AWS Web Application Firewall | Control Web Traffic using Web Application Firewall | K21 Academy

Captions
Hey guys, welcome to this session by K21 Academy. In this session we are going to learn about AWS Web Application Firewall, where we will be focusing on how to control web traffic using Web Application Firewall. Now let us take a quick glance at the agenda. Firstly we will be introduced to AWS Web Application Firewall, and then we will be launching two web servers in two different availability zones, and then we will be configuring an application load balancer in front of that, and we will test our application. Post that, we will be creating an IP set, which is nothing but a set of IPs using which we can control and say who can access and all. IP set is not the only way; there are other things as well which we can do, like Web Application Firewall is quite an advanced thing, right? And then we will see how to create a web access control list, which will say what exactly you are controlling, and finally we will be testing the working of Web Application Firewall. So we have taken a clip from one of our certification training programs on AWS Certified Solutions Architect Associate SAA-C02, and in this clip our expert will talk about AWS Web Application Firewall, where we will focus on how to control web traffic using Web Application Firewall.

Hey there, welcome back. This is Atul from team K21 Academy, and in this lesson we are going to look at how to use Web Application Firewall, or WAF, to control the web traffic for some of the services that are pointing to Amazon Web Services, or AWS. So Web Application Firewall is a security tool that is used to protect a couple of services, which I'll explain to you in a minute. But before I tell you what all things, or what index page, as we usually do, what we are going to cover: what does web application firewall mean? I think it will be better to explain this via the diagram. So if you have services like, there are a couple of services like application load balancer, or you have AppSync, or content delivery network CDN, a couple of these services, or API Gateway, you can access these directly, which is fine, but you can also put Web Application Firewall, which is a WAF, in front of these applications so that you can control within that layer, define some rules and say what is allowed, what is not allowed, and you can go to very advanced rules that you can define in AWS. So when users are hitting your application load balancer, or your AppSync, which is content delivery network CDN, or API Gateways, they will first connect to the WAF, and WAF will then allow or deny based on the rule you define, and then we'll let you configure this.

So what we're going to do in this lab is we'll configure web servers and an application load balancer so that these will be used in my WAF. Now, how to configure application load balancer and web servers you should have done in one of the previous labs, and if not I would suggest you do that first, or at least have an understanding. In this lab I'm going to show you again how to create a web server or application load balancer, but I'm not going to go in depth about application load balancer; we covered these load balancers in one of the previous labs. But the focus will be on AWS WAF, and what is IP set and web ACL, I will tell you about that as well. So we'll be defining these for WAF, and then when I'm accessing my load balancer, depending on the rules that I've set, I'll be allowed or disallowed on this here for testing for WAF. So that's what I'm going to do in this particular lab.

So first let's see WAF, a background about Web Application Firewall: it helps to protect your web applications against common web exploits that might affect availability of your application and compromise the security of your application as well. Now, what are the features of the WAF? You can look and read it in there, but you can do a lot of things in here. So as I said, now if I go a little bit further down on what we are doing in this particular lab, this is saying that you can configure WAF with these kinds of resources, like application load balancer, or you can also use it for Amazon API Gateway, which is a gateway for your APIs, application programming interfaces. You can build, or your developers, your applications can have APIs, and those APIs will be front-ended by API Gateway; you can use that. Or AWS AppSync: AppSync provides a robust, scalable GraphQL interface for application developers to combine data from multiple data sources like Amazon DynamoDB, AWS Lambda or other things. And if you don't understand, don't worry about it; assume that this is something related to GraphQL. And then you can also use it for CloudFront distribution. We'll see all these as we come across and I'll let you know about that as well. So that's what we are going to do.

So to see what we are going to do all in this particular lab: first is, as always, introduction; you can read a little bit more about it. The second point is about the documentation link that we have used in order to create this WAF, and where exactly, what all places you can use those things; we have written links into this chapter 2. Chapter 3 is about prerequisites. Now the prerequisite is, it's better if you have done the application load balancer lab before this. I'm going to do it again here, but I'll not go as deep as I went into application load balancer; I'll keep it high level. And why we are doing application load balancer again here is because the WAF that I'm going to put in front, I'm going to do it in front of the application load balancer. So then we're going to do our two instances of web server 1 and web server 2 in two different availability zones, and then I will be configuring application load balancer in front of that, and I'll test my application for this. Then I'm going to create something called an IP set, and IP set is nothing but a set of IPs using which you can control and say who can access or what. Now IP set is not the only way; there are other things as well you can do. So WAF is quite an advanced thing; we are going to use IP set for this. Then we are going to look at creating an ACL, access control list, or web ACL, which is an access control list which will say what exactly you can do or what you're controlling. Now again, as I said earlier, WAF is a little bit more advanced; you can do a lot of other things as well, but for now we are going to keep things simple, and if you want to go deep you can go. From an associate point of view, whatever you're learning about WAF is more than enough here from the certification point of view. So we'll create an access control list and then we'll test that. We're going to first access it directly via application load balancer, and then I'm going to create an access control list which is to deny my IP, and then when I try to access it will be no, I will not be able to access, because it's blocked by this IP list or the WAF, and then I'll open up and then test it, see whether I can access it or not. So once it's done, I'm going to delete or clean up resources. So this is what I'm going to do.

