I'm working with multiple cloud platforms, including Azure, Google Cloud, and AWS, as well as on-premise systems. Currently, AWS and Azure use their native WAFs, and I believe our on-premise setup uses Imperva. The security team wants to consolidate our WAF protections under one vendor for centralized management and is considering a new vendor for this layer. However, I'm proposing that we can use AWS WAF not just for AWS but also to protect our on-premise systems and environments in Azure and Google Cloud. Has anyone implemented something similar? What challenges or disadvantages have you faced?
5 Answers
From what I understand, AWS WAF is mainly designed for protecting resources within AWS. To use AWS WAF for non-AWS resources, you'd need to set up AWS Load Balancers as reverse proxies, which can be complicated and risky. Maybe looking into WAF solutions like Signal Sciences or Tenable could be more beneficial.
I think Cloudflare might be a good solution for your needs. It could work well across different environments without the restrictions of AWS WAF.
Yeah, that's one of the vendors being considered, but I believe AWS can also handle it.
I would recommend Cloudflare. It's generally cheaper and can handle all your environments. Plus, as others have mentioned, routing traffic through AWS adds unnecessary complexity when you have effective solutions like Cloudflare available.
Yes, you can protect Azure or Google Cloud with AWS WAF by setting up CloudFront as a proxy. Essentially, you'd direct CloudFront to your non-AWS origin and attach the WAF to that. Just be mindful of the added latency and potential data transfer costs because the traffic has to flow through AWS. Also, make sure to secure the connection between CloudFront and your origin with custom headers or IP whitelisting to ensure the WAF isn't bypassed.
That's exactly the setup I was considering. Using CloudFront with a custom header seems like a solid plan.
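The origin-side half of the CloudFront-as-proxy setup discussed above, as an added example that is not code from anyone in this thread: if the Azure, GCP or on-prem origin accepts requests that did not come through CloudFront, the WAF is bypassed, so the origin itself must verify the custom header and the source address. The header name, the secret value and the ip-ranges.json sample are constructed for the example; the real ranges come from AWS's published ip-ranges.json under the service name CLOUDFRONT_ORIGIN_FACING, and refreshing from that file is what replaces hand-maintained IP lists.

```python
"""Origin-side check that a request really arrived via CloudFront.

Added example, not code from the thread. Two independent checks:
  1. a shared-secret header that CloudFront adds as a custom origin header
     (the header name and secret below are assumptions), and
  2. the TCP peer address must fall inside CloudFront's origin-facing
     ranges, taken from AWS's published ip-ranges.json (service
     "CLOUDFRONT_ORIGIN_FACING"); the JSON here is a constructed sample
     using TEST-NET addresses, not real AWS prefixes.
"""
import hmac
import ipaddress
import json
from typing import Dict, List, Tuple

# Assumed header name and secret. Configure the same pair as a custom origin
# header on the CloudFront distribution and rotate the value periodically.
ORIGIN_SECRET_HEADER = "x-origin-verify"
ORIGIN_SECRET = "d4c1e2b8f0a94c6e8a1b7c3d5e9f0a2b"

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def cloudfront_origin_networks(ip_ranges_json: str) -> List[ipaddress.IPv4Network]:
    """Parse ip-ranges.json and keep only the CloudFront origin-facing prefixes.

    Re-run this whenever the file's syncToken changes (AWS publishes an SNS
    topic for that) so the allow-list is not maintained by hand.
    """
    data = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["service"] == "CLOUDFRONT_ORIGIN_FACING"
    ]


def verify_cloudfront_request(headers: Dict[str, str], remote_ip: str,
                              networks: List[ipaddress.IPv4Network]) -> Tuple[bool, str]:
    """Return (allowed, reason).

    `remote_ip` must be the TCP peer address of the connection, never a value
    from X-Forwarded-For: CloudFront sets that header to the viewer's address
    and a direct caller can set it to anything. If another load balancer sits
    between CloudFront and this code, the peer address is that balancer and
    the IP check has to move to the balancer instead.
    Header names are matched case-insensitively, as HTTP requires, and the
    secret is compared in constant time.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(ORIGIN_SECRET_HEADER, "")
    if not hmac.compare_digest(presented.encode(), ORIGIN_SECRET.encode()):
        return False, "missing or wrong origin secret header"
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable client address"
    if not any(addr in net for net in networks):
        return False, "client address not in CloudFront origin-facing ranges"
    return True, "ok"


if __name__ == "__main__":
    nets = cloudfront_origin_networks(SAMPLE_IP_RANGES_JSON)
    good = {"Host": "app.example.com", "X-Origin-Verify": ORIGIN_SECRET}
    print(verify_cloudfront_request(good, "192.0.2.10", nets))          # via CloudFront
    print(verify_cloudfront_request({"Host": "app.example.com"}, "192.0.2.10", nets))  # header stripped
    print(verify_cloudfront_request(good, "203.0.113.7", nets))         # secret leaked, direct hit
```

Both checks are needed: the header alone fails open if the secret leaks (it is visible in the CloudFront origin config and to anyone who can read origin logs), and the IP check alone lets any other CloudFront distribution, including an attacker's, reach the origin.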
Consolidating WAF protection with AWS for Azure, GCP, and on-prem isn’t exactly straightforward. AWS WAF is tailored for AWS resources, so if you protect external endpoints, you'll have to channel all traffic through CloudFront, which can introduce latency and networking complexities. Many teams prefer using a provider like Cloudflare or Imperva, which offers cloud-agnostic solutions. If you choose AWS WAF, expect manual IP updates and possible bottlenecks. For automation, consider tools like n8n or Runable to sync your settings across clouds.

It might be a lot of work, but that’s what OP is suggesting. Sure, it's possible, but I think using something like Cloudflare could reduce lock-in and keep things streamlined.