What options do I have if I need a firewall behind AWS network load balancer?

Today we're using WAF for Application Load Balancer and it's great, but WAF does not support Network Load Balancer. So we need a solution that will protect us behind or after the NLB. For example:

1. Firewall -> NLB -> App (best option for us)
2. NLB -> Firewall -> App

Just to be clear, we must use NLB and not ALB because we need TCP rather than HTTP/HTTPS: we have many domains for which we provide SSL on our servers (using CaddyServer), so if we used an ALB, SSL for those domain names would not work. Thanks for the help.

asked Sep 6, 2019 at 8:29

1 Answer

Clarification

I don't really fully understand what you're trying to do. If this doesn't answer your question, please edit it to more fully describe what you're trying to achieve, rather than how you think you might achieve it, i.e. describe your workload and connectivity / firewall requirements. For example, by firewall do you mean a security group, a NACL, an appliance like a virtual SRX on EC2, etc.?

ALB behind NLB

You can have an ALB behind an NLB. Have a look at this article for details. That article shows you how to use an NLB to supply an ALB with a static IP.

An ALB can be protected by a security group. So it's like this:

Internet > NACL > NLB -> Security Group > ALB > Workload 

It could also be:

Internet > NACL > NLB -> Security Group > ALB > NACL > Security Group > Workload 
Internet > NACL > NLB -> Security Group > ALB > NACL > Security Group > EC2 Firewall Appliance -> Security Group -> Workload
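As an added example that is not part of the question or the answer, here is the answer's chain (NLB -> Security Group > ALB > Security Group > Workload) expressed in Terraform for the AWS provider, with the question's WAF attached to the ALB hop. It assumes an existing VPC, public subnets, an ACM certificate and a regional WAFv2 web ACL, all passed in as variables, and it wires the NLB to the ALB with the ALB-type target group that AWS added for this pattern after the answer was written. Resource names, ports and CIDRs are constructed placeholders.

```hcl
# Added illustration, not code from the question or the answer: Terraform (AWS provider)
# sketch of Internet > NLB -> Security Group > ALB > Security Group > Workload, with WAF on the ALB.
# Names and ports are constructed; VPC, subnets, ACM certificate and web ACL are assumed to exist.
variable "vpc_id"          { type = string }
variable "public_subnets"  { type = list(string) }  # subnets for the NLB and the ALB
variable "certificate_arn" { type = string }        # ACM certificate for the ALB listener
variable "web_acl_arn"     { type = string }        # existing WAFv2 web ACL (regional scope)

# ALB security group. The NLB passes the client's source address through to an ALB target,
# so this ingress rule is an allowlist of clients, not of the NLB itself.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}

# Workload security group: 8080 is reachable only from the ALB's group (rule kept separate to avoid a cycle).
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}
resource "aws_security_group_rule" "app_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  source_security_group_id = aws_security_group.alb.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
}

# Internet-facing NLB; the only hop with a public address.
resource "aws_lb" "nlb" {
  name               = "edge-nlb"
  load_balancer_type = "network"
  subnets            = var.public_subnets
}

# Internal ALB, reachable only through the NLB, carrying the security group and the WAF.
resource "aws_lb" "alb" {
  name               = "inner-alb"
  load_balancer_type = "application"
  internal           = true
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnets
}
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.alb.arn
  web_acl_arn  = var.web_acl_arn
}

# NLB -> ALB: a TCP target group whose single target is the ALB (target_type "alb").
resource "aws_lb_target_group" "to_alb" {
  name        = "nlb-to-alb"
  target_type = "alb"
  protocol    = "TCP"
  port        = 443
  vpc_id      = var.vpc_id
}
resource "aws_lb_target_group_attachment" "to_alb" {
  target_group_arn = aws_lb_target_group.to_alb.arn
  target_id        = aws_lb.alb.arn
  port             = 443
}
resource "aws_lb_listener" "nlb_443" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.to_alb.arn
  }
}

# ALB -> workload: TLS terminates on the ALB, then plain HTTP on 8080 (register instances or IPs separately).
resource "aws_lb_target_group" "app" {
  name     = "app-tg"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}
resource "aws_lb_listener" "alb_443" {
  load_balancer_arn = aws_lb.alb.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

Two points worth checking before relying on this layout. The "Internet > NACL" hop from the answer is a separate `aws_network_acl` resource on the same public subnets; NACLs are stateless, so any narrowing there must also admit return traffic to clients on ephemeral ports. And because TLS terminates on the ALB in this chain, it does not fit the question's own requirement of terminating TLS per domain on Caddy; for that case the NLB would forward straight to instance targets and the security group on those instances, which still sees the preserved client address, becomes the filtering point.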