I'm using an App Load Balancer (ALB) that filters requests based on a specific header before forwarding them to an EC2 instance. However, I'm worried about potential DDoS attacks that could flood my ALB with requests lacking the correct header. Since this is just a simple app, I want to avoid a large bill if someone launches a DDoS attack against my ALB. Are there better ways to protect myself from these attacks, considering I need to stick with EC2 as a backend and it was already being targeted when it had a public IP?
4 Answers
For a low-cost solution, attaching a WAF to your ALB is the traditional approach, but keep in mind that it might not completely block bots targeting the ALB directly by its IP without a valid host header. You can set geo-specific rules on your WAF that deny traffic from countries you're not expecting, which helps against unwanted traffic. For more advanced DDoS protection, you could explore AWS Shield which can be quite expensive.
Can you avoid the ALB and use API Gateway with Lambda? API Gateway has built-in rate limiting which could provide better protection against sudden surges in requests.
Consider deploying AWS WAF2 along with AWS Shield Advanced. It's a bit pricey though, so weigh that against your budget. You could also use AWS WAF2 without the Shield subscription; just create your own WebACL rules to filter requests.
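Added example, not code from any answer here: a boto3 script that builds the two WAFv2 rules the setup in the question calls for (block requests that lack the required header, then rate-limit each source IP) and attaches the resulting Web ACL to the ALB. The header name, expected value, limit, ACL name and region are assumed placeholders.

```python
"""Assumed example: build a WAFv2 Web ACL for an ALB (not from the thread)."""
from typing import Any


def _visibility(name: str) -> dict[str, Any]:
    """CloudWatch metric config that every rule and the ACL itself require."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def header_rule(header: str, expected: bytes, priority: int = 0) -> dict[str, Any]:
    """Block any request whose `header` is missing or != `expected`.

    WAFv2 has no "header absent" statement, so a NotStatement wraps an exact
    ByteMatchStatement: a missing header fails the inner match and is blocked.
    """
    return {
        "Name": "RequireAppHeader", "Priority": priority, "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RequireAppHeader"),
        "Statement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": header.lower()}},  # WAF requires lowercase
            "PositionalConstraint": "EXACTLY",
            "SearchString": expected,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }}}},
    }


def rate_rule(limit: int, priority: int = 1) -> dict[str, Any]:
    """Block a source IP once it exceeds `limit` requests in the evaluation window."""
    return {
        "Name": "RateLimitPerIP", "Priority": priority, "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitPerIP"),
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
    }


def web_acl_rules(header: str, expected: bytes, limit: int) -> list[dict[str, Any]]:
    """Header gate first (priority 0), then the per-IP rate limit (priority 1)."""
    return [header_rule(header, expected, 0), rate_rule(limit, 1)]


def deploy(alb_arn: str, rules: list[dict[str, Any]], region: str = "us-east-1") -> str:
    """Create the ACL and attach it to the ALB; needs AWS credentials and boto3."""
    import boto3  # imported here so the rule builders above stay usable offline
    waf = boto3.client("wafv2", region_name=region)
    acl = waf.create_web_acl(Name="alb-header-gate", Scope="REGIONAL", DefaultAction={"Allow": {}},
                             Rules=rules, VisibilityConfig=_visibility("AlbHeaderGate"))
    waf.associate_web_acl(WebACLArn=acl["Summary"]["ARN"], ResourceArn=alb_arn)
    return acl["Summary"]["ARN"]
```

Requests the ACL blocks never reach the EC2 target, but they are still received by the ALB and inspected by WAF, so this protects the backend rather than eliminating per-request charges at the edge.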
You might want to look into using a Web Application Firewall (WAF), which AWS offers, or consider third-party services like Cloudflare to sit in front of your service for added protection.