Route Traffic to the WAF

How you route traffic to the WAF depends on the network architecture of your environment:

AWS

  • ALB or ELB in front of WAF
    • If you are using AWS Route 53 as your DNS provider, the best way to route traffic to the WAF is to create an “Alias” record in Route 53 that points to the WAF’s ALB or ELB. Refer to the Routing to an ELB Load Balancer documentation from AWS.
    • If you are using an external DNS provider (not Route 53), then create a CNAME record for the domain and point the CNAME to the WAF’s ALB or ELB DNS name.
  • NLB (using EIP) in front of WAF
    • The NLB would typically have 2 or more Elastic IPs (EIPs). To route traffic to the WAF, create a DNS “A” record for each EIP (there will be 2 or more “A” records).

Azure

To route traffic to the WAF, create a DNS “A” record to point to the frontend IP of the WAF’s load balancer.

Physical or Virtual (VMware) WAFs

  • Reverse Proxy – For Reverse Proxy websites, there are 2 options to route traffic to the WAF: DNS change or NAT change.
    • DNS Change – If there is a public IP associated with the WAF’s VIP, you can route traffic to the WAF by creating a DNS “A” record to point to the WAF VIP’s public IP.
    • NAT Change – If the website has an existing public IP NAT pointing directly to the web servers, you can change the public IP NAT and point it to the WAF’s VIP.
  • Routing Proxy – For Routing Proxy websites, traffic is routed to the WAF by adding static host routes to the firewall (or to the WAF’s default gateway). The static route should point to the WAF’s VIP as the next hop. For example, if the web server’s IP is 10.1.1.50 and the WAF’s VIP is 10.1.1.100, the static route would be:
    Destination: 10.1.1.50/32, Next hop: 10.1.1.100
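Whichever of the options above is used, the failure mode to watch for is the same: a DNS answer that still names an origin web server lets clients reach the servers without passing through the WAF. The Python below is an added example (not part of this page or the WAF vendor’s tooling) that checks observed DNS answers against the intended routing for the AWS external-DNS CNAME case, the NLB EIP / Azure frontend IP / reverse-proxy public VIP “A” record cases, and also generates the Routing Proxy static host routes described in the last bullet. The hostnames, ALB name, IP addresses and record sets are constructed sample data.

```python
"""Audit DNS answers against the intended WAF routing (added example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

Answer = Tuple[str, str]  # (record type, value) as a resolver would return it


@dataclass
class Expectation:
    """What a hostname should resolve to once traffic is routed to the WAF.

    mode "cname":     one CNAME to the WAF's ALB/ELB DNS name (external DNS provider case)
    mode "a_records": an A record for every WAF-facing IP (NLB EIPs, Azure frontend IP,
                      or a reverse-proxy VIP's public IP) and nothing else
    origin_ips:       web server IPs that must never appear in public answers
    """
    mode: str
    waf_targets: Set[str]
    origin_ips: Set[str] = field(default_factory=set)


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def audit(hostname: str, answers: List[Answer], exp: Expectation) -> List[str]:
    """Return findings for hostname; an empty list means routing matches the expectation."""
    findings: List[str] = []
    cnames = {_norm(v) for t, v in answers if t.upper() == "CNAME"}
    a_recs = {v for t, v in answers if t.upper() == "A"}

    # An answer naming an origin server means traffic can bypass the WAF in any mode.
    for ip in sorted(a_recs & exp.origin_ips):
        findings.append(f"{hostname}: A record {ip} is an origin web server IP, traffic can bypass the WAF")

    if exp.mode == "cname":
        want = {_norm(t) for t in exp.waf_targets}
        if cnames != want:
            findings.append(f"{hostname}: expected CNAME to {sorted(want)}, observed {sorted(cnames)}")
        for ip in sorted(a_recs - exp.origin_ips):
            findings.append(f"{hostname}: unexpected A record {ip} alongside CNAME routing")
    elif exp.mode == "a_records":
        for t in exp.waf_targets:
            ip_address(t)  # raises ValueError if the expectation itself contains a typo
        if cnames:
            findings.append(f"{hostname}: unexpected CNAME {sorted(cnames)} in A-record routing")
        for ip in sorted(exp.waf_targets - a_recs):
            findings.append(f"{hostname}: missing A record for WAF IP {ip}")
        for ip in sorted(a_recs - exp.waf_targets - exp.origin_ips):
            findings.append(f"{hostname}: unexpected A record {ip} (not a WAF IP)")
    else:
        raise ValueError(f"unknown mode {exp.mode!r}")
    return findings


def routing_proxy_routes(web_servers: List[str], waf_vip: str) -> List[Tuple[str, str]]:
    """Static host routes for Routing Proxy mode: one /32 per web server, next hop = WAF VIP."""
    ip_address(waf_vip)
    return [(f"{ip_address(ip)}/32", waf_vip) for ip in web_servers]


# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_ANSWERS: Dict[str, List[Answer]] = {
    "www.example.com": [("CNAME", "waf-alb-123456.us-east-1.elb.amazonaws.com.")],
    "api.example.com": [("A", "203.0.113.10"), ("A", "203.0.113.11"), ("A", "198.51.100.5")],
    "shop.example.com": [("A", "192.0.2.40")],
}
EXPECTED: Dict[str, Expectation] = {
    "www.example.com": Expectation("cname", {"waf-alb-123456.us-east-1.elb.amazonaws.com"}),
    "api.example.com": Expectation("a_records", {"203.0.113.10", "203.0.113.11"}, {"198.51.100.5"}),
    "shop.example.com": Expectation("a_records", {"203.0.113.20"}),
}

if __name__ == "__main__":
    for host, answers in SAMPLE_ANSWERS.items():
        for finding in audit(host, answers, EXPECTED[host]) or [f"{host}: OK"]:
            print(finding)
    for dest, nexthop in routing_proxy_routes(["10.1.1.50"], "10.1.1.100"):
        print(f"Destination: {dest}, Next hop: {nexthop}")
```

In the sample data, `api.example.com` still carries an A record for an origin server next to the two NLB EIPs, and `shop.example.com` points at an address that is not the WAF at all; both are reported. For the Route 53 Alias case a public resolver returns the ALB’s current IP addresses rather than a CNAME, so audit the Route 53 record set itself (alias target name) rather than resolver answers.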