What is the benefit of deploying AWS WAF in CloudFront instead of AWS load balancer?
What is the benefit of deploying AWS WAF in CloudFront instead of an AWS load balancer? I've read that CloudFront is able to absorb lots of traffic volume (volumetric DDoS), but at the same time the AWS load balancers can automatically scale up, and I couldn't find any information about limits in terms of connections or packets per second, so the attacker should not be able to saturate the load balancer resources (volumetric DDoS should be automatically absorbed by AWS as well).
Comments (1)
tl;dr - It's a traffic funnel. Get rid of the large amounts of bad traffic with DDoS protection, get rid of more targeted app-specific attacks at the WAF, then LB only the good traffic to the servers at the end.
While they perform completely separate services, they're two parts of a whole for successful app performance.
A load balancer is going to route traffic to n+1 web/application servers for whatever IP/port you specify. But it will route ALL of it; there is some conditional logic in advanced LB systems, but it's not acting as a security device. It's going to send whatever it receives to the servers based on your load balancing method (round robin, least connection...).
Having one or more volumetric security services, like DDoS and anti-fraud/bot protection, and then a WAF allows you to do a negative security posture first (DDoS), filtering bad traffic at volume. The WAF would follow second, doing signature-based and/or application-specific payload inspection to ensure only valid and safe traffic is hitting your apps. This would be a positive security posture similar to an ACL allow-list. DDoS validates for bad traffic and drops it; the WAF would validate against good traffic and allow it through.
This type of funnel of DDoS => WAF => LB does two key things: it drops the largest amount of malicious traffic first, then can do more costly payload inspection second (costly in both price and performance), then load balances legitimate traffic third.
For example, if you usually average 20Gbps of traffic per day and suddenly a DDoS attack hits your public IP at 300Gbps (relatively small), you don't want that traffic coming into your app ingress, charging you for ingress and then ALB LCU hours before being dropped. You're just paying more for the same amount of valid users.
Let's also not forget the performance hit to your application will be very noticeable if it had to go through all that plumbing before being dropped.
This is an over-simplistic answer, I know, but it should answer the immediate question; if you have more follow-up q's let me know.
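The DDoS => WAF => LB funnel from the answer above, written out in Terraform as an added example. This is editor-supplied code, not part of the original post or its author's setup. It assumes an existing ALB (`aws_lb.app`) and its security group (`aws_security_group.alb`); the resource names, the rate limit and the region are illustrative. The third block is the part that turns the funnel into the only path: putting CloudFront and a WAF in front of an ALB only helps if the ALB cannot be reached directly, otherwise anyone who discovers the ALB hostname skips both layers.

```hcl
# Added example, not code from the original post. Resource names, region, the
# ALB (aws_lb.app) and its security group (aws_security_group.alb) are assumed.
provider "aws" {
  region = "us-east-1" # CLOUDFRONT-scoped web ACLs must be created in us-east-1
}

# 1. WAF at the edge: a rate-based rule for request floods, then an AWS
#    managed rule group for generic app-layer attacks (SQLi, XSS, ...).
resource "aws_wafv2_web_acl" "edge" {
  name  = "edge-acl"
  scope = "CLOUDFRONT"
  default_action { allow {} }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000 # requests per 5-minute window, per client IP
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "aws-common-rules"
    priority = 2
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}

# 2. CloudFront in front of the ALB, with the web ACL attached to the distribution.
resource "aws_cloudfront_distribution" "app" {
  enabled    = true
  web_acl_id = aws_wafv2_web_acl.edge.arn

  origin {
    domain_name = aws_lb.app.dns_name
    origin_id   = "alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = true
      headers      = ["*"] # dynamic app traffic: pass everything through
      cookies { forward = "all" }
    }
  }

  restrictions { geo_restriction { restriction_type = "none" } }
  viewer_certificate { cloudfront_default_certificate = true }
}

# 3. Close the side door: only CloudFront's origin-facing IP ranges may
#    reach the ALB, so the funnel cannot be bypassed via the ALB hostname.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group_rule" "alb_from_cloudfront_only" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront.id]
}
```

AWS Shield Standard applies automatically to both CloudFront and the ALB, so the infrastructure-layer DDoS absorption is there either way; the security group rule is what makes the edge WAF the only route into the application. The CloudFront origin-facing prefix list counts as many entries against the rules-per-security-group quota, so check that limit before applying. If the ALB must also accept traffic from somewhere other than CloudFront, the alternative is a secret custom origin header set on the distribution and checked by a second, REGIONAL-scoped web ACL attached to the ALB.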