Table of Contents
- 1. Introduction
- 2. How to associate new web ACLs to ALB
- 3. How to associate existing web ACLs to ALB
- 4. Disassociating Web ACLs
- 5. Using with WafCharm
- 6. Conclusion
1. Introduction
You can now create and apply web ACLs to ALB in the ALB console as of February 6th, 2024.
A similar feature was released for CloudFront distributions last year, and now the same feature is available for the ALB as well.
AWS Application Load Balancer announces one-click WAF integrations
2. How to associate new web ACLs to ALB
When you open the page to create an ALB, you can see an [AWS Web Application Firewall (WAF)] section below [Optimize with service integrations].
Click on the [Include WAF security protections behind the load balancer] checkbox to create a new web ACL or associate an existing web ACL. If you want to create a new web ACL, keep the [Auto-create pre-defined web ACL] option selected.
The "Rule Action" section allows you to choose the rule action between Block/Count for AWS managed rules that are applied automataically.
If you choose Block here, rules are applied with action Block, so any requests that match the rules will be immediately blocked. If you want to see how the rules behave, choose Count.
You will see a message that says that the association process of ALB and web ACL may take 2-3 minutes after you've selected everything in the configuration. Be mindful since the association process could fail if you close or leave the page before completion, as stated in the message.
Once the ALB and web ACL creation are completed, you can see a link to the web ACL under the [AWS Web Application Firewall (WAF)] section in the Integration tab.
If, for some reason, the association process fails, you can retry by clicking the [Retry association] button in the Integration tab. In addition, the web ACL itself seems to be created in the early stage of the process, so you could manually associate your resources from the AWS WAF console.
The web ACL page opens when you click on the web ACL name. The rules applied to the web ACL are the three rules from AWS managed rules listed below. For more details on the rules, please refer to the linked AWS documents.
- Amazon IP reputation list managed rule group
- Core rule set (CRS) managed rule group
- Known bad inputs managed rule group
If you've selected Count for the rule action when creating a web ACL, actions will be registered as [Override rule group action to count].
When you are satisfied with your proof of concept and want to change the rule action to Block, select the rule group, click the Edit button, and remove the override.
3. How to associate existing web ACLs to ALB
You can also select an existing web ACL if you already have one.
Click the drop-down menu under [Web ACL] and select one of the existing web ACLs.
You can associate multiple resources to your web ACL, so the previous associations will not be deleted even if you select the existing web ACL. Instead, there will be multiple resources associated to the web ACL below the [Associated AWS resources] section.
Associating an existing web ACL does not automatically add AWS managed rules to your web ACL.
4. Disassociating Web ACLs
Unlike CloudFront distributions, the ALB console does not allow you to disassociate web ACLs.
If you want to change the associated web ACL, you must use the [Associated AWS resources] section in the AWS WAF console.
5. Using with WafCharm
As for WafCharm, you can use both methods to create/attach web ACLs: creating a new web ACL from the ALB console or creating a web ACL first and attach later.
If you choose the first method, creating a new web ACL in the ALB console, managed rules provided by AWS will be automatically added as stated above, so WafCharm rules will be added to the web ACL on top of the AWS managed rules.
WafCharm rules can be applied because the WCU capacity is 5,000, but the used WCU may exceed 1,500. AWS WAF charges additional fees based on the number of requests if more than 1,500 WCUs are used, so if you want to keep the used WCUs within the 1,500 limitations, please delete the AWS managed rules first and then configure to apply WafCharm rules.
*As of February 2024, WafCharm rules will use 1,100 WCUs for rule application. However, AWS WAF may reduce the number of used WCUs for shared resources. WafCharm will need 1,100 WCUs for the application process, but the number of used WCUs may decrease a little bit when the rules are fully applied.
If you are going to create a web ACL first and then attach it to ALB, managed rules provided by AWS will not be applied to the web ACL and you don't have to worry about something like the above affecting your web ACL. You can also choose to add WafCharm rules first and then attach the web ACL to the ALB or vice versa.
6. Conclusion
Following last year's CloudFront console update, you can now create and associate a web ACL to ALB during the ALB creation process.
However, web ACL names are automatically assigned in both cases, so you may want to consider using the AWS WAF console in some cases if you want to use easily identifiable names.