So first thing first is we create two web servers. Again, we have already done these things in the past, so I'm going to keep it short and quick here, and I'll only focus on things that are required here. So we are creating these two web servers. So we'll create an instance, one in my us-east-1, and we'll select EC2, and then in EC2 I'm going to launch an instance of type Linux and then t2.micro, and we are going to put this code; we have done this in the past as well, so let me copy it, saying web server one. So I'm on the AWS console and we'll go to EC2. Now we've done this exercise a number of times, so it should be fairly easy, and as I said earlier, if you have not done it, maybe go for application load balancer first. So we'll say launch an instance, select type Linux, Amazon Linux, select t2.micro, and then we will put it in availability zone 1a. Maybe we have the public IP already enabled, and under user data here we will see that we're installing as root, and again, as I said, I've already done this exercise, so I'm creating an HTTP server, installing HTTP server in this. Click on add storage; we'll leave it to the default 8 GB, and we add a tag called Name and say server 1. Security group: we'll add port number 22, and we'll also add port number 80 from the internet, which is the HTTP port. Click on review and launch and say launch it. Key pairs I already have, so I'll say select an existing key pair and click on launch instance.

While it's launching I'll create one more instance, so say launch instance one more. We select t2.micro; this time I'm going to do it on availability zone 2, so 1b. We'll say IP address is assigned, and my user data this time I'm going to select for my second page, so this is web server 02. And say add storage 8 GB, add tags, Name is server 02 or server 2. Next, launch, security group, and we'll be selecting the existing group, so I just need to figure out which security group I gave earlier. So I gave our security group name as launch-wizard-10, so I should be using the same security group, which is launch-wizard-10. So I'll go back to launch instance, select t2.micro, here 1b, select under optional these parameters, add storage, click on add tags, tag is Name is equal to server 2, security group I'll say select an existing one, and I selected the existing one, 10, so launch-wizard-10; this is the one which was their security group. If you want, you could remember the name next time; you remember these names. Click on review and launch and say launch, and you should already have the key pair.

Now while it's launching, I'll go back to the instances and see whether you can access both the pages or not. So I'll go to the first instance, server one, collect the public IP, and then you open the browser, http and then colon forward slash forward slash, and then hit enter, and this is coming: web server one. Now we are going to do the second one, so I'll go to the second instance, I'll copy the IP address of this, type http, and we did this exercise again in the load balancer lab when we were doing web server two.

Now I'm ready to define a load balancer, so I'll scroll down here, or let's look at the documentation. So now we are going to go to the load balancer and we'll say create a load balancer, and we type HTTP type load balancer, and we'll say my application load balancer, IPv4, and will select my two availability zones a and b, and then we'll pick up, we'll define a listener, and in that listener we will configure route tables, or sorry, the routing. We'll select a new routing, Linux instance ALB security group, and we'll allow port number 18 20 20 22 from the internet, and then we'll say allow the instances, Linux instances, and we've done these two, so we'll be adding our two instances that are running, and we'll create the load balancer, and it will test that I can access from the load balancer. So I'll go to the load balancers, click on create a load balancer, I'll type HTTP load balancer, we'll name the load balancer maybe my-alb. My-alb will select internet facing, IPv4, listening on port number 80, and we'll pick a and b availability zones, and then click on next, configure security group. It's saying load balancer is not using any secure listener; we are okay. Click on next and you say create a new security group, and I think that's what we are doing up here? No, so we are not creating a new security group; we are actually using an existing security group that we did, which was, in my case it was 10, so Linux security group was 10, launch-wizard-10. And I think if you follow the guide, if you hit any problem, follow the guide; that guide will explain to you the exact steps or which security group this is, so that my ports are allowed. So say configure routing, and here my target group, and we'll say target group as Linux instances, and my protocol, as these instances are listening, HTTP, and port number 80. Click on register targets and we will be selecting these two targets and say add to registered. So you see these are the two registered targets, two servers which are listening. Click on next, review, and click on create, and click on close. And then you should be able to refresh them and state should be provisioning, and we'll wait for them to be provisioned. So we'll wait, and what I'm going to do is, once these are ready, my state should be active, and once it's active I'll be looking up the DNS name record here, and then I'll try to access the web servers; I should be able to access my load balancer from this URL. So this is my DNS name. I'll copy this and type http and then type this URL. This URL will not work yet because we are still configuring it, so this EC2 is still provisioning, and once it's provisioned then we will come to know. So let's refresh it. My load balancer is now fully active, so I'm going to go and check my DNS name here, and then open a new tab and type http, and this again exercise we already did in the past, so hit the load balancer, and now it's coming from web server one. You click on refresh here and you should be getting from web server 2, and like that. So basically my load balancer is working fine.

