How to add AWS WAF to an ALB via CloudFormation
I can't find any examples or documentation on how to associate a WAF with an ALB via CloudFormation. Presumably this announcement https://aws.amazon.com/about-aws/whats-new/2017/05/cloudformation-support-for-aws-waf-on-alb/ was meant to be followed up, but I haven't found anything that explains how to do it. Using CloudFront instead of an ALB is well documented, but I have yet to find a single example of using an ALB (via CloudFormation).
Update:
I don't need a complete example that does the whole setup for me, but at least a snippet that shows how the WAF knows to associate with the ALB, or vice versa. The missing link.
To solve this, I went through their release history and found the CloudFormation resources that were updated to support WAF on ALB: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html
From there I was able to work out that the linking component is the WebACLAssociation, which maps the WAF to the ALB. But this also requires that you use WAFRegional instead of the plain WebACL. So far it seems to just mean changing ::WAF to ::WAFRegional throughout the code.
WAFRegional (AWS::WAFRegional::WebACL):
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webacl.html
"MyWebACL": {
  "Type": "AWS::WAFRegional::WebACL",
  "Properties": {
    "Name": "WebACL with three rules",
    "DefaultAction": {
      "Type": "ALLOW"
    },
    "MetricName": "MyWebACL",
    "Rules": [
      {
        "Action": {
          "Type": "BLOCK"
        },
        "Priority": 1,
        "RuleId": { "Ref": "MyRule" }
      },
      {
        "Action": {
          "Type": "BLOCK"
        },
        "Priority": 2,
        "RuleId": { "Ref": "BadReferersRule" }
      },
      {
        "Action": {
          "Type": "BLOCK"
        },
        "Priority": 3,
        "RuleId": { "Ref": "SqlInjRule" }
      }
    ]
  }
}
WebACLAssociation (AWS::WAFRegional::WebACLAssociation):
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html
"MyWebACLAssociation": {
  "Type": "AWS::WAFRegional::WebACLAssociation",
  "Properties": {
    "ResourceArn": { "Ref": "MyLoadBalancer" },
    "WebACLId": { "Ref": "MyWebACL" }
  }
}
Here is an example in YAML format.
Resources:
  WafAcldev:
    # Both are already implied by the Ref chain below; kept as one list
    # because DependsOn may only appear once per resource.
    DependsOn: [Whitelist, WafRule]
    # Regional (ALB) resources must use AWS::WAFRegional::*, not AWS::WAF::*
    Type: AWS::WAFRegional::WebACL
    Condition: CreateDEVResources
    Properties:
      DefaultAction:
        Type: "BLOCK"
      MetricName: test
      Name: test
      Rules:
        -
          Action:
            Type: "ALLOW"
          Priority: 1
          RuleId: !Ref WafRule
  WafRule:
    DependsOn: Whitelist
    Type: AWS::WAFRegional::Rule
    Condition: CreateDEVResources
    Properties:
      MetricName: test
      Name: test
      Predicates:
        -
          DataId:
            Ref: "Whitelist"
          Negated: false
          Type: "IPMatch"
  MyWebACLAssociation:
    Type: "AWS::WAFRegional::WebACLAssociation"
    # Same condition as the ACL it references, otherwise the template fails
    # validation when CreateDEVResources is false
    Condition: CreateDEVResources
    Properties:
      # The load balancer ARN (loadbalancer/app/<name>/<id>), not a listener ARN
      ResourceArn: arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456
      WebACLId:
        Ref: WafAcldev
  Whitelist:
    Type: AWS::WAFRegional::IPSet
    Condition: CreateDEVResources
    Properties:
      Name: "IPSet for Whitelisted IP addresses"
      IPSetDescriptors:
        -
          Type: "IPV4"
          Value: "213.126.223.11/32"
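Both answers above turn on the same two details: the web ACL, rules and IP sets must be the regional (AWS::WAFRegional::*) flavour, and the WebACLAssociation's ResourceArn must be the load balancer's own ARN. The following is an added example, not code from either answer or from AWS: a small static checker that reads a CloudFormation template as a JSON-style dict (long-form {"Ref": ...} syntax) and flags the mistakes that are easy to make when converting the CloudFront snippets to an ALB. The two embedded templates are constructed for illustration; GOOD_TEMPLATE assumes a hypothetical AppLoadBalancer resource, and BAD_TEMPLATE reproduces the global types, listener ARN and missing Condition.

```python
"""Static check: is this template's AWS WAF (Classic) web ACL actually wired
to an Application Load Balancer?  Added example for this page, not AWS code.
"""
import re

# AWS::WAF::* is the global (CloudFront) API; an ALB needs AWS::WAFRegional::*.
REGIONAL_ACL = "AWS::WAFRegional::WebACL"
ASSOCIATION = "AWS::WAFRegional::WebACLAssociation"
ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"
GLOBAL_WAF_PREFIX = "AWS::WAF::"

# A regional WebACLAssociation takes the load balancer ARN
# (...:loadbalancer/app/<name>/<id>), never a listener or target-group ARN.
ALB_ARN = re.compile(
    r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/app/[^/]+/[0-9a-f]+$"
)


def _ref(value):
    """Return the logical ID when value is {"Ref": "<id>"}, else None."""
    if isinstance(value, dict) and set(value) == {"Ref"} and isinstance(value["Ref"], str):
        return value["Ref"]
    return None


def check_waf_alb_association(template):
    """Return a list of findings; an empty list means the ACL is wired to the ALB."""
    findings = []
    resources = template.get("Resources", {})
    assocs = {n: r for n, r in resources.items() if r.get("Type") == ASSOCIATION}
    if not assocs:
        return ["no %s resource: the web ACL is never attached to the ALB" % ASSOCIATION]

    for name, assoc in assocs.items():
        props = assoc.get("Properties", {})

        # 1. WebACLId must be a Ref to a *regional* web ACL in this template.
        acl_name = _ref(props.get("WebACLId"))
        acl = resources.get(acl_name) if acl_name else None
        if acl is None:
            findings.append(f"{name}: WebACLId must be a Ref to a web ACL defined in this template")
        elif acl.get("Type") != REGIONAL_ACL:
            findings.append(f"{name}: WebACLId refers to {acl_name} of type {acl.get('Type')}; "
                            f"an ALB association needs {REGIONAL_ACL}")

        # 2. ResourceArn must identify the load balancer itself; Ref on an
        #    AWS::ElasticLoadBalancingV2::LoadBalancer returns exactly that ARN.
        arn = props.get("ResourceArn")
        lb_name = _ref(arn)
        if lb_name is not None:
            lb_type = resources.get(lb_name, {}).get("Type")
            if lb_type != ALB_TYPE:
                findings.append(f"{name}: ResourceArn refs {lb_name} ({lb_type}); expected {ALB_TYPE}")
        elif not (isinstance(arn, str) and ALB_ARN.match(arn)):
            findings.append(f"{name}: ResourceArn {arn!r} is not a load balancer ARN "
                            "(listener and target-group ARNs are rejected)")

        # 3. A conditional ACL referenced by an unconditional association fails
        #    template validation whenever the condition evaluates to false.
        if acl is not None and "Condition" in acl and assoc.get("Condition") != acl["Condition"]:
            findings.append(f"{name}: {acl_name} carries Condition {acl['Condition']} but {name} does not")

    # 4. Leftover global WAF resources mean the template was only half converted.
    for n, r in resources.items():
        if str(r.get("Type", "")).startswith(GLOBAL_WAF_PREFIX):
            findings.append(f"{n}: {r['Type']} is the global (CloudFront) API; use AWS::WAFRegional::* for an ALB")
    return findings


# Constructed sample templates (not real deployments). GOOD_TEMPLATE is the YAML
# answer converted to regional types, with a hypothetical AppLoadBalancer resource.
GOOD_TEMPLATE = {"Resources": {
    "AppLoadBalancer": {"Type": ALB_TYPE,
                        "Properties": {"Subnets": [{"Ref": "SubnetA"}, {"Ref": "SubnetB"}]}},
    "Whitelist": {"Type": "AWS::WAFRegional::IPSet", "Condition": "CreateDEVResources",
                  "Properties": {"Name": "IPSet for whitelisted IP addresses",
                                 "IPSetDescriptors": [{"Type": "IPV4", "Value": "213.126.223.11/32"}]}},
    "WafRule": {"Type": "AWS::WAFRegional::Rule", "Condition": "CreateDEVResources",
                "Properties": {"MetricName": "test", "Name": "test",
                               "Predicates": [{"DataId": {"Ref": "Whitelist"}, "Negated": False, "Type": "IPMatch"}]}},
    "WafAcldev": {"Type": REGIONAL_ACL, "Condition": "CreateDEVResources",
                  "Properties": {"DefaultAction": {"Type": "BLOCK"}, "MetricName": "test", "Name": "test",
                                 "Rules": [{"Action": {"Type": "ALLOW"}, "Priority": 1, "RuleId": {"Ref": "WafRule"}}]}},
    "MyWebACLAssociation": {"Type": ASSOCIATION, "Condition": "CreateDEVResources",
                            "Properties": {"ResourceArn": {"Ref": "AppLoadBalancer"}, "WebACLId": {"Ref": "WafAcldev"}}},
}}

# BAD_TEMPLATE keeps the global AWS::WAF::* types, points at a listener ARN and
# leaves the association unconditional: every mistake the checker looks for.
BAD_TEMPLATE = {"Resources": {
    "Whitelist": {"Type": "AWS::WAF::IPSet", "Condition": "CreateDEVResources", "Properties": {}},
    "WafRule": {"Type": "AWS::WAF::Rule", "Condition": "CreateDEVResources", "Properties": {}},
    "WafAcldev": {"Type": "AWS::WAF::WebACL", "Condition": "CreateDEVResources", "Properties": {}},
    "MyWebACLAssociation": {"Type": ASSOCIATION, "Properties": {
        "ResourceArn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:"
                       "listener/app/my-load-balancer/1234567890123456/1234567890123456",
        "WebACLId": {"Ref": "WafAcldev"}}},
}}

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_waf_alb_association(tpl) or ["ok"])
```

The checker only looks at the wiring, so it complements rather than replaces `aws cloudformation validate-template`. It expects the long-form Ref syntax; a template written with `!Ref` short forms needs to be converted to JSON before being loaded, because plain YAML loaders do not understand CloudFormation's custom tags.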