If your shielded application is hosted in AWS behind CloudFront, an ALB, API Gateway or another resource that supports AWS WAF, it's important to ensure that the AWS WAF configuration cannot accidentally block legitimate users of the application when RedShield is in the request path. From AWS WAF's point of view every request arrives from a RedShield platform address, so a rate-based or IP-reputation rule that would normally affect a single abusive client can instead throttle or block all of your users at once.
In order to permit user traffic arriving via RedShield to reach the application, an exception should be created in any AWS WAF web ACL in front of it, as follows:
1. Create an IP set containing RedShield's platform IP addresses
RedShield's IP addresses may be defined for use in AWS WAF by creating an IP set using the following resource:
2. Add an AWS WAF rule to allow traffic which has routed through RedShield's platform:
Select "Add my own rules and rule groups":
Choose "IP set", select the RedShield IP set created in step 1, and set the action to Allow. Leave the originating-address setting at the default (source IP address): if the rule is instead configured to take the IP from a forwarded header such as X-Forwarded-For, it will match the end user's address rather than RedShield's and the exception will never trigger. Other settings can be chosen as suitable for your environment:
3. Set your rule priority so that the allow rule is evaluated before any existing rate limiting or blocking rules. AWS WAF evaluates rules in ascending priority order (lower number first) and requires every priority in a web ACL to be unique, so give the RedShield rule a lower number than all other rules, renumbering existing rules if necessary.
Then save. Because Allow is a terminating action, requests arriving from RedShield's platform IP addresses are no longer evaluated against the later rules, so they can no longer be blocked or rate limited by AWS WAF. Confirm the result by checking the web ACL's sampled requests or CloudWatch metrics for the new rule: RedShield-sourced requests should be counted against it and against nothing else.
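The following script is an added example, not code supplied by RedShield or AWS. It shows the rule document that steps 2 and 3 produce, in the JSON shape that `aws wafv2 update-web-acl --rules` accepts, and automates the priority renumbering from step 3: the allow rule is placed at priority 0 and every existing rule is shifted down by one so that priorities stay unique. The IP set ARN, rule names and the two existing rules (a rate limit and a managed rule group) are constructed placeholders; substitute the ARN returned by your own `aws wafv2 create-ip-set` call.

```python
"""Insert a RedShield allow rule ahead of every existing rule in an AWS WAFv2 web ACL.

Added example for the procedure above; not RedShield's or AWS's own code.
All ARNs, names and sample rules below are constructed placeholders.
"""
import copy
import json

# Assumption: placeholder ARN of the IP set from step 1. Use the ARN that
# `aws wafv2 create-ip-set` returned for your RedShield IP set.
REDSHIELD_IP_SET_ARN = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/redshield-platform/"
    "11111111-2222-3333-4444-555555555555"
)

ALLOW_RULE_NAME = "allow-redshield-platform"

# Constructed sample of rules already in the web ACL: a per-IP rate limit and an
# AWS managed rule group. Both would otherwise act on RedShield's addresses.
EXISTING_RULES = [
    {
        "Name": "rate-limit-per-ip",
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "rate-limit-per-ip",
        },
    },
    {
        "Name": "aws-managed-common",
        "Priority": 1,
        "OverrideAction": {"None": {}},
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "aws-managed-common",
        },
    },
]


def redshield_allow_rule(ip_set_arn, priority=0):
    """Build the step-2 allow rule in the shape update-web-acl expects."""
    return {
        "Name": ALLOW_RULE_NAME,
        "Priority": priority,
        "Action": {"Allow": {}},
        # A plain IPSetReferenceStatement matches the connecting source address,
        # which is RedShield's. Deliberately no IPSetForwardedIPConfig: that would
        # match the end user's IP from a forwarded header instead.
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": ALLOW_RULE_NAME,
        },
    }


def insert_allow_rule(rules, ip_set_arn):
    """Return a new rule list with the allow rule first (priority 0).

    Existing rules keep their relative order but move down one priority each,
    because priorities in a web ACL must be unique. The input list is not mutated.
    """
    if any(r["Name"] == ALLOW_RULE_NAME for r in rules):
        raise ValueError(f"web ACL already contains a rule named {ALLOW_RULE_NAME}")
    shifted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        moved = copy.deepcopy(rule)
        moved["Priority"] += 1
        shifted.append(moved)
    return [redshield_allow_rule(ip_set_arn, priority=0)] + shifted


def check_precedence(rules):
    """True when the allow rule is evaluated first and all priorities are unique."""
    ordered = sorted(rules, key=lambda r: r["Priority"])
    priorities = [r["Priority"] for r in ordered]
    return ordered[0]["Name"] == ALLOW_RULE_NAME and len(set(priorities)) == len(priorities)


if __name__ == "__main__":
    new_rules = insert_allow_rule(EXISTING_RULES, REDSHIELD_IP_SET_ARN)
    if not check_precedence(new_rules):
        raise SystemExit("allow rule would not take precedence")
    # Feed this to: aws wafv2 update-web-acl ... --rules file://rules.json --lock-token <token>
    print(json.dumps(new_rules, indent=2))
```

To apply the output, fetch the current rule list and lock token with `aws wafv2 get-web-acl --name <acl> --scope <REGIONAL|CLOUDFRONT> --id <id>`, run the script against that `Rules` array instead of the constructed sample, and pass the result together with the returned `LockToken` to `aws wafv2 update-web-acl`. The lock token guards against overwriting a change someone else made between the read and the write.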