AWS & HAProxy

Manoj Kanduri
3 min read · Sep 5, 2018


Why do I need HAProxy in AWS stack?

Some interesting developments came out of a successful hack week, and I take account here of some of the charms of the AWS world. The task at hand was to develop a mobile app that would consume secure public APIs hosted in an AWS environment. Here is the series of events and the evolving integration design, in brief (a picture is worth a thousand words).

Day 1:

The team had some humiliation in store at this stage; a few questions were asked:

- Microservices in public subnet?????

- ELB in public??? Where is trust?

You bet!!!

- Here is a multi-region setup with ACLs separating the subnets.

While microservice development was in full swing, a few more questions followed:

- How do you trust the user accessing the API Gateway?

- The service ELB endpoint published in Route 53 is still exposed to exploits.

Day 2:

Secured the user, and the user's access to the app, through IdP integration. Access tokens exchanged over the API are validated by an AWS Lambda implementation of an API Gateway authorizer. Traffic is sanitized at the service layer by checking for the custom header access_token.

Much better, but this was not enough.

- Services in the public subnet are unbounded and can be exploited by DDoS.

- Ingress at the public subnet should only trust the API Gateway.

- Authorizer validation adds latency for chatty mobile apps, since every ingress event is validated.

Day 3:

API Gateway is an AWS-managed service with unbounded ingress and egress traffic and no affinity to the VPC. It was not possible to configure the public services ELB to trust certs generated by API Gateway, so it was time for a reverse proxy to terminate the ingress event and trust incoming traffic only from API Gateway as the source. HAProxy was configured to trust API Gateway upstream, and ingress ACLs on the service ELB limited access to HAProxy downstream only. The authorizer's cache configuration resolved the latency issue.
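As an added example (not the author's configuration), here is the shape such an HAProxy deployment takes: TLS is terminated at the proxy, only traffic arriving from the API Gateway source ranges and carrying the access_token header is forwarded, and the backend is the internal service ELB. Every CIDR, hostname, certificate path and DNS address below is a placeholder; the real gateway ranges are the API_GATEWAY entries in AWS's published ip-ranges.json.

```haproxy
# Added example haproxy.cfg; not the author's configuration. Every address,
# CIDR, hostname and path below is a placeholder (assumption).

global
    log 127.0.0.1 local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Runtime resolver so the ELB's changing addresses are re-resolved;
# 10.0.0.2 stands in for the VPC-provided DNS address (assumption).
resolvers aws
    nameserver vpc 10.0.0.2:53
    hold valid 10s

frontend fe_public_api
    # TLS termination; certificate path is a placeholder.
    bind *:443 ssl crt /etc/haproxy/certs/api.example.com.pem
    # Placeholder CIDRs standing in for the API Gateway egress ranges.
    acl from_api_gateway src 203.0.113.0/24 198.51.100.0/24
    # The custom header the Day 2 design uses to carry the validated token.
    acl has_access_token req.hdr(access_token) -m found
    # Anything not arriving from the gateway, or without the token header,
    # is refused here and never reaches the service ELB.
    http-request deny deny_status 403 if !from_api_gateway
    http-request deny deny_status 401 if !has_access_token
    default_backend be_service_elb

backend be_service_elb
    # Internal service ELB (placeholder name); re-encrypted and verified on the way in.
    server elb internal-service-elb.example.internal:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt resolvers aws resolve-prefer ipv4 check
```

The matching piece on the AWS side is the ingress rule the post describes: the service ELB's security group admits port 443 only from the HAProxy instances. One caveat worth keeping in mind: the API Gateway source ranges are shared with every other AWS customer using the service, so the source allow-list narrows exposure rather than proving the caller is your gateway; a static secret header set on the API Gateway integration request and checked by HAProxy with the same `req.hdr` ACL pattern is the stronger trust signal.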

Day 4:

Nope!!! Still not good; reviewers pointed out the open-ended API Gateway. Where is the firewall?

No problem: WAF was enabled on the CloudFront distribution of API Gateway for /api.

Day 5:

A much better day; the team just had to seed specific WAF rules addressing the security concerns.

How is the access token disabled?

Everybody settled on 5 minutes of user access configured on the authorizer, as long as the service APIs reject the traffic.
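To make the Day 2 authorizer and the Day 5 five-minute window concrete, here is an added example of a TOKEN-type Lambda authorizer; it is not the author's code. It assumes access tokens are HS256 JWTs signed with a shared secret known to both the IdP and the function (a stand-in for checking against the IdP's published keys), the issuer and audience strings are placeholders, and `mint_token()` exists only so the example runs offline. The five-minute cache itself is not Lambda code: it is the `authorizerResultTtlInSeconds` setting (300) on the API Gateway authorizer, which is why the returned policy covers the whole stage rather than the single method that triggered it.

```python
"""Minimal API Gateway TOKEN authorizer in the style of the Day 2 design.

Added example, not the author's code. Assumptions: tokens are HS256 JWTs signed
with a shared secret (stand-in for IdP key validation); issuer, audience and the
secret are constructed placeholders; mint_token() exists so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_SECRET = b"constructed-demo-secret-not-for-production"  # constructed (assumption)
EXPECTED_ISSUER = "https://idp.example.com"                      # placeholder IdP
EXPECTED_AUDIENCE = "mobile-app"                                 # placeholder client id


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, lifetime: int = 300, now=None) -> str:
    """Build an HS256 JWT; stands in for the IdP issuing a short-lived access token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims if signature, alg, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a token claiming "none" or another alg is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def build_policy(principal: str, effect: str, resource_arn: str) -> dict:
    """IAM policy document in the shape API Gateway expects back from an authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource_arn}],
        },
        # Passed through to the integration as $context.authorizer.sub
        "context": {"sub": principal},
    }


def lambda_handler(event: dict, context=None, now=None) -> dict:
    """TOKEN authorizer entry point; event['authorizationToken'] carries the access_token header."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        # The literal message 'Unauthorized' makes API Gateway answer 401
        # without invoking the backend.
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:region:acct:api-id/stage/METHOD/path
    # Allow the whole stage so the cached decision (authorizerResultTtlInSeconds=300)
    # covers every route the chatty client calls, not only the first one.
    arn_parts = event["methodArn"].split("/")
    stage_arn = "/".join(arn_parts[:2]) + "/*"
    return build_policy(claims["sub"], "Allow", stage_arn)
```

The expiry check is what gives the Day 5 answer its teeth: once the token's `exp` passes, the next cache miss yields a 401 and API Gateway stops forwarding the call, so the longest a revoked user keeps access is the cache TTL plus the token lifetime.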

Final Thoughts

AWS has its own limitations, and naturally there were roadblocks in the hack week journey above, but these roadblocks are minuscule compared to the rich features and services AWS provides. Cloud services have matured to a state where beginners and first-time users of various new AWS services can learn, grasp and deliver in a short span.

Is it time for 100% cloud? I still have mixed thoughts about it, but it's time for open platforms to enforce standards and portability of infrastructure.


Written by Manoj Kanduri

Cloud Systems Architect, Software Engineer, Learner
