Nginx – How prevent WAF bypass on AWS

Tags: amazon-web-services, networking, nginx, Security

I have an internal AWS ALB behind an NLB which has static IPs. Then I have a Sucuri WAF in front of the NLB. My concern is a WAF bypass. What do you think is the best way to whitelist so that the AWS load balancers only take traffic from the Sucuri WAF? My EC2s are running nginx. Looks like the NLB does not have a security group and nginx may not see the real IP of the user. Any thoughts?

Edit:
I need static IPs, that's why I have an NLB with elastic IPs. I also need the features of the ALB, that's why I have both. I can roll out my own nginx load balancers but I'd like fewer problems, and I need it for some other AWS features.

Best Answer

Why do you have both an NLB and an ALB?

AWS ALB

AWS Application Load Balancer has security groups (documentation link). You can use that to limit which IPs traffic can come from. That relies on the NLB not messing with that information.

AWS NLB

The AWS Network Load Balancer works at Layer 4, and according to Wikipedia "Class 4 is closest to TCP". I wonder if the NLB doesn't change the source IP - hopefully someone else who's more familiar with this can answer / comment; it's been a long time since I learned the OSI model. If so, this would work well with the ALB security groups.

X-Forwarded-For

Another approach is that Sucuri most likely sets the X-Forwarded-For header. In Nginx you can use the "real_ip_header" command to say "for the IP addresses I specify (i.e. that belong to Sucuri) the original IP address is in this header". E.g.:

set_real_ip_from  192.168.1.0/24;   # trusted proxy range (replace with your WAF / LB addresses)
set_real_ip_from  192.168.2.1;      # a single trusted proxy
set_real_ip_from  2001:0db8::/32;   # trusted IPv6 range
real_ip_header    X-Forwarded-For;  # header the trusted proxies put the client address in
real_ip_recursive on;               # skip every trusted hop from the right, not just the last one

One thing to be careful of is that the AWS ALB might also set that header, hiding what Sucuri sets.

Nginx Allow / Deny

Once that's done you have another method using Nginx that lets you block all hosts other than those you allow.

allow 1.2.3.4;   # Allow a single remote host
deny all;        # Deny everyone else

Summary

If you can simplify your architecture you can probably find a simpler solution.
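The following is an added example, not code from the question or the answer above. It is a small Python model of how the nginx realip module resolves $remote_addr from X-Forwarded-For (only consulted when the TCP peer is in set_real_ip_from; with real_ip_recursive on, hops are walked from the right and the first untrusted one wins), followed by the allow/deny check from the answer. It makes the ALB caveat concrete: because the ALB appends its own hop, trusting only the ALB subnets makes the resolved address the Sucuri hop, which is exactly what an allow list of WAF ranges should test. All address ranges are constructed placeholders, and the model assumes the ALB appends the true TCP source (i.e. the NLB preserves it, the point the answer is unsure about).

```python
import ipaddress

# Constructed placeholder ranges: substitute the ALB's VPC subnets and the
# address ranges your WAF vendor publishes. These are NOT real Sucuri or AWS ranges.
ALB_SUBNETS = [ipaddress.ip_network("10.0.0.0/16")]
WAF_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def in_ranges(addr, ranges):
    """True if addr falls inside any network in ranges (mixed v4/v6 compares False)."""
    if not is_ip(addr):
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def effective_client(peer, xff, trusted, recursive=True):
    """Model of what nginx's realip module turns $remote_addr into.

    peer    -- the TCP source address nginx actually accepted ($realip_remote_addr)
    xff     -- the X-Forwarded-For header value as received
    trusted -- the set_real_ip_from networks
    The header is only consulted when the peer is trusted. With real_ip_recursive on,
    hops are walked from the right and the first untrusted one wins (if every hop is
    trusted, the leftmost remains); with it off, the rightmost hop wins.
    """
    if not in_ranges(peer, trusted):
        return peer                      # untrusted peer: header is ignored entirely
    found = peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_ip(hop):
            break                        # unparsable entry: keep what was found so far
        found = hop
        if not recursive or not in_ranges(hop, trusted):
            break
    return found


def came_via_waf(peer, xff):
    """Equivalent of 'allow <WAF ranges>; deny all;' evaluated after realip, with
    only the ALB subnets trusted. Returns (allowed, resolved_address)."""
    resolved = effective_client(peer, xff, ALB_SUBNETS)
    return in_ranges(resolved, WAF_RANGES), resolved


def original_client(xff):
    """Leftmost hop: the address the WAF recorded for the end user. For logging only,
    and only meaningful once came_via_waf() has returned True."""
    hops = [h.strip() for h in xff.split(",")]
    return hops[0] if hops and is_ip(hops[0]) else None


if __name__ == "__main__":
    # Legitimate path: user -> WAF -> NLB -> ALB -> nginx. The WAF appends the user,
    # the ALB appends the WAF, and nginx's TCP peer is the ALB.
    print(came_via_waf("10.0.1.5", "203.0.113.7, 198.51.100.10"))
    # Bypass attempt the check must catch: a host reaches the NLB directly with a
    # forged header; the ALB still appends the true source, which is what is tested.
    print(came_via_waf("10.0.1.5", "203.0.113.7, 198.51.100.10, 192.0.2.99"))
    # Misconfiguration: also trusting the WAF ranges resolves to the end user, so an
    # allow list of WAF ranges would then deny legitimate traffic.
    print(effective_client("10.0.1.5", "203.0.113.7, 198.51.100.10",
                           ALB_SUBNETS + WAF_RANGES))
```

In nginx terms this is set_real_ip_from covering only the ALB subnets, real_ip_header X-Forwarded-For, and then allow entries for the Sucuri ranges followed by deny all; the end-user address for logging is the first element of the header rather than $remote_addr. The header check is only as good as the hop the ALB appends, so the ALB security group from the answer should still restrict inbound sources at the network layer as the primary control.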