
Integrating with AWS: Creating an IP set for AWS WAF, to avoid blocking user traffic from RedShield

When RedShield's platform is used to shield applications hosted in AWS, components such as CloudFront, ALB and API Gateway may have AWS WAF configuration applied for rate limiting or for detecting and blocking threats.

If your applications hosted in AWS have AWS WAF configured, you should ensure that it cannot accidentally block legitimate traffic forwarded from RedShield IP addresses: because all shielded traffic arrives from a small set of source addresses, rate-limiting rules or other IP-address-based restrictions can otherwise affect legitimate user traffic.

 

Traffic from RedShield is sent to the application from a restricted set of IP addresses published here: https://www.redshield.co/ipv4, and forwarded requests include a header which preserves the client’s true IP address on the internet.

When creating exceptions to allow application traffic from RedShield, first create an IP set to hold the list of IP addresses that should be allowed in AWS. Two methods are shown here: the AWS web interface and the AWS CLI client.

 

Creating an IP set using AWS web user interface

IP sets may be created using the AWS web user interface as follows:

 

1. Select the required region if WAF is applied to regional resources such as ALB and API Gateway; for CloudFront, select "Global (CloudFront)". Then select "Create IP set".

 

2. Create the IP set using the current list of IP addresses from https://www.redshield.co/ipv4.

Your IP set should now appear in the list of IP sets available for use with AWS WAF rules.

 

Creating an IP set using AWS CLI v2

IP sets may be created using the AWS CLI as follows (instructions are shown for the Mac and Linux bash terminal; for Windows, consult the AWS documentation for the correct formatting):

1. Ensure that you have AWS CLI installed

aws --version

 

Instructions for installing the AWS CLI on Mac, Linux and Windows may be found here: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

 

2. Create an IP set

The address list in the commands below is a snapshot; check it against the current list at https://www.redshield.co/ipv4 before running them. For ALB and API Gateway, replace the region (us-west-2 in the example) with your target region. CloudFront-scoped IP sets are always created in us-east-1.

For regional resources such as ALB and API Gateway:

aws wafv2 create-ip-set \
--name "redshield-source-ips5" \
--scope REGIONAL \
--region us-west-2 \
--ip-address-version IPV4 \
--description "RedShield IP addresses which may forward client traffic - to ALLOW" \
--addresses \
"103.14.41.64/27" \
"103.241.84.0/22" \
"202.174.114.112/32" \
"38.107.178.0/24" \
"169.50.192.30/32" \
"169.50.192.16/28" \
"169.50.69.240/28" \
"169.50.198.224/27" \
"193.0.180.0/22" \
"103.253.194.5/32"

 

For global use with Cloudfront:

aws wafv2 create-ip-set \
--name "redshield-source-ips4" \
--scope CLOUDFRONT \
--region us-east-1 \
--ip-address-version IPV4 \
--description "RedShield IP addresses for CloudFront - ALLOW" \
--addresses \
"103.14.41.64/27" \
"103.241.84.0/22" \
"202.174.114.112/32" \
"38.107.178.0/24" \
"169.50.192.30/32" \
"169.50.192.16/28" \
"169.50.69.240/28" \
"169.50.198.224/27" \
"193.0.180.0/22" \
"103.253.194.5/32"

 

3. Verify that your IP set is available

For CloudFront:

aws wafv2 list-ip-sets --scope CLOUDFRONT --region us-east-1 --output json

For regional resources such as ALB and API Gateway:

aws wafv2 list-ip-sets --scope REGIONAL --region us-west-2 --output json

The name you chose should appear in the IPSets array of the output, together with the set's Id and the ARN that WAF rules reference.
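As an added example (not RedShield's or AWS's own code), the following POSIX shell script automates step 2 from a downloaded copy of the published list instead of a hand-typed address list: it validates every entry as an IPv4 CIDR, treats bare addresses as /32 hosts, refuses to create the set if any entry is malformed, and then passes the clean list to aws wafv2 create-ip-set with the same options as the commands above. The list-file format (one address per line, # comments allowed), the script name and the default IP set name are assumptions; the sample list embedded in the script is constructed for the dry run and is not the live RedShield list.

```shell
#!/bin/sh
# Added example (not RedShield's or AWS's own code). Builds the --addresses
# list for `aws wafv2 create-ip-set` from a copy of the published RedShield
# IPv4 list, validating every entry as an IPv4 CIDR before it reaches the CLI.
# Assumes: AWS CLI v2 is installed and credentials are configured; the list
# file has one address per line, and a bare address means a single host (/32).
set -eu

# Constructed sample in the same one-per-line shape as the published list.
# In real use, download https://www.redshield.co/ipv4 to a file and pass it in.
SAMPLE_LIST='# RedShield forwarding addresses (constructed sample, not the live list)
103.14.41.64/27
103.241.84.0/22

202.174.114.112
bogus-entry
'

# is_ipv4_cidr CIDR: succeed only for a.b.c.d/n with octets 0-255 and n 0-32.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/" at all
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac   # prefix must be digits
    [ "$prefix" -le 32 ] || return 1
    [ "$(printf '%s' "$addr" | tr -cd '.')" = "..." ] || return 1   # exactly three dots
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1                          # rejects "1.2.3." style entries
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# normalize_ip_list: read a list on stdin, drop comments and blank lines,
# turn bare host addresses into /32, print valid CIDRs one per line, and
# exit with the number of rejected entries (0 means the whole list is clean).
normalize_ip_list() {
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        case "$entry" in */*) ;; *) entry="$entry/32" ;; esac
        if is_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'warning: rejected invalid entry "%s"\n' "$entry" >&2
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}

# create_ip_set NAME SCOPE REGION LISTFILE: pass each normalized CIDR as a
# separate --addresses value, exactly as the hand-written commands above do.
# CLOUDFRONT-scoped sets must be created with --region us-east-1.
create_ip_set() {
    name=$1; scope=$2; region=$3; list_file=$4
    set --
    while IFS= read -r cidr; do
        set -- "$@" "$cidr"
    done < "$list_file"
    [ $# -gt 0 ] || { echo "no valid addresses; nothing to create" >&2; return 1; }
    aws wafv2 create-ip-set \
        --name "$name" \
        --scope "$scope" \
        --region "$region" \
        --ip-address-version IPV4 \
        --description "RedShield IP addresses which may forward client traffic - to ALLOW" \
        --addresses "$@"
}

# Usage: sh make-ip-set.sh <ip-list-file> REGIONAL|CLOUDFRONT <region> [name]
# With fewer than three arguments only a dry run over the constructed sample
# is performed and no AWS call is made.
if [ $# -ge 3 ]; then
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    if normalize_ip_list < "$1" > "$tmp"; then
        create_ip_set "${4:-redshield-source-ips}" "$2" "$3" "$tmp"
    else
        echo "list contains invalid entries; refusing to create the IP set" >&2
    fi
else
    echo "dry run: entries that would be passed to create-ip-set" >&2
    printf '%s' "$SAMPLE_LIST" | normalize_ip_list || echo "($? entry/entries rejected)" >&2
fi
```

Run it as sh make-ip-set.sh redshield-ipv4.txt REGIONAL us-west-2 (or CLOUDFRONT us-east-1 for CloudFront); without arguments it only dry-runs the embedded sample and prints the one rejected entry to stderr. Validating before calling the CLI matters because a malformed entry makes create-ip-set fail as a whole, while a typo that still parses (a wrong prefix length, for example) silently allows or misses traffic. create-ip-set also fails if a set with that name already exists, so refreshing the addresses later is done with aws wafv2 update-ip-set, which requires the current LockToken returned by aws wafv2 get-ip-set.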
