An Application Load Balancer (ALB) is a type of load balancer provided by AWS that functions at the application layer i.e. Layer 7 of the OSI model. ALBs are used to route traffic based on the content of the request to the appropriate target group.
In this article, we will look at the best practices to secure your Application Load Balancer.
Use HTTPS Listener
Only forward HTTPS traffic to your target group. Enable HTTP to HTTPS redirect for your ALB so that you can continue serving HTTP traffic securely.
Use Amazon Certificate Manager (ACM)
ACM should be used to provision and manage SSL certificates. ACM integrates directly with AWS ALB and also manages the auto-rotation of these certificates. ACM greatly reduces the management overhead associated with SSL certificates. Another reason to use ACM is that it is free.
Separate ALB & Target Group
Run your internet-facing ALB in a public subnet and your application servers (target group) in a private subnet. Security groups should be used to enable connectivity between the load balancer and the servers. E.g. Your target group’s security group should allow inbound traffic from the load balancer.
The primary reason to keep your application servers in a private subnet is to prevent any unintended access to your application servers.
Integrate AWS Web Access Firewall (WAF)
AWS WAF integrates with ALB and can be used to protect your application against attacks like DDoS, SQL injection, cross-site scripting, etc. Any malicious requests are blocked at the load balancer itself and thus preventing these requests from reaching your application.
Enable Access Logs for your ALB. Access logs capture detailed information about requests received by the load balancer that help in debugging later.