Sunday, October 26, 2025

AWS WAF + Fixed-IP Setup + Application Load Balancer (ALB) | Overview.

Scope:

  • Intro
  • The core challenge
  • Solution overview (options)
  • Option 1: Use AWS Global Accelerator (Recommended)
  • Option 2: Use CloudFront + WAF
  • Option 3: Use Third-Party or Self-Managed WAF with Fixed IPs
  • Comparison summary of the options
  • Sample AWS Reference Architecture (Fixed IP WAF with ALB)
  • twtech Key Takeaways

Intro:

    • By default, AWS WAF doesn’t provide a fixed (static or Elastic IP) address.
      • That is because it is a managed service that sits in front of other AWS services such as:
        • CloudFront
        • API Gateway
        • Application Load Balancer (ALB)
      • All of these use dynamic IP ranges managed by AWS, which can change at any time.
    • However, there are reliable architectural patterns to achieve a fixed-IP setup while still leveraging (integrating with) AWS WAF protection.

The Core Challenge.

    • When twtech associates AWS WAF with an Application Load Balancer (ALB), its clients connect directly to the ALB’s DNS name.
    • However, the ALB’s IP addresses are ephemeral and subject to change without notice.
      • This means twtech cannot whitelist those ALB IPs in firewalls or on-prem systems that require fixed IPs.

Solution Overview

    • These are the three main approaches to achieve a fixed-IP WAF setup in front of a load balancer:

Option 1: Use AWS Global Accelerator (Recommended)

  • Best practice and AWS-supported

Architecture:

  1. Clients → AWS Global Accelerator (with static IPs)
  2. Global Accelerator → Application Load Balancer (protected by AWS WAF)
  3. ALB → EC2 / ECS / Lambda backend

How AWS Global Accelerator works:

    • Global Accelerator provides two static anycast IPs (IPv4) that don’t change.
    • twtech associates its ALB as the endpoint behind it.
    • twtech can attach AWS WAF directly to the ALB, or to a CloudFront distribution if global filtering is needed.
    • The WAF filters the requests, but twtech clients always connect via those fixed IPs.

Pros:

    • True static IP addresses.
    • High performance due to AWS’s edge network.
    • Built-in DDoS protection (via AWS Shield Standard).

Cons:

    • Additional cost for Global Accelerator (~$0.025 per GB + endpoint charges).
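Once the accelerator fronts the ALB, the three properties this option depends on are worth verifying rather than assuming: the accelerator really exposes two static IPv4 addresses, client IP preservation is enabled on the ALB endpoint (otherwise WAF IP-set and rate-based rules on the ALB evaluate the accelerator's addresses instead of the caller's), and the ALB actually carries a web ACL that has rules. The Python below is an added example, not code from the original post or from AWS; it reads dicts shaped like the boto3 `describe_accelerator`, `describe_endpoint_group` and `get_web_acl_for_resource` responses (an assumption about those response shapes), and every ARN, name and IP in it is a constructed placeholder.

```python
"""Posture check for the Option 1 ingress: static IPs on the accelerator, client IP
preservation towards the ALB, and a non-empty AWS WAF web ACL associated with the ALB.

Added example; not code from the original post or from AWS. The input dicts are shaped
like boto3 responses (assumption); all identifiers and addresses are constructed.
"""
from __future__ import annotations

import copy

# ---- constructed sample responses (placeholders throughout) ----
SAMPLE_ACCELERATOR = {"Accelerator": {
    "AcceleratorArn": "arn:aws:globalaccelerator::111122223333:accelerator/EXAMPLE-ACCELERATOR",
    "Name": "twtech-ingress", "IpAddressType": "IPV4", "Enabled": True, "Status": "DEPLOYED",
    "DnsName": "a0123456789abcdef.awsglobalaccelerator.com",
    "IpSets": [{"IpFamily": "IPv4", "IpAddresses": ["198.51.100.10", "203.0.113.20"]}],
}}

SAMPLE_ENDPOINT_GROUP = {"EndpointGroup": {
    "EndpointGroupRegion": "us-east-1",
    "EndpointDescriptions": [{
        "EndpointId": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                      "loadbalancer/app/twtech-alb/0123456789abcdef",
        "Weight": 128, "HealthState": "HEALTHY", "ClientIPPreservationEnabled": True,
    }],
}}

SAMPLE_WEB_ACL = {"WebACL": {  # trimmed: real rules also carry Statement/VisibilityConfig
    "Name": "twtech-alb-web-acl", "Id": "EXAMPLE-WEB-ACL-ID",
    "DefaultAction": {"Allow": {}},
    "Rules": [{"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0}],
}}


def static_ips(accelerator: dict) -> list[str]:
    """The anycast addresses to hand to firewall owners; these are the fixed ingress points."""
    return [ip for ipset in accelerator["Accelerator"].get("IpSets", [])
            for ip in ipset.get("IpAddresses", [])]


def audit_ingress(accelerator: dict, endpoint_group: dict, alb_web_acl: dict | None) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the architecture holds as designed."""
    findings: list[tuple[str, str]] = []
    acc = accelerator["Accelerator"]
    if not acc.get("Enabled", False):
        findings.append(("ACCELERATOR_DISABLED", "accelerator is disabled; its static IPs are not serving"))
    if acc.get("Status") != "DEPLOYED":
        findings.append(("ACCELERATOR_NOT_DEPLOYED", f"accelerator status is {acc.get('Status')!r}"))
    v4 = [ip for s in acc.get("IpSets", []) if s.get("IpFamily") == "IPv4"
          for ip in s.get("IpAddresses", [])]
    if len(v4) != 2:
        findings.append(("STATIC_IP_COUNT", f"expected two static IPv4 addresses, found {len(v4)}"))

    for ep in endpoint_group["EndpointGroup"].get("EndpointDescriptions", []):
        is_alb = ":loadbalancer/app/" in ep.get("EndpointId", "")
        if is_alb and not ep.get("ClientIPPreservationEnabled", False):
            findings.append(("CLIENT_IP_PRESERVATION_OFF",
                             "ALB would see accelerator addresses, so WAF IP/rate rules cannot act per client"))
        if ep.get("HealthState") != "HEALTHY":
            findings.append(("ENDPOINT_UNHEALTHY", f"endpoint health is {ep.get('HealthState')!r}"))

    web_acl = (alb_web_acl or {}).get("WebACL")
    if not web_acl:
        # Global Accelerator cannot carry WAF itself; the association must exist on the ALB.
        findings.append(("NO_WAF_ON_ALB", "no web ACL is associated with the ALB behind the accelerator"))
    elif not web_acl.get("Rules") and "Allow" in web_acl.get("DefaultAction", {}):
        findings.append(("WAF_WEB_ACL_EMPTY", "web ACL has no rules and allows everything by default"))
    return findings


def misconfigured_sample() -> tuple[dict, dict, dict]:
    """Constructed drifted state: preservation switched off and the WAF association removed."""
    eg = copy.deepcopy(SAMPLE_ENDPOINT_GROUP)
    eg["EndpointGroup"]["EndpointDescriptions"][0]["ClientIPPreservationEnabled"] = False
    return SAMPLE_ACCELERATOR, eg, {}  # {} mirrors get_web_acl_for_resource with no association


def fetch_live(accelerator_arn: str, endpoint_group_arn: str, alb_arn: str, alb_region: str):
    """Pull the three documents with boto3 (needs credentials; the GA control plane is in us-west-2)."""
    import boto3  # optional dependency, only needed for live use
    ga = boto3.client("globalaccelerator", region_name="us-west-2")
    waf = boto3.client("wafv2", region_name=alb_region)
    return (ga.describe_accelerator(AcceleratorArn=accelerator_arn),
            ga.describe_endpoint_group(EndpointGroupArn=endpoint_group_arn),
            waf.get_web_acl_for_resource(ResourceArn=alb_arn))


if __name__ == "__main__":
    result = audit_ingress(SAMPLE_ACCELERATOR, SAMPLE_ENDPOINT_GROUP, SAMPLE_WEB_ACL)
    for code, msg in result or [("OK", "all checks passed")]:
        print(f"{code}: {msg}")
    print("fixed ingress IPs for firewall allow-lists:", static_ips(SAMPLE_ACCELERATOR))
    for code, msg in audit_ingress(*misconfigured_sample()):
        print(f"drift -> {code}: {msg}")
```

Run it as a scheduled job against `fetch_live(...)` output and alert on any non-empty result; the `CLIENT_IP_PRESERVATION_OFF` finding is the one most often missed, because traffic keeps flowing while the WAF silently loses per-client visibility.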

Option 2: Use CloudFront + WAF

  • Common for web apps (HTTP/HTTPS)

Architecture:

  1. Clients → CloudFront (with WAF)
  2. CloudFront → ALB → backend resources

Details:

    • CloudFront integrates natively with AWS WAF.
    • CloudFront has a fixed set of edge locations, but not static IPs (they come from AWS IP ranges).
    • However, twtech can use AWS’s published IP ranges JSON to automate whitelisting (e.g., with firewall automation).

Pros:

    • Tight WAF integration.
    • Edge caching for better latency.
    • Ideal for HTTP/S traffic.

Cons:

    • Not fixed IPs, only predictable AWS IP ranges (need automation if twtech wants firewall rules).
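The automation the option depends on is small but has sharp edges: filter by the exact service name (the client-facing `CLOUDFRONT` entries for rules on the client side; `CLOUDFRONT_ORIGIN_FACING` for what the ALB's security group should trust), collapse overlapping prefixes, and apply only the difference from the last published `syncToken`, so a truncated download can never empty the allow-list. The Python below is an added example, not code from the original post or from AWS; the document layout follows the real file at https://ip-ranges.amazonaws.com/ip-ranges.json, and the embedded sample document is constructed from documentation ranges.

```python
"""Turn AWS's published ip-ranges.json into firewall allow-list entries for CloudFront.

Added example; not code from the original post or from AWS. The field names follow the
real file at IP_RANGES_URL; SAMPLE_IP_RANGES is a constructed stand-in using documentation ranges.
"""
from __future__ import annotations

import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed stand-in for the real file (which lists thousands of prefixes).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2025-10-26-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        # The same range is also listed under the umbrella AMAZON service, as in the real file.
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON",
         "network_border_group": "GLOBAL"},
        # Origin-facing ranges are what an ALB security group should trust, not the client-facing edges.
        {"ip_prefix": "198.51.100.128/25", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
    ],
})


def parse_ip_ranges(text: str) -> dict:
    """Parse the JSON and refuse documents lacking the fields the automation depends on."""
    doc = json.loads(text)
    missing = [k for k in ("syncToken", "prefixes", "ipv6_prefixes") if k not in doc]
    if missing:
        raise ValueError(f"ip-ranges document missing fields: {missing}")
    return doc


def fetch_ip_ranges(url: str = IP_RANGES_URL, timeout: int = 10) -> dict:
    """Download the live document (needs network; the offline demo below uses the sample)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_ip_ranges(resp.read().decode("utf-8"))


def prefixes_for_service(doc: dict, service: str) -> tuple[list[str], list[str]]:
    """Collapsed, sorted IPv4 and IPv6 CIDRs published under exactly one service name."""
    v4 = {ipaddress.ip_network(p["ip_prefix"], strict=False)
          for p in doc["prefixes"] if p.get("service") == service}
    v6 = {ipaddress.ip_network(p["ipv6_prefix"], strict=False)
          for p in doc["ipv6_prefixes"] if p.get("service") == service}
    return ([str(n) for n in sorted(ipaddress.collapse_addresses(v4))],
            [str(n) for n in sorted(ipaddress.collapse_addresses(v6))])


def diff_prefixes(current: list[str], published: list[str]) -> dict[str, list[str]]:
    """Change set for a firewall already carrying `current`: push only the delta and alert on it."""
    def order(cidr: str):
        net = ipaddress.ip_network(cidr, strict=False)
        return (net.version, net)
    cur, pub = set(current), set(published)
    return {"added": sorted(pub - cur, key=order), "removed": sorted(cur - pub, key=order)}


def egress_rules(cidrs: list[str], port: int = 443) -> list[str]:
    """iptables/ip6tables rules letting on-prem clients reach CloudFront edges on HTTPS only."""
    rules = []
    for cidr in cidrs:
        tool = "ip6tables" if ipaddress.ip_network(cidr, strict=False).version == 6 else "iptables"
        rules.append(f"{tool} -A OUTPUT -p tcp -d {cidr} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    doc = parse_ip_ranges(SAMPLE_IP_RANGES)  # swap in fetch_ip_ranges() for live data
    v4, v6 = prefixes_for_service(doc, "CLOUDFRONT")
    # A real job stores the last syncToken and applied list, then pushes diff_prefixes(...)
    # only when the token changes, so a bad download cannot wipe the allow-list.
    print(f"syncToken {doc['syncToken']}: {len(v4)} IPv4 and {len(v6)} IPv6 CloudFront prefixes")
    for rule in egress_rules(v4 + v6):
        print(rule)
```

On the origin side there is a simpler route than polling: the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing` can be referenced directly in the ALB's security group, so the origin allow-list tracks AWS's changes without any script. AWS also publishes a message on the `AmazonIpSpaceChanged` SNS topic each time the file changes, which is a better trigger for the client-side job than a fixed cron schedule.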

Option 3: Use Third-Party or Self-Managed WAF with Fixed IPs

If the AWS-native options don’t fit

twtech can deploy:

    • A reverse proxy or NGFW appliance (such as Fortinet, Palo Alto, or F5) in a public subnet with Elastic IPs.
    • Configure it to forward traffic to the ALB, and associate AWS WAF at the ALB level.

Architecture flow:

Client → Elastic IP (Reverse Proxy/WAF VM) → ALB (AWS WAF) → Backend

Pros:

    • Complete control over IPs and rules.
    • Flexible architecture.

Cons:

    • Increased management overhead.
    • Loses the “fully managed” WAF advantage.
    • Higher cost.

Comparison Summary for the options

| Approach | Fixed IPs | Managed | Performance | Cost | Best Use Case |
|---|---|---|---|---|---|
| Global Accelerator + ALB + WAF | ✅ Yes | ✅ Fully managed | 🚀 Excellent | 💲💲 | Enterprise, multi-region web apps |
| CloudFront + WAF + ALB | ❌ No (AWS ranges) | ✅ Fully managed | 🚀 Excellent | 💲 | Public web apps needing caching |
| Self-managed proxy + ALB + WAF | ✅ Yes | ❌ Manual | ⚙️ Varies | 💲💲 | Custom or hybrid network setups |

Sample AWS Reference Architecture (Fixed IP WAF with ALB)

twtech Key Takeaways

    • WAF itself can’t provide static IPs — use Global Accelerator if twtech needs fixed ingress points.
    • CloudFront + WAF is ideal for global web traffic, not for strict IP requirements.
    • Global Accelerator + WAF + ALB = fully managed, fixed IP, high performance solution.
