Skip to content

Basic concepts of the ALB WAF

Last updated on

A web application firewall acts as a security shield for your web applications. Operating at Layer 7 (the application layer), the ALB WAF inspects incoming traffic and blocks malicious requests such as bots, and common exploits before they can harm your backend services. It ensures safe traffic passes through while keeping threats at bay.

The STACKIT ALB WAF is powered by the high performance Coraza engine and integrates seamlessly with the STACKIT Application Load Balancer (ALB).

To see, which features the STACKIT ALB WAF currently supports, check out the ALB WAF features overview.

Understanding how the ALB WAF processes and references objects is key to configuring your security policies.

The ALB WAF config is the central configuration object that holds your firewall settings. It serves as a container where you reference your desired managed rule sets or custom rule groups.

  • Limits: By default, you can store up to 150 unique ALB WAF configs per project.
  • Scope: A single ALB WAF config can be assigned to multiple listeners.

Managed rule sets are pre-configured, rule collections that protect against widespread vulnerabilities. The first and primary collection is the OWASP Core Ruleset (CRS), which protects your applications against the OWASP Top 10 threats (including SQL Injection and Cross-Site Scripting).

  • Customization: Instead of writing complex rules from scratch, you can globally enable, disable, or log individual rules within the managed set with the API.

Custom rule groups allow you to define collections of specialized security rules tailored to your needs.

  • Abstracted Layout: To reduce complexity, rules are configured using a structured JSON model with the API.
  • Limits: By default, you can store up to 150 unique custom rule configurations per project.
  • Evaluation Order: Custom rules are evaluated before managed rule sets, allowing you to define exceptions or whitelist specific payloads early in the inspection chain.

ALB WAF protection is activated on a per-listener basis. An ALB listener holds a property field called wafConfigName. When this reference is populated with a valid ALB WAF config name, the firewall immediately starts inspecting all traffic passing through that specific port.

Applying ALB WAF protection to your Application Load Balancer follows a structured three-step life cycle.

  1. Create your rules: Before creating your ALB WAF config, you must configure at least one of the following:

    • Managed Rule Set: configure your baseline protection rules (for example, OWASP CRS).
    • Custom Rule Group: Define your custom rule group that you want to use.
  2. Assemble the ALB WAF config: Create your main ALB WAF config entity. In your API request body, assign a unique name to the config and link the identifiers of the managed rule sets or custom rule groups you created in the first step.

  3. Associate the ALB WAF config with an ALB listener: Activate the firewall by binding your config to the Application Load Balancer:

    • When creating or updating an ALB listener, provide your ALB WAF config name in the wafConfigName field within the listener’s configuration block.
    • The ALB will automatically initialize the Coraza engine and apply your ALB WAF config to the listener traffic path.