Loading...
Back

About the [IP address to use] option for AWS WAF v2

AWS WAF v2Old PlanNew PlanAdvancedLegacyFeature / Spec.

Overview

You can configure IP address rules to reference the IP addresses that are included in the specific header.
Reference: IP addresses

This article explains when to use the [IP address to use] option.

About the [IP address to use] option

As stated in the IP addresses section, you can specify which IP addresses within the request to use in the IP addresses rule configuration. The same setting applies to both Allowlist and Denylist.

  • Source IP
    • The rules will inspect the request's source IP (client IP).
  • Specific header
    • The rules will inspect the IP addresses in the specified header (e.g., X-Forwarded-For).
    • If you choose the [Specific header] option, please choose the position of the IP addresses inside the header from [Position inside header].

When to use the specific header

This is an option to use when you deploy CDN in front of the ALB and use WafCharm with a web ACL attached to the ALB.

As shown in the diagram above, ALB is positioned behind CloudFront or CDN, and WafCharm is used on the web ACL attached to the ALB. In this case, the requester's IP address, from ALB's point of view, will become CloudFront or CDN's IP address.

If you choose [Source IP] in the [IP address to use] option, WafCharm will be using the CDN's IP address in the dynamic denylist feature. To be more specific, if the dynamic denylist (signature re-matching) feature detects a request, the CDN's IP address will be added to the denylist.

If the CDN's IP address is added to the denylist with this feature, all requests that pass through the CDN will be blocked.

If you are deploying CDN in front of ALB, please consider taking either of the actions below to prevent CDN's IP addresses from being added to the denylist.

  • Attach web ACL to CDN (recommended).
  • Attach web ACL to ALB, and select [Specific header] in the [IP address to use] option.

Notes on enabling the [IP address to use] option

  • If you use the Legacy rule policy, the dynamic denylist (signature re-matching) feature will be disabled.
    • If you use the Advanced rule policy, the dynamic denylist will use the IP addresses in the header, so the feature will not be disabled.
  • If the specified header is not present in the request or if the IP addresses are not present in the specified header, the requests will not match the allowlist or denylist rules.
  • Source IP and Specific header options cannot be used together.
    • If CDN is deployed in front of ALB, but some requests are directly made to the ALB, please create your own IP address-related rules to control the requests for either CDN or ALB.