A DDoS-resilient, two-tier architecture for web applications in the AWS cloud
One of the most common questions that cloud-driven organisations have is how they can protect their AWS-hosted applications from DDoS attacks. To address that concern, I wrote this article a while ago, which goes into detail on a set of core guidelines to abide by. Those are:
Reduce the attack surface area
Be ready to scale and absorb the attack
Safeguard exposed resources
Monitor application behavior
Create a plan for attacks
But that’s just the theoretical part. How, one might ask, can these guidelines be put into practice?
To flesh out the AWS best practices for DDoS resiliency, I have created an open-source, Terraform-based project that represents a starting point in the journey of building a DDoS-resilient, two-tier architecture for web applications. An architectural blueprint of the infrastructure involved can be found below.
The traffic flow is as follows:
1) HTTP traffic is transmitted from the client to the CloudFront distribution which is the first point of entry into the infrastructure.
2) The WAF ACL attached to the CloudFront distribution inspects the inbound traffic. The edge ACL has been configured with a blanket rate limit rule along with several AWS managed rules. If the request is allowed, it is forwarded to the ALB, which only accepts traffic from CloudFront's managed prefix list, so the WAF cannot be bypassed by sending requests directly to the load balancer.
3) The ALB in turn distributes the traffic across the healthy backend EC2 instances that host the web application.
4) The website is served to the client, and CloudFront caches the served content.
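As an added example (not the project's own Terraform), here are the two controls from steps 2 and 3 expressed in Terraform: a CloudFront-scoped WAF ACL with a blanket rate-based rule, and an ALB security group that admits HTTP only from CloudFront's origin-facing managed prefix list. Resource names, the rate threshold and var.vpc_id are assumed placeholders.

```hcl
# Added example, not the project's own code; names and the threshold are placeholders.
# Step 2: WAF ACL for CloudFront. A "CLOUDFRONT" scope must be created in us-east-1.
resource "aws_wafv2_web_acl" "edge" {
  name  = "edge-acl"
  scope = "CLOUDFRONT"
  default_action {
    allow {}
  }
  # Blanket rate limit: block any source IP exceeding the limit within WAF's 5-minute window.
  rule {
    name     = "blanket-rate-limit"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000 # placeholder; tune to your legitimate per-IP peak
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "blanket-rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}

# Step 3: the ALB security group admits port 80 only from CloudFront's origin-facing
# prefix list, so requests cannot skip the WAF by going straight to the load balancer.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id # assumed variable
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }
}
```

The CloudFront prefix list counts as 55 entries against the security group's inbound rule quota, so leave room for it or request a quota increase.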
You can clone the repository via this link.
The project is by no means finished and I will continue to expand it over time. But I think it’s a good start for anyone who is curious about DDoS defense in the AWS cloud.
What I would recommend adding to your own forked copy:
TLS
More WAF rules
An application with greater functionality
A set of detective controls to monitor key metrics of the application
If you find value in this content, please share and subscribe for more updates!