Sunday, October 26, 2025

Reliable Architectural Patterns for Achieving a Fixed-IP Setup while still Leveraging AWS WAF with Application Load Balancer (ALB) | Deep Dive.


twtech deep dive into achieving a fixed-IP setup while still leveraging AWS WAF with Application Load Balancer (ALB)

Intro:

  •           By default, AWS WAF doesn’t provide a fixed (static) IP address. It is a managed inspection service that is associated with a resource such as a CloudFront distribution, an API Gateway API, or an Application Load Balancer (ALB); clients connect to that resource, not to the WAF, and all of those resources answer from dynamic IP ranges managed by AWS.
  •            However, there are reliable architectural patterns to achieve a fixed-IP ingress point while still keeping AWS WAF protection in the path.

Breakdown:

  •        The core Challenge,
  •        Solution Overview Options,
  •        Option 1: Use AWS Global Accelerator (Recommended)
  •        Option 2: Use CloudFront + WAF,
  •        Option 3: Use Third-Party or Self-Managed WAF with Fixed IPs,
  •        Comparison Summary of the options,
  •        Sample AWS Reference Architecture (Fixed IP WAF with ALB),
  •        twtech Key Takeaways.

 The Core Challenge.

·       When twtech associates AWS WAF with an Application Load Balancer (ALB), clients still connect to the ALB’s DNS name; the WAF inspects requests inline but adds no ingress address of its own.

·       That DNS name resolves to ALB node IPs that AWS scales and replaces without notice, so the addresses are ephemeral.

·       This means twtech cannot hard-code those ALB IPs in on-prem firewalls or partner systems that require fixed destinations: any such allow-list rule will silently break the next time the ALB’s nodes change.

 Solution Overview

These are the three main approaches to achieve a fixed IP WAF setup in front of a Load Balancer:

Option 1: Use AWS Global Accelerator (Recommended)

·       Best practice and AWS-supported

Architecture:

  1. Clients → AWS Global Accelerator (two static anycast IPs)
  2. Global Accelerator → Application Load Balancer (AWS WAF web ACL associated with the ALB)
  3. ALB → EC2 / ECS / Lambda targets

How AWS Global Accelerator works:

  • Global Accelerator allocates two static anycast IPv4 addresses (from AWS’s pool, or from a range twtech brings with BYOIP) that stay fixed for the life of the accelerator; a dual-stack accelerator adds two static IPv6 addresses.
  • twtech registers the ALB as an endpoint in an endpoint group behind a TCP listener (for example port 443).
  • AWS WAF cannot be associated with the accelerator itself. The web ACL stays attached to the ALB (or to a CloudFront distribution if one is placed in front of the ALB), so the static IPs are a layer-4 ingress point with the WAF inspecting HTTP behind them.
  • The WAF filters requests, but clients always connect via those two fixed IPs.
  • Enable client IP preservation on the ALB endpoint so that AWS WAF IP-based rules, rate limits, and ALB access logs see the real client address rather than the accelerator’s.

Pros:

  • True static IP addresses (optionally twtech’s own BYOIP range).
  • High performance: clients enter AWS’s edge network at the nearest point of presence.
  • Built-in DDoS protection (Global Accelerator is covered by AWS Shield Standard; Shield Advanced can be added).

Cons:

  • Additional cost for Global Accelerator: a fixed hourly charge per accelerator plus a per-GB data transfer premium on top of standard data transfer charges.
  • Layer 4 only: no edge caching and no TLS termination at the edge, so certificates and TLS policy live on the ALB.

Option 2: Use CloudFront + WAF

·       Common for web apps (HTTP/HTTPS)

Architecture:

  1. Clients → CloudFront (with WAF)
  2. CloudFront → ALB → backend resources

Details:

  • CloudFront integrates natively with AWS WAF (the web ACL is created in the CLOUDFRONT scope, in us-east-1).
  • CloudFront has a fixed set of edge locations, but no static IPs: edge addresses are drawn from AWS’s published ranges and change over time.
  • However, twtech can use AWS’s published IP ranges file (https://ip-ranges.amazonaws.com/ip-ranges.json; service "CLOUDFRONT" lists the client-facing edges, "CLOUDFRONT_ORIGIN_FACING" the subset that connects to origins) to automate allow-listing with firewall automation. For the ALB’s own security group, the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing provides the same allow-list with no custom automation.

Pros:

  • Tight WAF integration.
  • Edge caching for better latency.
  • Ideal for HTTP/S traffic.

Cons:

  • Not fixed IPs, only published AWS ranges that change; twtech needs automation to keep firewall rules current.
  • An allow-list of CloudFront ranges admits traffic from any CloudFront distribution, not only twtech’s. Pair it with a secret custom origin header that CloudFront adds and a WAF rule on the ALB that rejects requests without it.
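The allow-list automation described above, as an added example that is not part of the original post: it parses ip-ranges.json, extracts one service’s prefixes, computes the delta between two runs, checks whether a source address falls inside the set, and renders an EC2 security-group IpPermissions entry for the ALB. The embedded SAMPLE_IP_RANGES is a constructed excerpt in the real file’s format so the script runs offline; fetch_ip_ranges() pulls the live file.

```python
"""Automate allow-listing of CloudFront edge ranges from AWS's published ip-ranges.json.

Added example, not the post's own code. Assumes the published file keeps its
documented shape ("syncToken", "prefixes", "ipv6_prefixes", each entry carrying
a "service" field). SAMPLE_IP_RANGES is a constructed excerpt for offline use.
"""
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed excerpt in the live file's format (the real file has thousands of entries).
SAMPLE_IP_RANGES = """{
  "syncToken": "1761436800",
  "createDate": "2025-10-26-00-00-00",
  "prefixes": [
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL"},
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}
  ]
}"""
SAMPLE_DOC = json.loads(SAMPLE_IP_RANGES)


def fetch_ip_ranges(url: str = IP_RANGES_URL) -> dict:
    """Download the live file (network access required); compare "syncToken" to detect changes."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def service_prefixes(doc: dict, service: str = "CLOUDFRONT") -> list[str]:
    """Sorted, de-duplicated CIDRs for one service: IPv4 first, then IPv6.
    "CLOUDFRONT" = client-facing edges; "CLOUDFRONT_ORIGIN_FACING" = the subset that
    connects to origins, which is the right one for the ALB security group."""
    v4 = {ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"] if p["service"] == service}
    v6 = {ipaddress.ip_network(p["ipv6_prefix"]) for p in doc["ipv6_prefixes"] if p["service"] == service}
    # IPv4 and IPv6 networks are not mutually comparable, so each family is sorted on its own.
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]


def diff_prefixes(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """(added, removed) between two runs: the minimal change to push to a firewall."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def is_in_prefixes(ip: str, prefixes: list[str]) -> bool:
    """True if a source address falls in any listed CIDR (a v4/v6 mismatch is simply False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def security_group_permission(prefixes: list[str], port: int = 443) -> dict:
    """One IpPermissions entry for ec2 authorize_security_group_ingress that limits the
    ALB to the given ranges. The managed prefix list com.amazonaws.global.cloudfront.origin-facing
    is the zero-maintenance alternative to regenerating this on every syncToken change."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(n)} for n in nets if n.version == 4],
        "Ipv6Ranges": [{"CidrIpv6": str(n)} for n in nets if n.version == 6],
    }


if __name__ == "__main__":
    current = service_prefixes(SAMPLE_DOC)  # swap in fetch_ip_ranges() for live data
    print("syncToken", SAMPLE_DOC["syncToken"], "->", len(current), "CloudFront prefixes")
    print(json.dumps(security_group_permission(current), indent=2))
```

Run it on a schedule, persist the previous prefix list, and apply only the diff_prefixes() result to the firewall; a changed syncToken with an empty diff means nothing to do. Remember that passing is_in_prefixes() only proves a request came through some CloudFront distribution, so the origin must still validate the secret custom header.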

Option 3: Use Third-Party or Self-Managed WAF with Fixed IPs

 If AWS-native options don’t fit

twtech can deploy:

  • A reverse proxy or NGFW appliance (such as Fortinet, Palo Alto, or F5) in a public subnet with Elastic IPs.
  • Configure it to forward traffic to the ALB, and keep AWS WAF associated at the ALB level so the managed rules still apply behind the appliance.

Architecture flow:

Client → Elastic IP (reverse proxy / WAF appliance) → ALB (AWS WAF) → Backend

Pros:

  • Complete control over IPs and rules.
  • Flexible architecture.

Cons:

  • Increased management overhead (patching, scaling, and rule upkeep on the appliance).
  • Loses the “fully managed” WAF advantage.
  • Higher cost.
  • A single appliance is a single point of failure; an HA pair needs one Elastic IP per node, which clients must allow-list.

 Comparison Summary for the options

Approach                        | Fixed IPs          | Managed           | Performance   | Cost | Best Use Case
--------------------------------|--------------------|-------------------|---------------|------|---------------------------------
Global Accelerator + ALB + WAF  | ✅ Yes             | ✅ Fully managed  | 🚀 Excellent  | 💲💲 | Enterprise, multi-region web apps
CloudFront + WAF + ALB          | ❌ No (AWS ranges) | ✅ Fully managed  | 🚀 Excellent  | 💲   | Public web apps needing caching
Self-managed proxy + ALB + WAF  | ✅ Yes             | ❌ Manual         | ⚙️ Varies     | 💲💲 | Custom or hybrid network setups

 Sample AWS Reference Architecture (Fixed IP WAF with ALB)
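The Option 1 reference architecture (Global Accelerator with static anycast IPs in front of an ALB that carries the AWS WAF web ACL), as an added example that is not part of the original post. It assumes an existing ALB (alb_arn) in alb_region, an existing regional-scope WAFv2 web ACL (web_acl_arn), and a /health path on the backend; the accelerator name is hypothetical. The parameter builders are plain functions so the configuration can be inspected offline; deploy() is the only part that calls AWS.

```python
"""Provision Option 1 with boto3: Global Accelerator (static anycast IPs) -> ALB,
with the AWS WAF web ACL associated at the ALB, then verify the association.

Added example, not the post's own code. Assumptions: existing ALB and regional
WAFv2 web ACL ARNs are supplied by the caller; the backend exposes /health.
"""
import uuid

# The Global Accelerator control-plane API is served only from us-west-2,
# regardless of the region where the ALB endpoints live.
GA_API_REGION = "us-west-2"


def accelerator_params(name: str) -> dict:
    """IPv4 accelerator from AWS's pool; add IpAddresses=[...] here for BYOIP."""
    return {"Name": name, "IpAddressType": "IPV4", "Enabled": True}


def listener_params(accelerator_arn: str, ports: tuple[int, ...] = (443,)) -> dict:
    """Layer-4 listener: TLS is not terminated here, it terminates on the ALB."""
    return {
        "AcceleratorArn": accelerator_arn,
        "PortRanges": [{"FromPort": p, "ToPort": p} for p in ports],
        "Protocol": "TCP",
        "ClientAffinity": "NONE",
    }


def endpoint_group_params(listener_arn: str, region: str, alb_arn: str) -> dict:
    return {
        "ListenerArn": listener_arn,
        "EndpointGroupRegion": region,
        "EndpointConfigurations": [{
            "EndpointId": alb_arn,  # ALB endpoints are referenced by their ARN
            "Weight": 128,
            # Keep the real client IP so WAF IP rules and ALB logs see it, not GA's address.
            "ClientIPPreservationEnabled": True,
        }],
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPath": "/health",  # assumption: backend exposes this path
        "HealthCheckIntervalSeconds": 30,
        "ThresholdCount": 3,
    }


def static_ips(accelerator: dict) -> list[str]:
    """The fixed anycast addresses to hand to on-prem firewall owners."""
    return sorted(ip for ipset in accelerator["IpSets"] for ip in ipset["IpAddresses"])


def deploy(alb_arn: str, alb_region: str, web_acl_arn: str,
           name: str = "twtech-fixed-ingress") -> list[str]:
    """Create accelerator -> listener -> endpoint group, pin the web ACL to the ALB,
    confirm the association, and return the static IPs."""
    import boto3  # imported here so the parameter builders stay usable offline

    ga = boto3.client("globalaccelerator", region_name=GA_API_REGION)
    acc = ga.create_accelerator(IdempotencyToken=str(uuid.uuid4()),
                                **accelerator_params(name))["Accelerator"]
    lst = ga.create_listener(IdempotencyToken=str(uuid.uuid4()),
                             **listener_params(acc["AcceleratorArn"]))["Listener"]
    ga.create_endpoint_group(IdempotencyToken=str(uuid.uuid4()),
                             **endpoint_group_params(lst["ListenerArn"], alb_region, alb_arn))

    # WAF cannot be attached to the accelerator; it is associated with the ALB behind it.
    wafv2 = boto3.client("wafv2", region_name=alb_region)
    wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=alb_arn)

    # Check the association before publishing the IPs to anyone.
    attached = wafv2.get_web_acl_for_resource(ResourceArn=alb_arn)["WebACL"]["ARN"]
    if attached != web_acl_arn:
        raise RuntimeError(f"ALB is protected by {attached}, not {web_acl_arn}")
    return static_ips(acc)


if __name__ == "__main__":
    import sys
    alb, region, acl = sys.argv[1:4]  # usage: script.py <alb-arn> <alb-region> <web-acl-arn>
    print("static ingress IPs:", deploy(alb, region, acl))
```

The accelerator's IPs are stable only while the accelerator exists; deleting and recreating it allocates new addresses, so treat the accelerator as long-lived infrastructure (or use BYOIP) when partners have already allow-listed the IPs.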

twtech Key Takeaways

  • WAF itself can’t provide static IPs; use Global Accelerator if twtech needs fixed ingress points, and keep the web ACL on the ALB behind it.
  • CloudFront + WAF is ideal for global web traffic, not for strict fixed-IP requirements; its ranges are published and change, so allow-lists need automation or the managed prefix list.
  • Global Accelerator + WAF + ALB = fully managed, fixed IP, high performance solution.
