
I am new to AWS and currently trying to implement the following.

I have an API server which sits in an EC2 instance. I would like to implement some filtering and rerouting mechanism for 2 sets of clients:

  1. Public.
  2. Clients with specific IP range.

What I want is to allow public access to everyone and have them redirected to /public when they access my server, while the specific clients will be rerouted to /specific when they access my server. Public clients will not be allowed to access /specific since it is intended only for specific clients with specific IPs; however, the reverse should be possible: specific clients should be allowed access to /public.

I believe the rerouting part is possible using target groups + application load balancer. I also considered using Nginx, however, I am not sure where to go from this point on.

Ryklon Zen
  • Note that you seem to have specified two mutually-exclusive conditions. (1) *the specific clients will be rerouted to `/specific` when they access my server* and (2) *specific clients should be allowed access to `/public`.* If 1 is true, then 2 can't be true, because `/public` would redirect back to `/specific`. Please clarify. – Michael - sqlbot Feb 25 '19 at 15:59
  • I am thinking we can block access to `/specific` for public clients and only allow specific clients access. Maybe some kind of IP filtering based routing? Both `/public` and `/specific` are part of the same API. `/api/public` `/api/specific` – Ryklon Zen Feb 26 '19 at 02:44

1 Answer


Web Application Firewall (WAF) can attach to an ALB and allow or deny certain requests based on rule analysis, such as the client IP address or path (or a combination), but is limited to allowing or denying requests (or "counting" them -- for purposes like testing a rule's matching without actually applying it).

So on initial reading of your question, you can't do these things with just an ALB (or ALB+WAF) -- you can't selectively redirect, or change where the traffic goes (target groups use static rules for host and/or path patterns, and these rules do not interact with WAF rules -- these rules only apply to traffic WAF chose to allow).

However, if simply preventing access to specific paths such as /specific and /specific/* for clients who are not on an allowed list is sufficient, then ALB can do that with WAF.

It isn't necessarily clear from the marketing materials, but WAF isn't exactly a separate service, in the sense that there is no actual firewall device or platform that all of your traffic is always passing through, and it can't be used all by itself. WAF is essentially an add-on feature of ALB and CloudFront and API Gateway, where a hook in the front-end of those services sends the first full buffer of each request for analysis and WAF decides, based on your rules, to tell the front-end to either allow or deny each request.

Michael - sqlbot
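The allow-or-deny arrangement the answer describes (block /specific and /specific/* at the ALB unless the client IP is on an allow list, default allow for everything else) as an added example. This is not code from the answer or from AWS: it builds the rule in the JSON shape that the WAFv2 CreateWebACL API accepts (boto3 `wafv2.create_web_acl`; the answer predates WAFv2, so the v2 shape is an assumption here), then evaluates that same rule locally against constructed requests so the matching logic can be checked before anything is deployed. The IP-set ARN, the CIDR ranges, the ACL and metric names, and the local evaluator are all placeholders or approximations, not AWS components.

```python
"""Block /specific and /specific/* at the ALB unless the client IP is allow-listed.

Added example. Builds a WAFv2-shaped Web ACL (boto3: wafv2.create_web_acl) and
evaluates its single rule locally against constructed requests. The ARN, CIDRs
and names are placeholders; the evaluator approximates WAF's semantics for the
statement types used here and is not a WAF reimplementation.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

# Hypothetical IP set. In AWS it is created with wafv2.create_ip_set and the rule
# references it by ARN; the CIDRs (TEST-NET ranges) sit beside the ARN so the
# local evaluator can resolve it offline.
ALLOWED_IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/specific-clients/EXAMPLE"
IP_SETS = {ALLOWED_IP_SET_ARN: ["203.0.113.0/24", "198.51.100.7/32"]}


def uri_path_match(search_string, positional_constraint):
    """ByteMatchStatement on the URI path. URL_DECODE and NORMALIZE_PATH run
    before matching so /spec%69fic or /public/../specific cannot dodge it."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "SearchString": search_string,
        "PositionalConstraint": positional_constraint,
        "TextTransformations": [
            {"Priority": 0, "Type": "URL_DECODE"},
            {"Priority": 1, "Type": "NORMALIZE_PATH"},
        ],
    }}


def build_web_acl():
    """Default Allow plus one Block rule: (path is /specific or under /specific/)
    AND (client IP is NOT in the allowed IP set)."""
    block_rule = {
        "Name": "block-specific-unless-allowlisted",
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {"AndStatement": {"Statements": [
            # Two clauses instead of STARTS_WITH "/specific", which would also
            # catch unrelated paths such as /specifically.
            {"OrStatement": {"Statements": [
                uri_path_match("/specific", "EXACTLY"),
                uri_path_match("/specific/", "STARTS_WITH"),
            ]}},
            {"NotStatement": {"Statement": {
                "IPSetReferenceStatement": {"ARN": ALLOWED_IP_SET_ARN}}}},
        ]}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockSpecificUnlessAllowlisted"},
    }
    return {
        "Name": "api-server-acl",
        "Scope": "REGIONAL",             # REGIONAL for an ALB association
        "DefaultAction": {"Allow": {}},  # /public stays open to everyone
        "Rules": [block_rule],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "ApiServerAcl"},
    }


def _transform(path, transformations):
    """Apply text transformations in priority order (only the two used above)."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "URL_DECODE":
            path = unquote(path)
        elif t["Type"] == "NORMALIZE_PATH":
            path = posixpath.normpath(path)  # collapses /public/../specific
    return path


def _matches(statement, request):
    (kind, body), = statement.items()
    if kind == "ByteMatchStatement":
        path = _transform(request["path"], body["TextTransformations"])
        if body["PositionalConstraint"] == "EXACTLY":
            return path == body["SearchString"]
        return path.startswith(body["SearchString"])  # STARTS_WITH
    if kind == "IPSetReferenceStatement":
        ip = ipaddress.ip_address(request["client_ip"])
        return any(ip in ipaddress.ip_network(c) for c in IP_SETS[body["ARN"]])
    if kind == "NotStatement":
        return not _matches(body["Statement"], request)
    if kind == "AndStatement":
        return all(_matches(s, request) for s in body["Statements"])
    if kind == "OrStatement":
        return any(_matches(s, request) for s in body["Statements"])
    raise ValueError(f"unsupported statement type: {kind}")


def evaluate(web_acl, client_ip, path):
    """Return 'Allow' or 'Block' for one request; first matching rule wins."""
    request = {"client_ip": client_ip, "path": path}
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], request):
            return next(iter(rule["Action"]))
    return next(iter(web_acl["DefaultAction"]))


if __name__ == "__main__":
    acl = build_web_acl()
    for ip, path in [("192.0.2.10", "/public"), ("192.0.2.10", "/specific"),
                     ("192.0.2.10", "/public/../specific"), ("203.0.113.5", "/specific/v1")]:
        print(f"{ip:>12} {path:<22} -> {evaluate(acl, ip, path)}")
```

Two caveats a deployment of this needs. First, with WAF on an ALB the IPSetReferenceStatement evaluates the TCP source address of the connection; if another proxy or CDN sits in front of the ALB, the rule must instead carry an IPSetForwardedIPConfig naming the header (typically X-Forwarded-For) to inspect, otherwise every client appears to come from the proxy. Second, the asker's real paths are /api/public and /api/specific, so the two search strings become "/api/specific" and "/api/specific/"; the text transformations matter because the backend (nginx or the API server) will decode and normalise the path before routing it, and the WAF check has to see the same path the backend sees.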