Now I'm all set to create my WAF. So WAF will have two things; it can have much more complex things, so I'm going to create two things, simple, make it simple so that you understand and don't overwhelm yourself, and then if you want, if you're using WAF in a project, you can go a little bit more advanced. But from a certification point of view, or to give you an idea about Web Application Firewall, we try to keep things simple. So we'll be first creating an IP set, which is nothing but a set of IP addresses; you can have an IP address, and for that we will be going to my WAF and then I'll define an IP set, and IP set will be my IP from which I'm accessing these URLs. I can check, I'll tell you what is my IP. If you have to check what is your IP, or public IP, that AWS or my application load balancer is seeing, I can go here and it tells me what is my IP address or public IP, which is, when I hit any other computer on the internet, this is what my IP is being seen as here. So this is my IPv6, and I'm more interested in IPv4, so this is my IPv4, which is 81.130.234.234 two. This is the IP address, IPv4, so that I'll be using later. So I'll be defining this IP set, and then later I'm going to use this IP set that I've created in my access control list.

So let's go to the AWS console and create an IP set. So this is my EC2 instance, sorry, not EC2, this is my load balancer, and I'll search for WAF, and this is my WAF and Shield. I'll explain to you: Shield is nothing but DDoS, distributed denial of service attack. So we'll click on this first to see. Now within WAF and Shield you have three parts: one is AWS WAF, and there is AWS Firewall Manager; we have not covered Firewall Manager. But there is another component called AWS Shield, which provides you distributed denial of service attack, DDoS, it protects you against DDoS for your applications, which is distributed denial of service attack. So I'll not go into there. We go back and say we look at WAF, and this is where you see multiple things on WAF. So you can define access control lists, IP sets, and you can go a little bit more advanced with regex pattern sets or rule groups, which you can use when you're defining an access control list. The access control list will be using my IP set or these rule groups or regular expressions, and the ACL is actually where I'm saying what to protect and how to protect. So first, IP set is the way to protect. So we'll say create an IP set. So we first say my IP set, so we'll put it my IP set and then name, any name, my IP set, whatever IP set, and you define this IP set in a specific region, and my IP address, so I paste this, this will be whatever I picked up, plus, and then it should always be in CIDR format, so it's /32. 32 is that specific IP; you can pick a range of IP addresses. Again, what is that CIDR we covered when we looked at, or maybe I think it's in the next module; it's going to cover what is CIDR when we look at the VPC, virtual private cloud. Or it's already been; I don't remember in which module we did VPC, but in VPC I've given a brief overview about CIDR. Now /32 means that's just one IP, which is this IP, and say create the IP set, and my IP set is successfully created here.

