
Enabling WAF on AWS Lightsail via CloudFront

Setting up WAF to protect Lightsail instances is a little awkward. Lightsail runs in its own internal VPC, so AWS WAF cannot normally be attached to a Lightsail instance or load balancer directly.

What you need to do is create a CloudFront distribution that acts as the entry point for your website, and then attach WAF to that distribution. The steps are below.

Create a CloudFront Distribution

The origin domain for the distribution should be set to the DNS address of your load balancer (whether it's a Lightsail load balancer or an Application Load Balancer).

Set the distribution to use HTTPS only for connections, with the normal caching behaviour.

Make sure to set the allowed HTTP methods to more than just GET and HEAD. Since all traffic to your site will pass through this CDN, many requests (notably POST requests) will fail if this is not set correctly.
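The two settings above (HTTPS only, and allowed methods beyond GET and HEAD) are easy to miss in the console, so here is a small checker, added as an example and not part of the original guide, that inspects a CloudFront DistributionConfig in the shape the CreateDistribution/UpdateDistribution API uses and reports the weak settings next to a hardened copy. The sample config and the origin hostname in it are constructed placeholders; the field names and the `https-only` / `allow-all` values are the real CloudFront API ones.

```python
"""Check a CloudFront DistributionConfig for the settings this guide calls for."""
import json

# Constructed sample: a minimal DistributionConfig with the weak settings a
# first attempt often ends up with. The origin DomainName is a placeholder;
# the guide says to use your load balancer's DNS name here.
SAMPLE_DISTRIBUTION_CONFIG = {
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "lightsail-lb",
                "DomainName": "PLACEHOLDER-LB.example.com",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "http-only",   # weak: plain HTTP to origin
                },
            }
        ],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "lightsail-lb",
        "ViewerProtocolPolicy": "allow-all",                # weak: viewers may use HTTP
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},  # POST will fail
    },
}

# The full method set CloudFront accepts for AllowedMethods.
ALL_METHODS = ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]


def find_issues(config):
    """Return a list of problems; an empty list means the config matches the guide."""
    issues = []
    behavior = config["DefaultCacheBehavior"]
    if behavior.get("ViewerProtocolPolicy") not in ("https-only", "redirect-to-https"):
        issues.append("viewer protocol policy allows plain HTTP")
    methods = set(behavior["AllowedMethods"]["Items"])
    if "POST" not in methods:
        issues.append("allowed methods exclude POST; form submissions will fail")
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig", {})
        if custom.get("OriginProtocolPolicy") != "https-only":
            issues.append(f"origin {origin['Id']} is not contacted over HTTPS only")
    return issues


def harden(config):
    """Return a deep copy with HTTPS-only viewer and origin policies and all methods allowed."""
    fixed = json.loads(json.dumps(config))  # deep copy, leaves the input untouched
    behavior = fixed["DefaultCacheBehavior"]
    behavior["ViewerProtocolPolicy"] = "https-only"
    behavior["AllowedMethods"] = {
        "Quantity": len(ALL_METHODS),
        "Items": list(ALL_METHODS),
        # Only GET and HEAD are cached; POST and the others are forwarded uncached.
        "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
    }
    for origin in fixed["Origins"]["Items"]:
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return fixed


if __name__ == "__main__":
    for problem in find_issues(SAMPLE_DISTRIBUTION_CONFIG):
        print("weak:", problem)
    print("after hardening:", find_issues(harden(SAMPLE_DISTRIBUTION_CONFIG)) or "no issues")
```

The same `find_issues` check can be run against the output of `aws cloudfront get-distribution-config` for an existing distribution, which is a quick way to confirm that a distribution created by hand in the console actually ended up with the settings described above.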


Set your domain name to resolve to the distribution

In your DNS provider, create a CNAME record that maps yourwebsite.com to the address of your distribution, so that visitors to your website are sent to the distribution you just created. This differs from the normal setup, where this record would point to your load balancer's DNS name.

Make sure not to include the https:// in the CNAME record's value for the distribution; use just the "whatever.cloudfront.net" hostname.

Set up WAF on the distribution

The CloudFront console has fairly primitive WAF options; it's better to go into the AWS WAF console and set up your rules there.

In the WAF console, go to Web ACLs in the left panel, and select the Global (CloudFront) region. Click the create web ACL button. Select Amazon CloudFront Distributions as the resource type, and add the distribution you created in the Associated AWS Resources panel at the bottom.

On the next page, you can add rule groups that the WAF will use to screen incoming requests. AWS WAF measures the cost of rules in Web ACL capacity units (WCUs), which determine how many rules you can add to a particular ACL. Some managed rule groups consume more capacity than others. Note that although the limit is 5000 WCU per ACL, using more than 1500 incurs extra costs.

In the top right dropdown, select Add Managed Rule Groups (i.e. those maintained by AWS, and those maintained by other companies and offered through AWS). Open up the AWS managed rule groups section.


The non-AWS rule groups all require paid subscriptions; a few of the AWS ones incur extra charges, but many do not. Inside the AWS managed rule groups section, scroll down to the Free rule groups.

[Screenshot: the Free rule groups section of the AWS managed rule groups list]

There are more rule groups than shown in this screenshot, but this section is where most of the rule groups you want reside (thankfully, since they are not subject to extra charges). You should be able to add the rule groups you need without exceeding the 1500 WCU limit. Here are some of the important ones:

  • Core rule set (700 WCU)
  • Amazon IP reputation list (25 WCU)
  • Known bad inputs (200 WCU)
  • Linux or Windows operating system, as appropriate (200 WCU)
  • SQL database (200 WCU)
  • PHP application, if appropriate (100 WCU)

This puts your web ACL at 1325-1425 WCU, depending on whether you need the PHP application rule set.
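The console does the WCU arithmetic for you, but if you script the web ACL instead it is worth checking the budget before calling the API. The following is an added example, not code from the original guide, that turns the rule groups listed above into the request body for the WAFv2 CreateWebACL call (CLOUDFRONT scope) and flags the 1500 WCU pricing threshold and the 5000 WCU hard limit. The managed rule group identifiers are AWS's real names; the WCU figures are the ones the guide lists; the ACL name and metric prefix are placeholders.

```python
"""Build a WAFv2 create_web_acl request from this guide's rule groups and check the WCU total."""

# Guide-listed rule groups: display name -> (AWS managed rule group identifier, WCU).
MANAGED_RULE_GROUPS = {
    "Core rule set": ("AWSManagedRulesCommonRuleSet", 700),
    "Amazon IP reputation list": ("AWSManagedRulesAmazonIpReputationList", 25),
    "Known bad inputs": ("AWSManagedRulesKnownBadInputsRuleSet", 200),
    "Linux operating system": ("AWSManagedRulesLinuxRuleSet", 200),
    "Windows operating system": ("AWSManagedRulesWindowsRuleSet", 200),
    "SQL database": ("AWSManagedRulesSQLiRuleSet", 200),
    "PHP application": ("AWSManagedRulesPHPRuleSet", 100),
}

WCU_HARD_LIMIT = 5000       # maximum capacity per web ACL
WCU_NO_SURCHARGE_LIMIT = 1500  # above this, extra WCU charges apply


def total_wcu(selected):
    """Sum the WCU of the selected rule groups (by display name)."""
    return sum(MANAGED_RULE_GROUPS[name][1] for name in selected)


def wcu_warnings(selected):
    """Return human-readable warnings about the WCU budget, empty if all is well."""
    wcu = total_wcu(selected)
    warnings = []
    if wcu > WCU_HARD_LIMIT:
        warnings.append(f"{wcu} WCU exceeds the {WCU_HARD_LIMIT} WCU per-ACL limit")
    elif wcu > WCU_NO_SURCHARGE_LIMIT:
        warnings.append(f"{wcu} WCU exceeds {WCU_NO_SURCHARGE_LIMIT} WCU; extra charges apply")
    return warnings


def build_web_acl_request(acl_name, selected, metric_prefix="waf"):
    """Return the keyword arguments for boto3's wafv2.create_web_acl.

    Raises ValueError if the selection cannot fit in one web ACL.
    """
    if total_wcu(selected) > WCU_HARD_LIMIT:
        raise ValueError(wcu_warnings(selected)[0])
    rules = []
    for priority, name in enumerate(selected):   # list order becomes evaluation order
        group_name, _ = MANAGED_RULE_GROUPS[name]
        rules.append({
            "Name": group_name,
            "Priority": priority,
            "Statement": {
                "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}
            },
            # Managed rule groups take OverrideAction, not Action; "None" keeps
            # each rule's own block/count decision instead of overriding it.
            "OverrideAction": {"None": {}},
            "VisibilityConfig": {
                "SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": True,
                "MetricName": f"{metric_prefix}-{group_name}",
            },
        })
    return {
        "Name": acl_name,
        "Scope": "CLOUDFRONT",   # CloudFront web ACLs are created in us-east-1
        "DefaultAction": {"Allow": {}},   # requests not blocked by a rule pass through
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": f"{metric_prefix}-{acl_name}",
        },
    }


# The guide's selection for a Linux host, with and without the PHP rule set.
BASE_SELECTION = [
    "Core rule set",
    "Amazon IP reputation list",
    "Known bad inputs",
    "Linux operating system",
    "SQL database",
]
PHP_SELECTION = BASE_SELECTION + ["PHP application"]

if __name__ == "__main__":
    for label, selection in (("without PHP", BASE_SELECTION), ("with PHP", PHP_SELECTION)):
        print(label, total_wcu(selection), "WCU", wcu_warnings(selection) or "ok")
    request = build_web_acl_request("lightsail-cloudfront-acl", PHP_SELECTION)  # placeholder name
    print(len(request["Rules"]), "rules in", request["Scope"], "scope")
```

The returned dictionary is passed as `boto3.client("wafv2", region_name="us-east-1").create_web_acl(**request)`. Note that for CloudFront the association is not made with the WAF AssociateWebACL call; instead the web ACL's ARN is set as `WebACLId` in the distribution's configuration (what the console does for you when you pick the distribution in the Associated AWS Resources panel).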