Network & Infrastructure Security
WAF, DDoS Protection & Edge Security
Web Application Firewalls (WAF) and DDoS protection services defend against application-layer (HTTP) attacks that network-layer controls such as security groups cannot inspect or block. These edge security services are essential for internet-facing applications.
Web Application Firewall (WAF)
WAF Capabilities
| Feature | Purpose | Example Rules |
|---|---|---|
| SQL injection protection | Block SQLi attempts | ' OR 1=1, UNION SELECT |
| XSS protection | Block script injection | <script>, event handlers |
| Rate limiting | Prevent brute force | 100 requests/minute |
| Geo-blocking | Regional restrictions | Block specific countries |
| Bot detection | Filter automated attacks | Known bot signatures |
| Custom rules | Application-specific | Block specific patterns |
AWS WAF
```hcl
# Terraform - AWS WAF with managed rules
resource "aws_wafv2_web_acl" "main" {
  name        = "production-waf"
  description = "Production WAF ACL"
  # REGIONAL attaches to ALB / API Gateway / AppSync.
  # A web ACL for CloudFront must use scope = "CLOUDFRONT" and live in us-east-1.
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # AWS Managed Rules - Core Rule Set
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    # none {} keeps the rule group's own actions (block); use count {} to observe first
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSetMetric"
      sampled_requests_enabled   = true
    }
  }

  # AWS Managed Rules - SQL Injection
  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "SQLiRuleSetMetric"
      sampled_requests_enabled   = true
    }
  }

  # Rate limiting rule
  rule {
    name     = "RateLimitRule"
    priority = 3

    action {
      block {}
    }

    statement {
      rate_based_statement {
        # Requests per source IP over the rule's 5-minute evaluation window
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitMetric"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ProductionWAF"
    sampled_requests_enabled   = true
  }
}
```
Azure WAF
```bash
# Create WAF policy
az network application-gateway waf-policy create \
  --name myWAFPolicy \
  --resource-group myRG

# Enable OWASP managed rules
az network application-gateway waf-policy managed-rule-set add \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --type OWASP \
  --version 3.2

# Add custom rate limiting (100 requests per client per minute)
az network application-gateway waf-policy custom-rule create \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name RateLimitRule \
  --priority 1 \
  --rule-type RateLimitRule \
  --action Block \
  --rate-limit-threshold 100 \
  --rate-limit-duration OneMin

# A custom rule only takes effect once it has at least one match condition,
# added with: az network application-gateway waf-policy custom-rule match-condition add
```
GCP Cloud Armor
```bash
# Create security policy
gcloud compute security-policies create my-policy \
  --description="Production WAF policy"

# Add OWASP rules (preconfigured Cloud Armor expressions)
gcloud compute security-policies rules create 1000 \
  --security-policy=my-policy \
  --expression="evaluatePreconfiguredExpr('xss-stable')" \
  --action=deny-403

gcloud compute security-policies rules create 1001 \
  --security-policy=my-policy \
  --expression="evaluatePreconfiguredExpr('sqli-stable')" \
  --action=deny-403

# Add rate limiting: more than 100 requests per source IP in 60 s bans that IP for 10 min
gcloud compute security-policies rules create 1002 \
  --security-policy=my-policy \
  --expression="true" \
  --action=rate-based-ban \
  --rate-limit-threshold-count=100 \
  --rate-limit-threshold-interval-sec=60 \
  --ban-duration-sec=600 \
  --conform-action=allow \
  --exceed-action=deny-429
```
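All three providers' rate-limiting rules above share one model: count requests per client IP over an interval and, once a client exceeds the threshold, reject its requests (Cloud Armor additionally bans the key for a fixed period). The simulator below is an added example, not code from the page or from any cloud provider, and is useful for reasoning about what a threshold and ban duration mean for real traffic before turning the rule on. The parameter names mirror the gcloud flags; the sliding-window counting it uses is an assumption about semantics, not a description of any provider's internals, and the traffic is constructed.

```python
"""Simulate a per-client-IP rate-based ban (added example, not provider code)."""
from collections import defaultdict, deque


class RateBasedBan:
    def __init__(self, threshold_count=100, interval_sec=60, ban_duration_sec=600):
        self.threshold_count = threshold_count
        self.interval_sec = interval_sec
        self.ban_duration_sec = ban_duration_sec
        self._windows = defaultdict(deque)  # client IP -> request times inside the window
        self._banned_until = {}             # client IP -> time at which its ban ends

    def check(self, client_ip, now):
        """Return 'allow' or 'deny' for one request from client_ip at time now (seconds)."""
        ban_end = self._banned_until.get(client_ip)
        if ban_end is not None:
            if now < ban_end:
                return "deny"                     # still inside the ban period
            del self._banned_until[client_ip]     # ban expired: start counting afresh
            self._windows[client_ip].clear()

        window = self._windows[client_ip]
        while window and now - window[0] >= self.interval_sec:
            window.popleft()                      # drop requests older than the interval
        window.append(now)

        if len(window) > self.threshold_count:
            # Threshold exceeded within the interval: ban the key (assumed semantics).
            self._banned_until[client_ip] = now + self.ban_duration_sec
            return "deny"
        return "allow"


def simulate(requests, limiter=None):
    """Run (time, client_ip) pairs through the limiter; return {ip: {'allow': n, 'deny': n}}."""
    limiter = limiter or RateBasedBan()
    verdicts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for now, client_ip in sorted(requests):
        verdicts[client_ip][limiter.check(client_ip, now)] += 1
    return dict(verdicts)


# Constructed traffic: one client bursts 120 requests in 6 seconds, another
# sends 10 requests spread over a minute.
BURST_CLIENT = "203.0.113.10"
QUIET_CLIENT = "198.51.100.5"
SAMPLE_TRAFFIC = [(i / 20, BURST_CLIENT) for i in range(120)] + \
                 [(i * 6.0, QUIET_CLIENT) for i in range(10)]

if __name__ == "__main__":
    for ip, counts in simulate(SAMPLE_TRAFFIC).items():
        print(f"{ip}: {counts}")
```

With the page's Cloud Armor values (100 per 60 s, 600 s ban) the bursting client gets its first 100 requests through and every later one denied until the ban expires, while the quiet client is untouched; changing the window or threshold in `RateBasedBan(...)` shows how much slack a legitimate but busy client gets.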
DDoS Protection
Cloud Provider DDoS Services
| Provider | Basic (Free) | Advanced (Paid) |
|---|---|---|
| AWS | Shield Standard | Shield Advanced ($3,000/mo) |
| Azure | DDoS Protection Basic | DDoS Protection Standard |
| GCP | Always-on protection | Cloud Armor Managed Protection |
AWS Shield Advanced
```hcl
# Terraform - Enable Shield Advanced on each internet-facing resource
resource "aws_shield_protection" "alb" {
  name         = "alb-protection"
  resource_arn = aws_lb.main.arn
}

resource "aws_shield_protection" "cloudfront" {
  name         = "cloudfront-protection"
  resource_arn = aws_cloudfront_distribution.main.arn
}
```
Azure DDoS Protection
```bash
# Create DDoS protection plan
az network ddos-protection create \
  --name myDDoSPlan \
  --resource-group myRG

# Associate with VNet
az network vnet update \
  --name myVNet \
  --resource-group myRG \
  --ddos-protection true \
  --ddos-protection-plan myDDoSPlan
```
Edge Security Architecture
CDN Security Benefits
```text
User → CDN Edge (WAF + DDoS) → Origin Server
```
- Attack traffic absorbed at the edge
- Origin IP hidden
- SSL/TLS termination
- Caching reduces origin load
CloudFront with WAF
```hcl
resource "aws_cloudfront_distribution" "main" {
  enabled = true

  origin {
    domain_name = aws_lb.main.dns_name
    origin_id   = "alb-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # The referenced web ACL must be created with scope = "CLOUDFRONT" (in us-east-1);
  # a REGIONAL web ACL cannot be attached to a distribution.
  web_acl_id = aws_wafv2_web_acl.main.arn

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "alb-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = true
      cookies {
        forward = "all"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "blacklist"
      locations        = ["CN", "RU"] # Example geo-blocking
    }
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.main.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```
WAF Best Practices
| Practice | Implementation |
|---|---|
| Start in count mode | Monitor before blocking |
| Use managed rules | OWASP, vendor-specific |
| Regular rule updates | Subscribe to security bulletins |
| Custom rules for app | Application-specific patterns |
| Log all requests | Enable full request logging |
| Alert on anomalies | Set up CloudWatch/Azure Monitor alerts |
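"Start in count mode" and "Log all requests" only pay off if someone reads the logs and decides which counted rules are safe to promote to block. The script below is an added example, not code from the page or from AWS: it parses JSON web ACL log records in the shape AWS WAF writes (`action`, `terminatingRuleId`, `ruleGroupList[].nonTerminatingMatchingRules[]`, `nonTerminatingMatchingRules[]`, `httpRequest.clientIp` / `uri`) and tallies, per rule, how many requests it counted or blocked, from how many distinct client IPs and on which URIs. A rule that counts many distinct clients on one ordinary endpoint is a false-positive candidate to scope down; one that counts a handful of clients sending injection-shaped requests is a candidate to switch to block. The sample records are constructed and carry only the fields the script reads.

```python
"""Triage AWS WAF web ACL logs for rules running in count mode (added example)."""
import json
from collections import Counter, defaultdict


def _record(action, terminating_rule, client_ip, uri, group_matches=(), top_matches=()):
    """Build one constructed log record in the WAF log shape (sample data helper only)."""
    return json.dumps({
        "timestamp": 1700000000000,
        "action": action,
        "terminatingRuleId": terminating_rule,
        "ruleGroupList": [
            {"ruleGroupId": group,
             "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in rules]}
            for group, rules in group_matches
        ],
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in top_matches],
        "httpRequest": {"clientIp": client_ip, "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample log lines (one JSON record per line, as WAF logging emits them).
SAMPLE_LOG_LINES = [
    # Injection-shaped request counted by the managed SQLi rule group.
    _record("ALLOW", "Default_Action", "203.0.113.7", "/search",
            group_matches=[("AWS#AWSManagedRulesSQLiRuleSet", ["SQLi_QUERYARGUMENTS"])]),
    # Two ordinary clients counted by the body-size rule on the same upload path.
    _record("ALLOW", "Default_Action", "198.51.100.20", "/api/report",
            group_matches=[("AWS#AWSManagedRulesCommonRuleSet", ["SizeRestrictions_BODY"])]),
    _record("ALLOW", "Default_Action", "198.51.100.21", "/api/report",
            group_matches=[("AWS#AWSManagedRulesCommonRuleSet", ["SizeRestrictions_BODY"])]),
    # Request blocked outright by the web ACL's own rate-limit rule.
    _record("BLOCK", "RateLimitRule", "203.0.113.7", "/login"),
    # Clean request: nothing matched.
    _record("ALLOW", "Default_Action", "192.0.2.44", "/"),
]


def rule_hits(record):
    """Yield (rule_id, 'BLOCK' | 'COUNT') for every rule a record touched."""
    if record.get("action") == "BLOCK":
        yield record["terminatingRuleId"], "BLOCK"
    for group in record.get("ruleGroupList") or []:
        for match in group.get("nonTerminatingMatchingRules") or []:
            yield match["ruleId"], match.get("action", "COUNT")
    for match in record.get("nonTerminatingMatchingRules") or []:
        yield match["ruleId"], match.get("action", "COUNT")


def triage(log_lines):
    """Return {rule_id: {'count': n, 'blocked': n, 'client_ips': [...], 'uris': Counter}}."""
    stats = defaultdict(lambda: {"count": 0, "blocked": 0, "client_ips": set(), "uris": Counter()})
    for line in log_lines:
        if not line.strip():
            continue                      # tolerate blank lines in exported log files
        record = json.loads(line)
        request = record.get("httpRequest", {})
        for rule_id, outcome in rule_hits(record):
            entry = stats[rule_id]
            entry["blocked" if outcome == "BLOCK" else "count"] += 1
            entry["client_ips"].add(request.get("clientIp", "?"))
            entry["uris"][request.get("uri", "?")] += 1
    # Sets are unordered; return sorted lists so reports are stable.
    return {rule: {**e, "client_ips": sorted(e["client_ips"])} for rule, e in stats.items()}


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG_LINES).items():
        print(f"{rule}: counted={entry['count']} blocked={entry['blocked']} "
              f"distinct_ips={len(entry['client_ips'])} top_uri={entry['uris'].most_common(1)}")
```

Run against a real export (one JSON record per line, for example from the Kinesis Data Firehose or S3 destination configured for WAF logging), the per-rule client and URI breakdown is the evidence to attach when flipping a rule from `count {}` to `none {}` in the Terraform above, or when adding a scope-down statement for a path that a managed rule keeps tripping on.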
Next, we'll explore logging, monitoring, and threat detection for cloud networks.