Now I'm ready to create my access control list, and then access control list will control or give you fine-grained control over the WAF to say what you want to protect. You can protect CloudFront, which is my content delivery network; you can protect API Gateway, which is my gateway or interface for my APIs, where all my APIs are hosted, application programming interfaces; and then application load balancer, we saw; you can also use it for AWS AppSync, which is the GraphQL which we saw, used by developers. So if you want to know more about what is AppSync or API Gateway or CloudFront, I should have the documentation under the documentation section. So here we can control and say what to allow or block. So we'll go to web ACL and say create web ACL. Let me make it slightly bigger, and then we put the name ACL, my web ACL, and we'll say that the ACL is to block my IP, so I'll be restricting the access on my URL. So let me go to the ACL and show it there. So here I'll select web ACL, and by default there's nothing, so I'll say create web ACL. And by the way, this WAF has changed; earlier it used to be classic Web Application Firewall; the new WAF has come with more advanced things and a more mature product, so we'll be using the new WAF. So we click on create access control list, and here you specify the name of the access control list, so we'll say my ACL, and then you use a meaningful name, so this is the description, to say block my public IP. So we are saying block access, and you will also be defining CloudWatch metrics, and what is CloudWatch, I think if you have not covered it, it's going to be covered; it's for the monitoring part. Now this is where you say what kind of resource type you want to protect: is it a CloudFront distribution, and CloudFront distribution is a content delivery network, CDN distribution, which takes from where your content should be delivered, or you can use the regional resources, which is like application load balancer, API Gateway or AWS AppSync. We want to use it with application load balancer, so we'll select this, and now it's saying where this ACL will reside; this ACL will reside in us-east. And now we need to look at the associated resources, what all AWS resources we want to do, so we'll say add AWS resources and we specify application load balancer here, and because we've already created a load balancer, this load balancer is visible here, so we'll select this load balancer and click on add. So we are protecting, we are associating this rule, or my web access control, with this particular resource. Click on next, and this is interesting; this can become a little bit more complex; that is where we are trying to keep things simple. And we'll see that you can add a rule, so we are saying add a rule, and then you can say add a managed rule group, which is the rule group we earlier saw, or add my own. So these are the rule groups that are managed by AWS; this is my own rule and rule group. We're going to keep things simple, so we'll say add my own rule, and then we will say rule name. So this is where we'll select what you are typing, the rule type: is it an IP set, or you can build with rule builder, or rule group; these can go a little bit more complex. We're saying IP set; we are going to use IP set here, and then we'll specify the name of this, so maybe say my name is my web ACL rule, and then IP set is the IP set that we created earlier, which is my IP set. Now you can identify IP based on IP address in a header or IP address in source IP address. What happens is when a request, HTTP request, comes to the load balancer or any app, HTTP, they also have IP addresses defined in a header, or IP addresses, actual source IP address. So we want to do it based on source IP address, and action: what you want to do, you want to allow, block or count, and we want to block it so that we can feel, or we can test it, and say add rule. So once we have blocked it, we have added a rule now.

And then let's go to the next point, and this is where, in this, next is add rule, and this is very powerful as well. So see if there is any request that doesn't match, what to do: should I allow or block? So means if the request IP is something else, should we allow that or deny that? So be very careful. For remaining IPs we want to allow; it's only my IP that you want to block. So this is for if you have a rogue IP that you want to block, or you want to say I want to allow only from specific IPs; you can control all those things here. So we say, for remaining, if the ACL doesn't match any other, so if the request is coming from any other IP, like your IP, you are accessing, but my IP is blocked, we'll say allow. Click on next, and then the rule priority: again, if you have multiple rules you can define the rule priority and you can move rules; in my case I have the default one rule only. Click on next, and you can leave the default one as well here; we are defining the metrics here. Click on next, and then you go and click on create web ACL, and this now will create the ACL.

So now once we have created this rule, now it's time to test whether this is working, whether WAF is working fine or not. So I'll go back to the load balancer and try to access the same URL again. So this is my WAF; this rule is already created successfully, which says ACL to block my IP address, and let me go now to my ALB and pick up the load balancer URL again. I think I accidentally closed it, so I'll go back to the application load balancer, under here load balancers, you get your DNS name, copy it from here, open a new tab, paste it and type http in front of this, and colon and forward slash forward slash, hit enter, and now you get 403 Forbidden, which means you're not allowed to this. 403 means not allowed; you should be getting a page here. So to check back again that this is the issue, or my WAF is causing this, we will go back to WAF again and this time I'm going to delete the rule, and I should be then able to access again. So I go back to WAF and in that I'm going to do web ACL, select that web ACL and say delete and type the word delete and click on delete. It's saying WAF couldn't, because your resource is being used by another resource, or it's associated with another resource. So instead of deleting this ACL, I'll go to my IP set, and from my IP set I'm going to delete this IP and say I don't want to use this, block this IP. Are you sure you want to delete the following IP? I say type confirm, type delete, so type the word delete here and click on delete. Now if I try to refresh this page here, and let me see, maybe it will take a few seconds: updated, update IP set success. And let me check the document as well; I've deleted the IP address. Ah, it's been deleted, okay. So we need to wait for a few minutes and refresh the page. So wait for this to be refreshed, and if it doesn't happen you need to, I think there is a little bit of delay on the AWS side for this IP to be picked up. So let me remove this from here, hit enter; it's still forbidden. Let me double check, so these IPs are gone. I go to web ACL and my web ACL, okay, so sample requests, okay, these are the rules defined inside, so my web ACL which is saying block, and if I see, just want to verify that my rule is IP set and source IP address, it's still block. So we'll refresh it here. Now if I see, I started getting a response back from web server 1 and server 2 and like that, and if I add my IP I can now control and say allow, disallow; I can say block everything and only allow from these IPs. That's very powerful; you can restrict and control all that. That's a Web Application Firewall.

