
AWS EC2 Geo Restriction with Application Load Balancer (ALB) and Web Application Firewall (WAF) / Access Control Lists (ACL), custom response body, https encryption

AWS EC2 Application Load Balancer (ALB) WAF ACL Geo Restriction VPC Certificate Manager

In this tutorial I’ll set up an Application Load Balancer (ALB) for EC2 instances and implement geo restriction / geo blocking through the Web Application Firewall (WAF) and an Access Control List (ACL). The data transfer will also be automatically https encrypted with a certificate from the AWS Certificate Manager.

Pt. 1: Set up a dedicated VPC (Optional)

Every AWS Region has its own default VPC, which you can use for the Load Balancer. For this tutorial I’ll create a dedicated VPC.

Open VPC Console and create a new VPC: https://console.aws.amazon.com/vpc/

Create subnets in at least two Availability Zones, otherwise the ALB won’t work:

For this tutorial it is not necessary to create a NAT gateway or S3 Gateway:

The VPC should look like this:

Pt. 2: Set up Security Groups in the VPC

We’ll create separate Security Groups, one for the EC2 instances and one for the Load Balancer. The Security Group for the EC2 instances will be configured so that only the Load Balancer can access the web servers.

Open EC2 Console:
https://console.aws.amazon.com/ec2/

Security Group for Load Balancer

Open the EC2 / Dashboard panel and create a Security Group in the VPC:

When new AWS resources are created, AWS automatically picks the default VPC. In case you created a dedicated VPC, remove the default VPC and select your new VPC:

Create Inbound Rules for http & https and create the Security Group:

Security Group for EC2 Instances

Create a Security Group for your EC2 instances and define an Inbound Rule for http with the Load Balancer Security Group as source. For the SSH inbound rule I recommend only your specific IP as source, but for this tutorial I use anywhere IPv4:
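The two Security Groups from Pt. 2 as Terraform, added here as an example and not part of the original tutorial. var.vpc_id and var.admin_cidr are assumed inputs, and the resource and group names are my own.

```hcl
# Security Group for the Load Balancer: http and https from anywhere.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id # assumed input: the dedicated VPC from Pt. 1
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security Group for the EC2 instances: http is accepted only from the Load
# Balancer's group (a group reference, not a CIDR), so the web servers are
# not reachable directly from the internet even with a public IP.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  # SSH only from one admin address; var.admin_cidr is an assumed input.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # e.g. "203.0.113.10/32"
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The explicit egress rules are needed because Terraform removes the implicit allow-all egress rule when it manages a Security Group.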

Pt. 3: Set up one or more EC2 Instances

One EC2 instance is enough for a working Load Balancer, but set up as many instances as you need. Edit the Network Settings:

Select the following network settings:

  • VPC: Select your dedicated VPC
  • Subnet: Select a Public Subnet
  • Auto-assign public IP: Enable

Select the newly created Security Group and launch the Instance:

Copy the public IPv4 address of your instance and SSH into it:

Install Nginx with sudo apt install nginx and open the default html file:
sudo vi /var/www/html/index.nginx-debian.html

Replace it with a simple example site like this:

<!DOCTYPE html>
<html>

<head>
	<title>jklug.work</title>
</head>

<body>
	<h1>Geo Restriction Test</h1>
</body>

</html>

Pt. 4: Certificate Manager - Request SSL Certificate

Open the Certificate Manager and create a certificate for your domain. Be sure to include all Subdomains with *.your.domain:

Pt. 5: Load Balancer

Load Balancer - Target Groups

Go to the Load Balancing / Target Groups panel and create a new Target Group:

Choose target type “Instances” and select your dedicated VPC:

Select “http” for health check protocol:

Select your EC2 Instances and register them as targets:

Configure Load Balancer and Listener

Go to the Load Balancing / Load Balancers panel and create a new Application Load Balancer:

Select your dedicated VPC and at least two Subnets:

Select the Security Group we created for the Load Balancer, set the Listener to the “https” protocol forwarding to your Target Group, and select your Certificate. Create the Load Balancer:

Redirect Load Balancer from http to https

Go to the Load Balancer panel, select your Load Balancer and add another listener:

Click “Add action” and select “Redirect”:

Redirect the Listener from http to https:
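The Target Group, Load Balancer and both listeners from Pt. 5 as Terraform, added here as an example and not part of the original tutorial. It assumes the inputs var.vpc_id, var.public_subnet_ids, var.alb_sg_id (the Load Balancer Security Group), var.instance_id and var.certificate_arn (the ACM certificate from Pt. 4).

```hcl
resource "aws_lb" "this" {
  name               = "geo-alb"
  load_balancer_type = "application"
  security_groups    = [var.alb_sg_id]
  subnets            = var.public_subnet_ids # subnets in at least two AZs
}

# Targets are the EC2 instances; health checks default to HTTP on port 80.
resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = var.instance_id
  port             = 80
}

# https listener: terminates TLS with the ACM certificate and forwards
# plain http to the target group inside the VPC.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# http listener: never serves content, only redirects to https.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.this.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```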

Pt. 6: Route 53 - Add DNS entry for ALB

Select the following settings:

  • Record type: “A - Routes traffic to an IPv4 address and some AWS resources”
  • Value/Route traffic to: “Alias to Application and Classic Load Balancer”
  • Select the Region in which you created the Load Balancer
  • Select your Load Balancer

Test Load Balancer

Open your domain in a browser and note that the site is served securely over https:

Pt. 7: Web Application Firewall (WAF) & Access Control Lists (ACL)

To limit access to your resources it can be very helpful to implement Geo Restriction / Geo Blocking. Open the WAF Console https://console.aws.amazon.com/wafv2/ and create a new ACL.

Select the same region as your Load Balancer and select Regional Resources:

Click “Add AWS resources”, select “Application Load Balancer” and add the Load Balancer you’ve created.

Note that it can take up to two hours after the Load Balancer was created until WAF / ACL is able to access it. In case WAF / ACL is not yet ready to access the Load Balancer you get an error message, but as a workaround you can create the WAF / ACL and add the Load Balancer later:

Add Access Control Rule:

The Rule should look as follows:

Make sure to block requests that don’t match the rule:

Click next and create the ACL:

Test Web Application Firewall / Geo Restriction

Use Geo Browse to access your Domain from another country:
https://geotargetly.com/geo-browse

You should be able to see the blocked connection attempts in your ACL overview:

Custom response body for blocked countries

Select your ACL, open the “Custom response bodies” panel and create a new custom response body:

Select content type “HTML” and paste some html content, for example this:

<!DOCTYPE html>
<html>

<head>
	<meta charset="utf-8">
	<title>Geo Restriction Warning</title>
</head>

<body>
	<h2>Sorry, this content is not available in your location.</h2>
	<br>
	<p>Our website is currently not available in your country due to geo-restrictions.</p>
	<p>We apologize for any inconvenience this may cause.</p>
</body>
</html>

Edit the default web ACL action for requests that don’t match any rules:

Enable “custom response”, add a response code, for example “443”, and select your custom response body:
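The Web ACL from Pt. 7 as Terraform, added here as an example and not part of the original tutorial: one geo match rule that allows the listed countries, a default block action that serves the custom HTML page, and the association with the Load Balancer. It assumes var.allowed_countries, var.alb_arn and a file geo-blocked.html holding the HTML above, and uses 403 Forbidden as the response status.

```hcl
resource "aws_wafv2_web_acl" "geo" {
  name  = "geo-restriction"
  scope = "REGIONAL" # an ALB is a regional resource

  # Page served to blocked visitors; file is assumed to hold the HTML above.
  custom_response_body {
    key          = "geo_blocked"
    content_type = "TEXT_HTML"
    content      = file("${path.module}/geo-blocked.html")
  }

  # Default action: requests matching no rule are blocked with the page.
  default_action {
    block {
      custom_response {
        response_code            = 403
        custom_response_body_key = "geo_blocked"
      }
    }
  }

  # Allow-list rule: only the listed countries (assumed input) get through.
  rule {
    name     = "allow-listed-countries"
    priority = 0
    action {
      allow {}
    }
    statement {
      geo_match_statement {
        country_codes = var.allowed_countries # e.g. ["AT", "DE"]
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-listed-countries"
      sampled_requests_enabled   = true
    }
  }

  # Metrics and sampled requests make blocked attempts visible in the overview.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "geo-restriction"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn # assumed input: the Load Balancer from Pt. 5
  web_acl_arn  = aws_wafv2_web_acl.geo.arn
}
```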