Integrations for your Application Load Balancer
You can optimize your Application Load Balancer architecture by integrating with several other Amazon services to enhance the performance, security, and availability of your application.
Load balancer integrations
Amazon CloudFront + Amazon WAF
Amazon CloudFront is a web service that helps improve the performance, availability, and security of your applications that use Amazon. CloudFront acts as a distributed, single point of entry for your web applications that use Application Load Balancers. It extends your Application Load Balancer's reach globally, allowing it to serve users efficiently from nearby edge locations, optimizing content delivery and reducing latency for users worldwide. The automatic content caching at these edge locations significantly reduces the load on your Application Load Balancer, improving its performance and scalability.
The one-click integration available in the Elastic Load Balancing console creates a CloudFront distribution with the recommended Amazon WAF security protections, and associates it with your Application Load Balancer. The Amazon WAF protections block common web exploits before they reach your load balancer. You can access the CloudFront distribution and its corresponding security dashboard from the load balancer's Integrations tab in the console. For more information, see Manage Amazon WAF security protections in the CloudFront security dashboard in the Amazon CloudFront Developer Guide and Introducing CloudFront Security Dashboard, a Unified CDN and Security Experience.
As a security best practice, configure your internet-facing Application Load Balancer's security groups to allow inbound traffic only from the Amazon-managed prefix list for CloudFront, and remove any other inbound rules. The prefix list alone only proves that a request came from CloudFront, not from your distribution, so also configure CloudFront to add a secret custom header to origin requests and have the load balancer forward only requests that carry it. For more information, see Use the CloudFront managed prefix list, Configure CloudFront to add a custom HTTP header to requests and Configure an Application Load Balancer to only forward requests that contain a specific header in the Amazon CloudFront Developer Guide.
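The following script is an added example written for this page, not code from the AWS documentation. It applies the controls described above with boto3: it looks up the CloudFront origin-facing managed prefix list, allows inbound HTTPS from that prefix list only, revokes every other inbound permission on the load balancer's security group, and adds a listener rule that forwards only requests carrying a secret header, with a fixed 403 as the listener's default action. The security group ID, listener and target group ARNs, region and secret are placeholders you must replace; the header name `X-Origin-Verify` is an arbitrary choice. The request-building functions are pure, so they can be inspected and tested without AWS credentials; only `lock_down` talks to the API.

```python
"""Lock an internet-facing ALB to a single CloudFront distribution.

Added example (not AWS documentation code). Assumes boto3 credentials with
ec2 and elbv2 permissions. All IDs, ARNs and the secret are placeholders.
"""
from __future__ import annotations

# Name of the Amazon-managed prefix list that holds CloudFront's origin-facing ranges.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
# Arbitrary header name; must match the origin custom header set on the distribution.
HEADER_NAME = "X-Origin-Verify"


def ingress_only_from_prefix_list(prefix_list_id: str, port: int = 443) -> list[dict]:
    """IpPermissions for authorize_security_group_ingress: one rule that references
    the managed prefix list, so it tracks CloudFront's address ranges automatically."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "CloudFront origin-facing only"}],
    }]


def permissions_to_revoke(existing: list[dict], prefix_list_id: str) -> list[dict]:
    """Return the parts of the group's current inbound permissions (as returned by
    describe_security_groups) that are NOT the CloudFront prefix-list rule:
    CIDR ranges, IPv6 ranges, referenced security groups and other prefix lists."""
    revoke = []
    for perm in existing:
        remaining = {
            "IpRanges": perm.get("IpRanges", []),
            "Ipv6Ranges": perm.get("Ipv6Ranges", []),
            "UserIdGroupPairs": perm.get("UserIdGroupPairs", []),
            "PrefixListIds": [p for p in perm.get("PrefixListIds", [])
                              if p["PrefixListId"] != prefix_list_id],
        }
        remaining = {k: v for k, v in remaining.items() if v}
        if not remaining:
            continue  # nothing left but the CloudFront rule itself
        entry = {"IpProtocol": perm["IpProtocol"], **remaining}
        for key in ("FromPort", "ToPort"):
            if key in perm:
                entry[key] = perm[key]
        revoke.append(entry)
    return revoke


def header_rule_conditions(secret: str) -> list[dict]:
    """Listener rule condition: forward only if the secret header is present.
    ALB matches header values case-insensitively and treats * and ? as wildcards,
    so the secret must be a long random token without those characters."""
    return [{"Field": "http-header",
             "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME, "Values": [secret]}}]


def deny_default_action() -> list[dict]:
    """Listener default action: fail closed for anything that misses the header rule."""
    return [{"Type": "fixed-response",
             "FixedResponseConfig": {"StatusCode": "403",
                                     "ContentType": "text/plain",
                                     "MessageBody": "Forbidden"}}]


def lock_down(sg_id: str, listener_arn: str, target_group_arn: str,
              secret: str, region: str) -> str:
    """Apply the security-group and listener changes; returns the prefix list ID."""
    import boto3  # imported here so the builders above stay usable offline
    ec2 = boto3.client("ec2", region_name=region)
    elbv2 = boto3.client("elbv2", region_name=region)

    prefix_list_id = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}]
    )["PrefixLists"][0]["PrefixListId"]

    current = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissions"]
    # Authorize first, then revoke, so CloudFront traffic is never cut off in between.
    ec2.authorize_security_group_ingress(
        GroupId=sg_id, IpPermissions=ingress_only_from_prefix_list(prefix_list_id))
    stale = permissions_to_revoke(current, prefix_list_id)
    if stale:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=stale)

    elbv2.create_rule(ListenerArn=listener_arn, Priority=1,
                      Conditions=header_rule_conditions(secret),
                      Actions=[{"Type": "forward", "TargetGroupArn": target_group_arn}])
    elbv2.modify_listener(ListenerArn=listener_arn, DefaultActions=deny_default_action())
    return prefix_list_id


if __name__ == "__main__":
    import secrets
    # Placeholders: replace with your own resources before running.
    print(lock_down("sg-0123456789abcdef0",
                    "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/my-alb/abc/def",
                    "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/123",
                    secrets.token_urlsafe(32), "us-east-1"))
```

The same secret must be configured as an origin custom header on the CloudFront distribution (the script does not touch CloudFront), and it should be rotated by adding the new value as a second rule value before removing the old one. `authorize_security_group_ingress` raises `InvalidPermission.Duplicate` if the prefix-list rule already exists, and the CloudFront prefix list counts as 55 rules against the security group rule quota, so check the quota on groups that carry other rules.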
Note
CloudFront only supports ACM certificates in the US East (N. Virginia) us-east-1 region. If your Application Load Balancer has an HTTPS listener configured with an ACM certificate in a region other than us-east-1, you will need to either change the CloudFront origin connection from HTTPS to HTTP, or provision an ACM certificate in the US East (N. Virginia) region and attach it to your CloudFront distribution.
Amazon Global Accelerator
To optimize application availability, performance, and security, create an accelerator for your load balancer. The accelerator directs traffic over the Amazon global network to static IP addresses that serve as fixed endpoints in the nearest Region to the client. Amazon Global Accelerator is protected by Shield Standard, which minimizes application downtime and latency from DDoS attacks.
For more information, see Adding an accelerator when you create a load balancer in the Amazon Global Accelerator Developer Guide.
Amazon Config
To optimize monitoring and compliance of your load balancer, set up Amazon Config. Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. Amazon Config streamlines audits, compliance, and troubleshooting.
For more information, see What Is Amazon Config? in the Amazon Config Developer Guide.
Amazon WAF
You can use Amazon WAF with your Application Load Balancer to allow or block requests based on the rules in a web access control list (web ACL).
By default, if the load balancer cannot get a response from Amazon WAF, it returns an HTTP 500 error and does not forward the request. If you need your load balancer to forward requests to targets even if it is unable to contact Amazon WAF, you can enable Amazon WAF fail open. Fail open trades protection for availability: while WAF is unreachable, requests reach your targets without being inspected by the web ACL.
Pre-defined web ACLs
When enabling Amazon WAF integration, you can choose to automatically create a new web ACL with pre-defined rules. The pre-defined web ACL includes three Amazon managed rule groups which offer protection against the most common security threats.
- AWSManagedRulesAmazonIpReputationList ‐ The Amazon IP reputation list rule group blocks IP addresses typically associated with bots or other threats. For more information, see Amazon IP reputation list managed rule group in the Amazon WAF Developer Guide.
- AWSManagedRulesCommonRuleSet ‐ The core rule set (CRS) rule group provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as the OWASP Top 10. For more information, see Core rule set (CRS) managed rule group in the Amazon WAF Developer Guide.
- AWSManagedRulesKnownBadInputsRuleSet ‐ The Known bad inputs rule group blocks request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. For more information, see Known bad inputs managed rule group in the Amazon WAF Developer Guide.
For more information, see Using web ACLs in Amazon WAF in the Amazon WAF Developer Guide.
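The following script is an added example for this page, not code from the AWS documentation, covering both the fail-open setting and the pre-defined web ACL above. It builds the same three managed rule groups as a web ACL rule list, creates a REGIONAL-scope web ACL in the load balancer's Region (a web ACL for an Application Load Balancer must be REGIONAL and in the same Region; CLOUDFRONT scope is only for distributions), associates it with the load balancer, and sets the `waf.fail_open.enabled` attribute explicitly rather than leaving it at its default. The load balancer ARN and web ACL name are placeholders; `count_only` is a convention of this example for burning in the rules in count mode before switching to block.

```python
"""Create and attach the pre-defined managed-rule web ACL to an ALB, and set
WAF fail-open deliberately.

Added example (not AWS documentation code). Assumes boto3 credentials with
wafv2 and elbv2 permissions. The load balancer ARN is a placeholder.
"""
from __future__ import annotations

# The three rule groups the console's pre-defined web ACL uses, in evaluation order.
PREDEFINED_RULE_GROUPS = [
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
]


def managed_rules(names: list[str] = PREDEFINED_RULE_GROUPS,
                  count_only: bool = False) -> list[dict]:
    """One web ACL rule per AWS managed rule group.

    Priority follows list order (lower runs first). With count_only=True the
    rule group's actions are overridden to Count, so matches are logged and
    metered but nothing is blocked; use that to burn in the CRS against real
    traffic, check the CloudWatch metrics for false positives, then redeploy
    with count_only=False to enforce.
    """
    rules = []
    for priority, name in enumerate(names):
        rules.append({
            "Name": name,
            "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"Count": {}} if count_only else {"None": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": name},
        })
    return rules


def fail_open_attribute(enabled: bool) -> list[dict]:
    """Load balancer attribute that decides what happens when WAF is unreachable:
    false (the default) returns HTTP 500, true forwards the request uninspected."""
    return [{"Key": "waf.fail_open.enabled", "Value": "true" if enabled else "false"}]


def protect_alb(alb_arn: str, region: str, acl_name: str = "alb-predefined",
                count_only: bool = False, fail_open: bool = False) -> str:
    """Create the web ACL, associate it with the ALB, set fail-open; returns the ACL ARN."""
    import boto3  # imported here so the builders above stay usable offline
    wafv2 = boto3.client("wafv2", region_name=region)   # same Region as the ALB
    elbv2 = boto3.client("elbv2", region_name=region)

    summary = wafv2.create_web_acl(
        Name=acl_name,
        Scope="REGIONAL",                       # required for ALB, not CLOUDFRONT
        DefaultAction={"Allow": {}},            # managed groups block; everything else passes
        Rules=managed_rules(count_only=count_only),
        VisibilityConfig={"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True,
                          "MetricName": acl_name},
    )["Summary"]
    wafv2.associate_web_acl(WebACLArn=summary["ARN"], ResourceArn=alb_arn)
    elbv2.modify_load_balancer_attributes(LoadBalancerArn=alb_arn,
                                          Attributes=fail_open_attribute(fail_open))
    return summary["ARN"]


if __name__ == "__main__":
    # Placeholder ARN: replace with your own load balancer before running.
    print(protect_alb(
        "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/my-alb/abc123",
        "us-east-1", count_only=True))
```

Leave `fail_open=False` unless an outage of the load balancer is worse for you than a window of uninspected traffic; if you do enable it, alarm on the load balancer's WAF-related CloudWatch metrics so the uninspected window is visible. The web ACL association is asynchronous and can take a short time to take effect.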