How to allow a certain IP set resource with my WAF v2 via CloudFormation?
For this question I put together an example based on the AWS docs: using WAF I defined a WAFv2 resource type, one rule and an IP set list. The following works fine and blocks the IP I specified, but how do I allow a certain list of IPs and block all the others?
Resources:
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: sample-acl
      Scope: REGIONAL
      Description: sample ACL.
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: sample-acl
      Rules:
        - Name: blockIPList
          Priority: 4
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: IPListMetric
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt myIPSet.Arn
  myIPSet:
    Type: 'AWS::WAFv2::IPSet'
    Properties:
      Name: sampleIPlistIPv4
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 70.25.14.172/32
Enable it on a CloudFront distribution:
CloudFront:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      WebACLId: !GetAtt ExampleWebACL.Arn
Or, for an ALB or API Gateway, you can use https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html
Type: AWS::WAFv2::WebACLAssociation
Properties:
  ResourceArn: String
  WebACLArn: String
Edit:
Do you mean how to enable the IPSet inside a rule group?
RuleGroup:
  Type: 'AWS::WAFv2::RuleGroup'
  Properties:
    Name: SampleRuleGroup
    Scope: REGIONAL
    Description: SampleRuleGroup
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: SampleRuleGroupMetrics
    Rules:
      - Name: ip-whitelist
        Priority: 0
        Action:
          Allow: { }
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: ip-whitelist-metric
        Statement:
          IPSetReferenceStatement:
            Arn: !GetAtt SampleIPSet.Arn
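The allow-list the question asks for, as an added example that is not part of the original question or answer: the asker's template has DefaultAction Allow and a Block rule, which blocks only the listed IPs. To allow only the listed IPs and block everything else, invert it: set DefaultAction to Block and make the IPSet rule's Action Allow. The logical IDs (AllowListIPSet, AllowListWebAcl, AllowListAssociation), the LoadBalancerArn parameter and the sample CIDRs are assumptions for this illustration.

```yaml
# Added example, not the original poster's template. Logical IDs, the
# LoadBalancerArn parameter and the sample CIDRs below are assumptions.
Parameters:
  LoadBalancerArn:
    Type: String
    Description: ARN of the regional resource (ALB, API Gateway stage, ...) to protect

Resources:
  AllowListIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: allowlist-ipv4
      Scope: REGIONAL            # must match the WebACL's Scope
      IPAddressVersion: IPV4
      Addresses:                 # constructed sample CIDRs; replace with your own
        - 70.25.14.172/32
        - 203.0.113.0/24

  AllowListWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: allowlist-acl
      Scope: REGIONAL            # CloudFront needs Scope CLOUDFRONT and a us-east-1 stack
      Description: Allow only listed source IPs and block everything else.
      DefaultAction:
        Block: {}                # the inversion: default is Block, the rule allows
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: allowlist-acl
      Rules:
        - Name: allowIPList
          Priority: 0            # evaluated first; lower number runs earlier
          Action:
            Allow: {}            # terminating: a match skips later rules and the default action
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: allowIPList
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt AllowListIPSet.Arn

  # Regional resources are attached with an association; CloudFront instead
  # takes the WebACL ARN in DistributionConfig.WebACLId.
  AllowListAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt AllowListWebAcl.Arn
```

Two caveats worth checking before relying on this. First, Allow is a terminating action, so requests from listed IPs bypass every later rule, including any managed rule groups; if those should still run for allowed clients, keep DefaultAction Allow and instead put a Block rule at priority 0 whose Statement is a NotStatement wrapping the IPSetReferenceStatement. Second, IPSetReferenceStatement matches the source IP of the connection; if the resource sits behind a proxy or CDN that rewrites the source, add IPSetForwardedIPConfig to the statement (with HeaderName, FallbackBehavior and Position) so the X-Forwarded-For client address is used, and treat that header as attacker-controlled unless the proxy strips incoming values.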