A Beginner’s Guide to AWS WAF: Sample Project
Mahinsha Nazeer



Publish Date: May 17

Quick Guide: Configuring AWS WAF and ELB with a Practical Example

In this blog, we will walk through the process of configuring AWS Web Application Firewall (WAF) to protect applications hosted on AWS. As per AWS documentation, AWS WAF is a web application firewall service that lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer. You can protect those resources based on conditions that you specify, such as the IP addresses that the requests originate from.

Benefits and features (AWS Documentation)

Agile protection against web attacks

AWS WAF rule propagation and updates take just under a minute, enabling you to react faster when you are under an attack or when security issues arise. WAF supports hundreds of rules that can inspect any part of the web request with minimal latency impact to incoming traffic.

Save time with managed rules

With Managed Rules for AWS WAF, you can quickly get started and protect your web application or APIs against common threats. Managed Rules are updated automatically and are available from AWS or AWS Marketplace sellers.

Improved web traffic visibility

AWS WAF gives near real-time visibility into your web traffic, which you can use to create new rules or alerts in Amazon CloudWatch. In addition, AWS WAF offers comprehensive logging, allowing you to capture each inspected web request’s full header data for use in security automation, analytics, or auditing.

Ease of deployment and maintenance

AWS WAF is easy to deploy and protects application(s) deployed on either Amazon CloudFront, the Application Load Balancer, or Amazon API Gateway. There is no additional software to deploy, DNS configuration, or SSL/TLS certificate to manage.

For demonstration purposes, we’ll be using the Example Voting App from Docker’s official GitHub repository:

👉 https://github.com/dockersamples/example-voting-app

We’ll explore how to secure this sample application using AWS WAF, and also review some of the advanced security modules available in the AWS Marketplace to enhance your application’s protection further.

To get started, we have launched an EC2 instance running Ubuntu as the host environment for our demo application:


EC2 instance information

Once the server is ready, connect to it via SSH and install Docker. We will run the application using Docker Compose, which allows us to manage the application’s components as containers efficiently.

You can follow the official Docker documentation to install Docker on your machine:

👉 https://docs.docker.com/engine/install/


ssh terminal

Now create a new folder “voting_app” and clone the Example Voting App repository from Docker’s official GitHub to your EC2 instance:

👉 https://github.com/dockersamples/example-voting-app

Once the repository is cloned, navigate to the application directory and start the containers using Docker Compose (make sure the docker-compose.yml file is present in the current directory before running the docker compose command):

cd example-voting-app
docker compose up -d

This command will launch all the required services in detached mode:


File structure


Building docker containers

To verify that all containers are up and running, execute the following command:

docker ps -a

Once the containers are running, open your browser and navigate to your EC2 instance’s public IP address with port 8080 to verify the application is accessible:

https://13.201.54.199:8080/

Before accessing the application, ensure that port 8080 is allowed in the EC2 security group rules to permit inbound traffic. This step is crucial to confirm that the application is reachable from your browser.


Voting App Website

Now that the application is up and running, let’s proceed to create an AWS Web Application Firewall (WAF) to secure it. AWS WAF will help protect your application from common web exploits and malicious traffic.

AWS WAF cannot be directly attached to an EC2 instance. It requires integration with one of the following:

  • Application Load Balancer (ALB)
  • Amazon CloudFront
  • Amazon API Gateway
  • AWS App Runner

For your EC2-hosted application, you will need to place it behind an ALB or use CloudFront as a distribution layer. This allows AWS WAF to inspect and filter traffic before it reaches your EC2 instance.

Now, we’ll take an AMI (Amazon Machine Image) of the existing EC2 instance. This will allow us to launch a second identical EC2 instance, enabling us to simulate a load-balanced environment.

Once the new instance is created:

  1. We will add both EC2 instances to a Target Group.
  2. Then, we’ll create an Application Load Balancer (ALB) and attach the Target Group to it.

This setup will allow us to:

  • Distribute traffic across multiple instances.
  • Attach AWS WAF directly to the ALB.
  • Ensure higher availability and scalability.

Navigate to the EC2 Dashboard in the AWS Console and follow these steps:


Step 1

While creating the image:

  • Enter a name and description to easily identify the AMI later.
  • Uncheck the “Reboot instance” option to prevent downtime during image creation.
  • Optionally, add a key tag (e.g., Name: voting-app-ami) to help filter and locate the image quickly, especially in environments with multiple AMIs.


step 2

After the AMI is ready, navigate to the AMIs section in the EC2 console. Select your newly created image and click “Launch instance from image” as shown below:

Proceed with the instance launch wizard by selecting the appropriate instance type, security groups, and key pair, then complete the launch.

instance. Otherwise, it cannot be added to the same Elastic Load Balancer (ELB) target group.

You can launch the instance in any Availability Zone (AZ) within the same VPC to enhance fault tolerance.


New EC2 created successfully

Once the second EC2 instance is launched:

  1. SSH into the instance.
  2. Navigate to the application directory as done on the first EC2 machine: cd example-voting-app
  3. Run the application using Docker Compose: docker compose up -d

Creating Target group for ALB

With both EC2 instances ready, the next step is to create a Target Group. This group will manage the instances that receive traffic from the Application Load Balancer (ALB).


Creating target group for ALB


Target group configuration

Once you update the configuration and click next, you will be directed to another page asking for the resources:


Choose the corresponding EC2 machines and create the target group

Once the Target Group is ready, create the Application Load Balancer. Follow the steps shown in the screenshot below:


Creating a load balancer for the application

Creating ALB (Application Load Balancer)

AWS offers three types of Elastic Load Balancers (ELBs):

Application Load Balancer (ALB)

  • Operates at Layer 7 (HTTP/HTTPS).
  • Ideal for web applications and supports features like host-based and path-based routing.

Network Load Balancer (NLB)

  • Works at Layer 4 (TCP/UDP).
  • Designed for high performance and low latency, suitable for real-time applications or large-scale traffic.

Gateway Load Balancer (GWLB)

  • Used for deploying, scaling, and managing third-party virtual appliances (e.g., firewalls, intrusion detection systems).
  • Operates at Layer 3 and Layer 4.

For this setup, we are using an Application Load Balancer (ALB), as it is best suited for HTTP-based applications.


Application Load balancer

Now follow the configuration below:


Basic configuration

In the network mapping, choose the right VPC and select the Availability Zones and subnets in which the EC2 machines were created. Here I am selecting all subnets, since I want to scale the EC2 machines in future projects.


Networking

Now select the security group and listener configuration for the load balancer. Choose the target group in the routing option (tag 3) as in the following screenshot:


Security group, listener and routing

For the remaining configuration options, you can leave them as default (unchecked), as shown in the screenshot below:


Other configuration

These default settings are sufficient for our current use case. We will configure the WAF later. Once reviewed, proceed to create the load balancer.

After completing the load balancer configuration, verify that the load balancer’s DNS name correctly loads your application in a web browser. If you encounter issues accessing the application via the load balancer DNS, ensure that the necessary ports are open and properly configured in the associated security groups.

Refer to the following guidelines to confirm your security group settings are allowing the required traffic.


EC2 instances security group rules


Load balancer security group rules

Note: In real-world deployments, EC2 instances are typically placed in private subnets with no direct internet access. For testing purposes only, we are exposing them to the public network in this setup.

Configuring WAF for the project

Navigate to the AWS Management Console, search for “WAF” in the search bar, and select “WAF & Shield” from the results. Then click “Create web ACL”.


AWS WAF

Next, specify the resource type, select the correct AWS region, and provide a clear description. Once done, click on “Add AWS Resources” to proceed.


Creating web ACL

Now, select the appropriate resource type and choose the Application Load Balancer (ALB) you created earlier. Then, click “Add” to continue.


Configuring WAF

On the next page, you can add managed rule groups to your WAF. AWS offers a variety of built-in rule groups, and you can also choose from third-party providers such as Cloudbric, Fortinet, GeoGuard, and more.


Managed rule groups in AWS WAF

Click on “AWS Managed Rule Groups” to view a list of free, pre-configured rule groups provided by AWS. These offer baseline protection against common threats such as SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities. In this case, I enabled the following rule groups. If you click “Edit”, you can adjust certain parameters and customize the rule groups as per your needs.


Managed rule group

In the upcoming window, you can keep the default settings.

On the next page, you can retain the default settings. This is where you define the default action for requests that do not match any rules in the Web ACL. If you’re applying IP filtering or similar rules, you can use this setting to block all other requests that do not originate from the expected IP addresses.


Configure metrics

On the next page, you can set the priority for each rule group within the Web ACL. This determines the evaluation order — similar to an if condition chain. The rules are processed in sequence: if the first rule allows the request, the next rule is evaluated, and so on. If any rule blocks the request, evaluation stops immediately and the request is denied.

After clicking “Next,” you’ll be taken to the review page. Verify all the configurations, and once everything looks correct, click “Create Web ACL” to finalize the setup.


Create Web ACL

Now, let’s look at how to add custom rules and rule groups to the Web ACL. While managed rule groups provide convenience, they offer limited customization. Custom rules give you full control, allowing you to define specific conditions and actions based on your application’s unique requirements.

Let’s go to the WAF configuration and create rules as in the following screenshot:


Web ACL Configuration

As shown in the following screenshot, you’ll see various rule types — such as IP set, rule builder, and rule group. In this example, we’re going to implement a CAPTCHA challenge specifically for users accessing the application from India. If needed, you can also create IP sets to allow or block specific addresses or apply rules based on IP ranges.


WAF Custom rules

Now, reload the Load Balancer DNS name in your browser and verify that the changes have taken effect as expected. You should see the configured CAPTCHA challenge applied to users from India (you can choose your own country so that you can verify the changes).
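To make the priority-ordered evaluation and the geo-match CAPTCHA rule concrete, here is an added example (not code from the post or from AWS) that models a small web ACL in the wafv2 API shape and walks constructed requests through it. It assumes the documented action semantics: Allow and Block terminate evaluation, Count is non-terminating, and a CAPTCHA rule only lets a request continue when it carries a valid token; the IP set ARN and the sample addresses are placeholders.

```python
import ipaddress

# Constructed IP set, keyed by a placeholder ARN (real sets are referenced by ARN).
IP_SETS = {
    "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/blocked/PLACEHOLDER": ["198.51.100.0/24"],
}

# Constructed web ACL rules in wafv2 API shape: lower Priority is evaluated first.
RULES = [
    {"Name": "block-bad-ips", "Priority": 0,
     "Statement": {"IPSetReferenceStatement": {"ARN": next(iter(IP_SETS))}},
     "Action": {"Block": {}}},
    {"Name": "count-api", "Priority": 1,
     "Statement": {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}},
                                          "SearchString": "/api/",
                                          "PositionalConstraint": "STARTS_WITH"}},
     "Action": {"Count": {}}},
    {"Name": "captcha-india", "Priority": 2,          # the rule built in this post
     "Statement": {"GeoMatchStatement": {"CountryCodes": ["IN"]}},
     "Action": {"Captcha": {}}},
]
DEFAULT_ACTION = "Allow"   # applied when no terminating rule matches


def matches(statement, req):
    """Simplified matcher for the three statement types used above."""
    if "IPSetReferenceStatement" in statement:
        nets = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(n) for n in nets)
    if "GeoMatchStatement" in statement:
        return req["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "ByteMatchStatement" in statement:   # only STARTS_WITH on the URI path is modelled
        return req["path"].startswith(statement["ByteMatchStatement"]["SearchString"])
    raise ValueError("unsupported statement")


def evaluate(req, rules=RULES):
    """Return (final action, names of rules that matched) for one request."""
    matched = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if not matches(rule["Statement"], req):
            continue
        matched.append(rule["Name"])
        action = next(iter(rule["Action"]))
        if action == "Count":                                   # non-terminating
            continue
        if action == "Captcha" and req.get("captcha_token_valid"):
            continue                                            # challenge already solved
        return action, matched                                  # Allow / Block / Captcha stop here
    return DEFAULT_ACTION, matched
```

Swapping the Priority values of the two terminating rules changes which one wins, which is exactly what the priority page in the console controls.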

In this guide, we successfully secured an application using AWS WAF integrated with an Application Load Balancer (ALB). We configured managed and custom WAF rules, implemented a CAPTCHA challenge specifically for users from India, and applied appropriate security group settings. This setup demonstrates a practical approach to enhancing application security on AWS. For production environments, always consider refining your rules, monitoring traffic patterns, and following best practices for access control.

For a deeper understanding of AWS WAF and Shield, see https://docs.aws.amazon.com/waf/
