
How to add AWS WAF to an ALB via CloudFormation

I can't find any examples or documentation on how to associate a WAF with an ALB via CloudFormation. Supposedly it's possible, going by this news announcement https://aws.amazon.com/about-aws/whats-new/2017/05/cloudformation-support-for-aws-waf-on-alb/, but there isn't anything I've found that shows how. Using CloudFront instead of ALB is well documented, but I haven't found a single example with regard to using an ALB (via CloudFormation).

Update: I don't need a full example that does the entire setup for me, but at least a snippet that points out how the WAF will know to associate with the ALB or vice versa. The linking is what's missing.

To solve this I browsed through their release history and found the CloudFormation resources that were updated to support WAF & ALB: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html From there I was able to deduce that the linking component is a WebACLAssociation that maps WAF and ALB. But this also requires that instead of a normal WebACL you must use the WAFRegional one. So far it seems to only mean changing ::WAF to ::WAFRegional throughout your code.

WAFRegional (AWS::WAFRegional::WebACL): http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webacl.html

"MyWebACL": {
  "Type": "AWS::WAFRegional::WebACL",
  "Properties": {
    "Name": "WebACL to with three rules",
    "DefaultAction": {
      "Type": "ALLOW"
    },
    "MetricName" : "MyWebACL",
    "Rules": [
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 1,
        "RuleId" : { "Ref" : "MyRule" }
      },
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 2,
        "RuleId" : { "Ref" : "BadReferersRule" }
      },
      {
        "Action" : {
          "Type" : "BLOCK"
        },
        "Priority" : 3,
        "RuleId" : { "Ref" : "SqlInjRule" }
      }
    ]
  }
}

WebACLAssociation (AWS::WAFRegional::WebACLAssociation): http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html

"MyWebACLAssociation": {
  "Type": "AWS::WAFRegional::WebACLAssociation",
  "Properties": {
    "ResourceArn": { "Ref": "MyLoadBalancer" },
    "WebACLId": { "Ref": "MyWebACL" }
  }
}

Below is the example in YAML format.

Parameters:
  # Added so the snippet validates stand-alone: the original referenced the
  # CreateDEVResources condition without defining it.
  Environment:
    Type: String
    Default: dev

Conditions:
  CreateDEVResources: !Equals [ !Ref Environment, dev ]

Resources:
  # Everything attached to an ALB must be the regional flavour (AWS::WAFRegional::*).
  # The global AWS::WAF::* resources can only be associated with CloudFront.
  WafAcldev:
    # DependsOn may appear only once per resource; list several targets instead
    DependsOn: [ Whitelist, WafRule ]
    Type: AWS::WAFRegional::WebACL
    Condition: CreateDEVResources
    Properties:
      DefaultAction:
        Type: "BLOCK"
      MetricName: test
      Name: test
      Rules:
        -
          Action:
            Type: "ALLOW"
          Priority: 1
          RuleId: !Ref WafRule

  WafRule:
    # The IPSet below is called Whitelist; the original pointed at a non-existent resource
    DependsOn: Whitelist
    Type: AWS::WAFRegional::Rule
    Condition: CreateDEVResources
    Properties:
      MetricName: test
      Name: test
      Predicates:
        -
          DataId:
            Ref: "Whitelist"
          Negated: false
          Type: "IPMatch"

  MyWebACLAssociation:
    Type: "AWS::WAFRegional::WebACLAssociation"
    # Must carry the same condition as the WebACL it references
    Condition: CreateDEVResources
    Properties:
      # The ARN of the load balancer itself, not of one of its listeners
      ResourceArn: arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456
      WebACLId:
        Ref: WafAcldev

  Whitelist:
    Type: AWS::WAFRegional::IPSet
    Condition: CreateDEVResources
    Properties:
      Name: "IPSet for Whitelisted IP adresses"
      IPSetDescriptors:
        -
          Type: "IPV4"
          Value: "213.126.223.11/32"
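The two things that silently break this wiring are referencing a global AWS::WAF::WebACL from the regional association and handing the association a listener ARN instead of the load balancer's ARN. The following linter, an added example that is not part of the answer above, checks a parsed template (the dict you get from json.load or a YAML parser, where !Ref has become {"Ref": ...}) for exactly those mistakes; the sample templates BROKEN and FIXED are constructed here for illustration.

```python
import re

# Matches an Application Load Balancer ARN (not a listener or target-group ARN).
ALB_ARN = re.compile(r"^arn:aws[\w-]*:elasticloadbalancing:[\w-]+:\d{12}:loadbalancer/app/")

def _ref(value):
    """Logical id behind {"Ref": ...} (what !Ref becomes after parsing), else None."""
    return value["Ref"] if isinstance(value, dict) and list(value) == ["Ref"] else None

def check_waf_association(template):
    """Return findings for WAF/ALB wiring mistakes in a parsed CloudFormation template."""
    res = template.get("Resources", {})
    findings = []
    for name, r in res.items():
        rtype = r.get("Type", "")
        # A global AWS::WAF::* resource can never be associated with an ALB.
        if rtype.startswith("AWS::WAF::"):
            findings.append(f"{name}: {rtype} is global; ALBs need AWS::WAFRegional::")
        if rtype != "AWS::WAFRegional::WebACLAssociation":
            continue
        props = r.get("Properties", {})
        # WebACLId must Ref a regional web ACL (Ref on it returns the ACL id).
        acl = _ref(props.get("WebACLId"))
        acl_type = res.get(acl, {}).get("Type") if acl else None
        if acl_type != "AWS::WAFRegional::WebACL":
            findings.append(f"{name}: WebACLId must Ref an AWS::WAFRegional::WebACL, got {acl_type}")
        # ResourceArn must be the load balancer: a Ref to an ALB resource (Ref returns
        # its ARN) or a literal loadbalancer/app/... ARN, never a listener ARN.
        arn = props.get("ResourceArn")
        lb = _ref(arn)
        if lb is not None:
            if res.get(lb, {}).get("Type") != "AWS::ElasticLoadBalancingV2::LoadBalancer":
                findings.append(f"{name}: ResourceArn Refs {lb}, which is not an ALB")
        elif not (isinstance(arn, str) and ALB_ARN.match(arn)):
            findings.append(f"{name}: ResourceArn {arn!r} is not an ALB ARN")
    return findings

# Constructed sample: the mistakes in the original YAML (global WebACL, listener ARN).
BROKEN = {"Resources": {
    "WafAcldev": {"Type": "AWS::WAF::WebACL"},
    "MyWebACLAssociation": {"Type": "AWS::WAFRegional::WebACLAssociation", "Properties": {
        "ResourceArn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/app/my-load-balancer/1234567890123456/1234567890123456",
        "WebACLId": {"Ref": "WafAcldev"}}}}}

# Constructed sample: the corrected wiring using Refs, as in the JSON snippet.
FIXED = {"Resources": {
    "MyLoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
    "MyWebACL": {"Type": "AWS::WAFRegional::WebACL"},
    "MyWebACLAssociation": {"Type": "AWS::WAFRegional::WebACLAssociation", "Properties": {
        "ResourceArn": {"Ref": "MyLoadBalancer"}, "WebACLId": {"Ref": "MyWebACL"}}}}}
```

Run check_waf_association on a template before deploying; an empty list means the association points at a regional ACL and at the load balancer itself.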
