I have an ALB behind Cloudfront. Both of which have SSL certificates and therefore provide SSL offloading, both protected with WAF WebACLs. The ALB's ACL checks a header - a common practice protecting ALB from direct access (bypassing CF).
-SSL--> [CloudFront] --SSL--> [ALB:443] -------->EC2.....
WAF ACL WAF ACL*
Sorry this ain't a great diagram but just to show the ACLs (the relevant one has an asterisk) and the general blocks.
So the ALB terminates TLS and decrypts traffic BEFORE handing the requests to ACL* for the header check. I think there's no way to inspect headers except in plaintext
Now, imagine a level 7 DDoS attack - HTTP flood, say.
That bad traffic may not have the header and the ACL* will drop it all - great. However:
- will ALB have to massively scale, just to perform the TLS offloading?
- if yes, would this scale-up cost many dollars on the AWS bill? It seems like ALB for level 3/4 DDoS attack, does scale for free. Does it for a level 7 scenario..
Note: the scaling I am talking about is not the EC2 auto scaling etc, but the scaling of ALB itself.
An important AWS whitepaper
suggests that ALB does scale - to absorb infra level DDoS attacks. It seems logical it could do the same (for free) if HTTP well-formed requests got through WAF and into ALB - but I didn't want to take this for granted, hence the question
