Deployment of production grade WAF is challenging. Usually it takes at least several weeks for an average team to learn, design, implement and automate a WAF deployment. However, system design principles are always the same and every team ends up building a similar system.
The main purpose of this project is to provide an AWS CloudFormation template that follows system design principles and deploys complete, production grade WAF solution to AWS cloud.
The idea behind this solution is to provide a production grade WAF data plane and streamline day to day WAF operations via user friendly interfaces for configuration and visibility. Following picture represents high level architecture.
Solution consists of three main components:
- WAF data plane
- Interface for WAF configuration
- Interface for WAF visibility
Data plane uses official NGINX App Protect AMIs as a WAF engine. It is fully maintenance-less, automated and auto-scales up and down based on amount of traffic flying through.
GitOps is used as configuration approach. AWS CodeCommit git repo contains default configuration for a WAF. After that every configuration change user commits in git automatically applies to the running WAF data plane.
Data plane VMs continiously send logs and metrics to AWS CloudWatch. It in turn provides a dashboard with detailed visibility to WAF security and performace.
Therefore, the solution allows to use a WAF from day zero. It provides maintnaince free data plane, convinient tool for configuration management, and complehensive visibility to the system.
Template deploys a WAF into a separate AWS VPC, therefore deployment model becomes similar to SaaS.
In which case all traffic arriving from users gets inspected and then forwarded to one or more applications regardless of their location.
Deployment process is standard as for any other CloudFormation template. The deployment requires subscription to NGINX Plus with NGINX App Protect Developer - Ubuntu 18.04
- Download template from
templates
folder to your filesystem - Open AWS CloudFormation console and click "Create Stack"
- Select "Upload from a template file" and upload template from local filesystem
- Give stack a name. All other parameters are optional.
- Set a checkbox against "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
- Click create stack.
Or click the button below:
Or use following command to create a stack using aws cli:
$ aws cloudformation create-stack --stack-name NAME_OF_YOUR STACK \
--capabilities CAPABILITY_NAMED_IAM \
--template-body https://aws-waf-solution-template.s3.amazonaws.com/release/latest/modules/quickstart/nap-autoscale-ubuntu-dev.yaml \
--parameters ParameterKey=sshKey,ParameterValue=YourSshKey
Once stack deploys successfully you can access, configure and monitor the WAF deployment.
Navigate to "CloudFormation -> Your Stack -> Outputs" and click on "AppProtectLBDNSName". WAF returns a default static page.
Navigate to "AWS CodeCommit Service -> nap-AppProtectRepo". NGINX configuration locates at "files/etc/nginx/nginx.conf". App Protect configuration lives in "files/etc/app_protect". Modify these files in the same way you would do for standalone NGINX and commit changes. New configuration will be applied to the data plane automatically. You can monitor config deployment process in "AWS CodePipeline Service -> nap-AppProtectPipeline"
Open "AWS Cloudwatch -> Dashboards -> nap-AppProtectDashboard". This dashboard contains various security and performance related data.
This is a community project. Everyone is welcome to contribute.
Please refer to the F5 DevCentral Community Code of Conduct.
For support, please open a GitHub issue. Note, the code in this repository is community supported and is not supported by F5 Networks.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2014-2020 F5 Networks Inc.
Before you start contributing to any project sponsored by F5 Networks, Inc. (F5) on GitHub, you will need to sign a Contributor License Agreement (CLA).
If you are signing as an individual, we recommend that you talk to your employer (if applicable) before signing the CLA since some employment agreements may have restrictions on your contributions to other projects. Otherwise by submitting a CLA you represent that you are legally entitled to grant the licenses recited therein.
If your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5.
If you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein. You represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA.