS WAF across multiple applications. This applies whether your web applications provide dynamic or static content.
This saves time if you want to get started with new websites quickly. Managed rules are automatically updated when new issues emerge so that you can focus your efforts on building applications.
You can improve your web applications’ performance, security, and availability using AWS Cloudfront, which will speed up the distribution of your web content via a network of data centers. These are called ‘edge locations.‘
Full Feature API
AWS WAF can be administered entirely via APIs. This means that organizations can maintain and create rules during the development and design process.
In other words, you can save yourself the often complex handoffs between application and security teams. Developers who have detailed knowledge of the web application can create security roles hand in hand with the deployment process.
Respond Fast and Flexibly
AWS WAF allows you to have an agile response to new threats. This is key to defending against modern web attacks. With AWS WAF, you can implement and update rules quickly and on-demand.
You can update the security of the entire environment, even during security incidents. New rules can be implemented within just a minute, so if you’re dealing with a threat, your team can act immediately.
Easy to Deploy and Maintain
If you’re considering AWS WAF in addition to your Amazon Cloudfront setup, you’ll find that deployment and maintenance are straightforward. You can deploy them as part of your CDN solution, the Application Load Balancer, Amazon API Gateway, or AWS App Sync.
You don’t need to deploy any additional software. Nor do you have to update your DNS configuration, manage an SSL/TLS certificate or reverse your proxy setup.
Protect Against DDoS Attacks
At their core, Shield and AWS WAF are especially helpful in mitigating common, frequently occurring network and transport layer DDoS attacks. The shield can protect against all known infrastructure attacks to layers 3 and 4 if you are using it in conjunction with Amazon CloudFront and Route53.
If you opt into Shield Advanced, this will cost you more, but you can protect against larger DDoS events. Shield Advanced automatically deploys your network ACLs to the border of the AWS network during an attack.
Shield Advanced benefits from the assistance of the DRT, including intelligent DDoS attack detection and mitigation for layer 3 and layer 4 attacks and attacks on the application layer (layer 7).
If, however, you go for AWS Shield Standard, this is automatically included in your package and doesn’t cost anything more on top of what you’re already paying for AWS WAF and other AWS services.
Web Traffic Visibility - in Real-Time
AWS WAF provides near real-time visibility into your web traffic. This can allow you to create new rules or alerts in Amazon CloudWatch. You have full control over how the metrics are emitted.
As such, you can easily monitor everything from the rule level to the total inbound traffic for your app. AWS WAF also offers comprehensive logging. It captures each inspected web request’s full header data for security automation, analytics and auditing.
A Cost-Effective Firewall
AWS WAF only requires you to pay for what you use and provides a customizable self-service offering. Pricing hinges on how many rules you deploy and web requests you receive. Let’s not forget that this automatically grants you access to AWS Shield.
This offers you comprehensive base-level protection against the majority of attacks. Using complementary services like this is a great way to get the most out of your IT budget.
The AWS Firewall Manager makes your maintenance and admin tasks much easier when you’re working across multiple accounts, AWS Shield Advanced protection, and Amazon VPC security groups.
The Firewall Manager service applies all your security protections and rules automatically, including when you add new resources and accounts.
Combine AWS CloudFront with AWS WAF and Shield for Extra Resilience
In most cases, deploying AWS Shield Standard in conjunction with AWS WAF and a combination of other AWS Services is sufficient at mitigating most attacks. This quickly creates an in-depth defence strategy.
Using AWS CloudFront with these services ensures that these tightly integrated tools can work together and unlock their full benefit.
Suppose you’re unsure how to proceed in protecting your app and improving its performance and availability.
In that case, we might be able to help.
Ready to Elevate Your Business?
Discuss your cloud strategy with our experts and discover the best solutions for your needs.