Score:0

Possible to create an AWS API Gateway to Route all requests to Classic Load Balancer?


I have a question (hopefully not dumb). I am the IT guy of a business hosting various applications with AWS and we currently have a Classic Load Balancer sitting in front of 2 to 3 EC2 instances which handle all our web traffic. It's a pretty straightforward configuration. In the past 13 hours, we are being hit with what we believe is malicious activity. A single person (I think) is trying to send more than 500 requests per second, I guess a bad actor. Unfortunately, I am not well equipped with devops skills but I know that's one area I need to invest in after this.

At the moment, I am looking to block/rate limit these requests as soon as possible. I have read online that an API gateway can do this. I would appreciate any advice on what type of API gateway to create. Is it also possible to create an API gateway and route all requests to that gateway to the Load Balancer? And is it also possible to limit requests based on the request body and not only IP address? Thanks and I do appreciate any response to this. I am also happy to improve on my question where necessary.

Tim
What are you protecting? Web servers, API servers, something else? AWS WAF v2 is probably going to be a better product for you. Also if it's coming from one IP or a small set, just add that to the NACLs as a deny on the inbound NACL; it'll be dropped by the hypervisor. If you had CloudFront it can run NACLs on the edge if you're under DDoS, but you might have to pay for Shield Advanced for that, can't recall exactly.
realnsleo
Hi @Tim, thank you for your response. Yes, I am protecting the EC2 web servers sitting behind the load balancer. Unfortunately the applications working in the web servers were built by someone else who left and we are currently in the process of changing them. AWS WAF seems to be something that can help. The requests are coming from 5 specific IPs. I am going to read up more on AWS WAF and see how I can deploy that quickly. CloudFront seems an interesting topic. Thanks! Let me get on it.
Score:1

Tim

Given you have a very small set of IP addresses hitting your server I suggest you add deny rules on your public subnet Network Access Control List (NACL). It's in the EC2 console.

If it were a DDOS then AWS Shield (free) would probably have taken care of it, and if not AWS WAF may also help.

realnsleo
Thank you!! AWS WAF worked wonders for me. The standard Shield too. I will keep monitoring and also playing around with custom rules. And also employ a devops engineer. Thanks!
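Tim's NACL suggestion, as an added example that is not part of the thread: a small shell helper that prints the AWS CLI calls needed to add inbound deny entries for a handful of source addresses. NACL entries are evaluated in ascending rule-number order and the first match wins, so the deny entries must carry lower numbers than the existing allow rule (the default allow-all is rule 100); the helper starts at 10 by assumption. The ACL id and IPs used in the usage line are constructed placeholders. It only prints commands; pipe the output into `sh` once the numbers and addresses have been checked.

```bash
#!/usr/bin/env bash
# Added example, not from the answer above. Generates (does not run) the
# "aws ec2 create-network-acl-entry" calls that add inbound DENY entries to
# a Network ACL for a small set of offending source addresses.
# Assumptions: RULE_START (default 10) sits below every existing ALLOW rule;
# a bare IPv4 address is treated as a /32 host route.

nacl_deny_commands() {
  local acl_id="$1"; shift
  local rule_no="${RULE_START:-10}"
  local ip cidr

  [ -n "$acl_id" ] || { echo "usage: nacl_deny_commands <acl-id> <ip|cidr>..." >&2; return 2; }

  for ip in "$@"; do
    # Accept either a CIDR block or a bare address; the CLI needs a CIDR.
    case "$ip" in
      */*) cidr="$ip" ;;
      *)   cidr="$ip/32" ;;
    esac

    # NACL rule numbers must stay within 1..32766; stop rather than emit junk.
    if [ "$rule_no" -gt 32766 ]; then
      echo "rule number overflow at $cidr" >&2
      return 1
    fi

    # --protocol -1 means all protocols, so TCP/80, TCP/443 and anything else
    # from this source is dropped before it reaches the load balancer.
    printf 'aws ec2 create-network-acl-entry --network-acl-id %s --ingress --rule-number %d --protocol -1 --rule-action deny --cidr-block %s\n' \
      "$acl_id" "$rule_no" "$cidr"
    rule_no=$((rule_no + 1))
  done
}

# Usage with constructed placeholder values (documentation ranges, not real hosts):
#   nacl_deny_commands acl-0123456789abcdef0 203.0.113.10 198.51.100.0/24
```

A NACL holds only 20 inbound entries by default, so this approach fits the "five specific IPs" case in the question but not a large or rotating source set; for that, a WAF rate-based rule or IP set in front of the load balancer scales better, and the NACL entries should be removed again once the traffic stops so the rule budget is not consumed by stale denies.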