aws-wafwebacl-alb - AWS Solutions Constructs
OverviewPattern Construct PropsPattern PropertiesDefault settingsArchitectureGithub

aws-wafwebacl-alb

Stability:Stable
Reference Documentation: https://docs.aws.amazon.com/solutions/latest/constructs/
Language Package

Python Logo Python

aws_solutions_constructs.aws_wafwebacl_alb

Typescript Logo Typescript

@aws-solutions-constructs/aws-wafwebacl-alb

Java Logo Java

software.amazon.awsconstructs.services.wafwebaclalb

Overview

This AWS Solutions Construct implements an AWS WAF web ACL connected to an Application Load Balancer.

Here is a minimal deployable pattern definition:

Example
Typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { WafwebaclToAlbProps, WafwebaclToAlb } from "@aws-solutions-constructs/aws-wafwebacl-alb";

// Use an existing ALB, such as one created by Route53toAlb or AlbToLambda
const existingLoadBalancer = previouslyCreatedLoadBalancer


// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, 'id', {env: {account: '123456789012', region: 'us-east-1' }});
//
// This construct can only be attached to a configured Application Load Balancer.
new WafwebaclToAlb(this, 'test-wafwebacl-alb', {
    existingLoadBalancerObj: existingLoadBalancer
});
Python
from aws_solutions_constructs.aws_route53_alb import Route53ToAlb
from aws_solutions_constructs.aws_wafwebacl_alb import WafwebaclToAlbProps, WafwebaclToAlb
from aws_cdk import (
    aws_route53 as route53,
    Stack
)
from constructs import Construct

# Use an existing ALB, such as one created by Route53toAlb or AlbToLambda
existingLoadBalancer = previouslyCreatedLoadBalancer

# Note - all alb constructs turn on ELB logging by default, so require that an environment including account
# and region be provided when creating the stack
#
# MyStack(app, 'id', env=cdk.Environment(account='123456789012', region='us-east-1'))
#
# This construct can only be attached to a configured Application Load Balancer.
WafwebaclToAlb(self, 'test_wafwebacl_alb',
                existing_load_balancer_obj=existingLoadBalancer
                )
Java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.route53.*;
import software.amazon.awsconstructs.services.wafwebaclalb.*;

// Use an existing ALB, such as one created by Route53toAlb or AlbToLambda
final existingLoadBalancer = previouslyCreatedLoadBalancer

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, "id", StackProps.builder()
//         .env(Environment.builder()
//                 .account("123456789012")
//                 .region("us-east-1")
//                 .build());
//
// This construct can only be attached to a configured Application Load Balancer.
new WafwebaclToAlb(this, "test-wafwebacl-alb", new WafwebaclToAlbProps.Builder()
        .existingLoadBalancerObj(existingLoadBalancer)
        .build());

Pattern Construct Props

Name Type Description

existingLoadBalancerObj

elbv2.ApplicationLoadBalancer

The existing Application Load Balancer Object that will be protected with the WAF web ACL. Note that a WAF web ACL can only be added to a configured Application Load Balancer, so this construct only accepts an existing ApplicationLoadBalancer and does not accept applicationLoadBalancerProps.

existingWebaclObj?

waf.CfnWebACL

Optional - existing instance of a WAF web ACL, providing both this and webaclProps causes an error.

webaclProps?

waf.CfnWebACLProps

Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. Use our wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number) function from core to create an array entry from each desired managed rule set.

Pattern Properties

Name Type Description

webacl

waf.CfnWebACL

Returns an instance of the waf.CfnWebACL created by the construct.

loadBalancer

elbv2.ApplicationLoadBalancer

Returns an instance of the Application Load Balancer Object created by the pattern.

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

AWS WAF

  • Deploy a WAF web ACL with 7 AWS managed rule groups.

    • AWSManagedRulesBotControlRuleSet

    • AWSManagedRulesKnownBadInputsRuleSet

    • AWSManagedRulesCommonRuleSet

    • AWSManagedRulesAnonymousIpList

    • AWSManagedRulesAmazonIpReputationList

    • AWSManagedRulesAdminProtectionRuleSet

    • AWSManagedRulesSQLiRuleSet

      Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps

  • Send metrics to Amazon CloudWatch

Application Load Balancer

  • User provided Application Load Balancer object is used as-is

Architecture

Diagram showing the WAF ACL, Application Load Balancer, CloudWatch log group and IAM role created by the construct

Github

Go to the Github repo for this pattern to view the code, read/create issues and pull requests and more.