Now once you've done this, make sure you take a screenshot of these two before you delete. Go back here under WAF and take a screenshot of IP set and ACL, and say you've created IP set and ACL, and then once that's done you're ready to delete these. So in order to delete this, or clean up, we'll delete the load balancer, we'll go and delete the target groups, and we'll be deleting the instances. So let me go one by one, and then we'll be deleting the IP set as well. So we'll select first here the IP list, and probably it may not allow me; let's see that, because I have to first, it's in use. So click on delete; it's in WAF because it's being used. So we'll go to web ACL, under web ACL we'll go to rules, and then my web ACL, and say delete this rule. And I think, my documentation would have been, if I would have looked into the documentation I would have been much better. So I've deleted this rule, and now I'll try to delete the whole ACL itself, so basically say delete, let's see, type the word delete, click on delete. It's still used by another resource, so let me see the IP set. I should have looked at the document. Let's see if I can delete the IP set, and say delete, so our IP set is gone. And now I'll see if I can delete my web ACL; still not there, so I'll check and come back on the documentation; I should have looked into the documentation. So delete ACL, web ACL, and say delete and type the word delete. I'm not sure why it's not letting me, so maybe I'll refresh this page again a little bit. Seems to be quite straightforward, so select and then delete and type the word delete; maybe I was trying to rush. And WAF couldn't perform the operation because the resource is being used by another resource, and it's associated with another resource, so maybe it's used somewhere. But don't worry, you will not be charged for this ACL anyway, and I'll figure it out and we'll update this in the documentation as well once I figure it out. But I'm going to go to my load balancer, so I'll go to EC2 and delete my load balancers before we get a big charge. So we'll go to our target groups and select these instances and say actions, delete, and say yes delete. Again, it's in use by a listener, so I should first go and delete the listener. So I'll go to load balancers and select the load balancer, actions, and say delete, and say yes, delete my load balancer. Now I'll go to the target groups, actions, and say delete, and say yes delete, and then I need to go to my EC2 instances and terminate both the instances that we have created, so say instance state and say terminate and click on terminate. So I've removed my instances, I've removed my load balancer, I've removed the backend servers. Let me see if I can do WAF one more time and let me delete my WAF, so click on WAF and then select ACL and say delete and type the word delete, and now I've successfully deleted. So maybe it was caching that? Oh yes, sorry, I got the point now: because in my ACL I said that I have a load balancer, and that's why, because the load balancer was blocking this, and since I deleted the load balancer my ACL is now gone. So with that, that completes this lab of configuring Web Application Firewall.

With that, this is Atul from team K21 Academy. Thanks for watching this, and I hope by now you've started to get a feel of how easy it is in AWS to configure things, and I hope you have now started getting confidence. So we have put down everything about the certification, including the basic concepts that one should know, everything like introduction to AWS, security management, AWS object storage options, designing computing environment, networking and monitoring services, leverage Route 53 for hosting zones, database server and analytics, application and messaging services, configuration management and automation, architecting on AWS one and architecting on AWS two. So in this training we take you from basic to advanced level along with the tips and resources for clearing the certification exam. We also have a separate team working for CV preparation and on-job support. So if you want to become an AWS Certified Solutions Architect Associate and want to learn right from basics to expert level, then we have a comprehensive step-by-step training for you that includes hands-on labs, including the exam preparation, and the most important part, one year on-job support. So if you are interested in this program, I would highly recommend you to attend the free class, which covers most of the topics like why and who should learn AWS, cloud service deployment models and AWS services, demo on creating an S3 bucket and making data available to the entire world, and many other topics. So if you are interested in this free class, you can visit k21academy.com aws sa02.
Info
Channel: K21Academy
Views: 1,464
Rating: 5 out of 5
Keywords: waf, wafv2, aws waf, amazon waf, aws web application firewall, amazon cloudfront, waf components, web acls, waf rules, what is aws waf, what is waf, what does waf do, web application firewall, amazon aws waf, amazon aws firewall, overview of AWS WAF, aws waf bad bots, aws waf bot control and how it works, what is aws firewall manager, what is web application firewall, web application firewall tutorial, aws waf tutorial, amazon web services, amazon aws security
Id: XllFl5feZfE
Length: 32min 59sec (1979 seconds)
Published: Mon May 10 2021