Barracuda WAF extends AWS support with CloudFormation Templates and Auto Scaling
The Barracuda Web Application Firewall (WAF) now supports automated deployments on AWS using CloudFormation Templates. In addition, the Barracuda WAF also integrates with AWS CloudWatch and AWS Simple Notification Service (SNS) to perform auto-scaling actions. To ensure secure deployments, the Barracuda WAF integrates with the AWS IAM and STS services.
The Barracuda WAF provides security and DDoS protection against automated and targeted attacks.
AWS CloudFormation Templates allow DevOps teams to automate application deployment, from the initial setup of your VPC to installation of specific software and scaling policies. Auto-Scaling, based on the policies, allows you to adjust the size of the deployment to optimal levels based on your need.
CloudFormation Templates can set up an entire AWS deployment with all the resources it requires. A CloudFormation Template could, for instance, set up an AWS Virtual Private Cloud (VPC) and bring up your chosen EC2 instances within this cloud. It would then download the required packages and perform configuration tasks to bring up your application end-to-end on the AWS infrastructure. Essentially, this means that once you create the CloudFormation Template, you do not have to perform any further manual actions; it takes care of the full deployment by itself.
AWS CloudWatch is a monitoring system. CloudWatch is configured to monitor specific metrics of instances (such as CPU, network bandwidth, etc.) and set off alarms when thresholds are breached. It is typically configured to work together with the AWS Simple Notification Service. SNS is capable of sending alerts through email, SMS, etc. These alerts can be used to trigger actions on the AWS system and perform auto-scaling actions.
Auto Scaling is the process by which instances are added to or removed from an AWS deployment. These additions and removals can be performed based on CloudWatch alarms or based on a schedule. Instances that are grouped together for Auto Scaling (such as a cluster of WAFs serving a website) are part of an Auto Scaling Group. Auto Scaling groups are tied to a Launch Configuration. The Launch Configuration provides all the information required to launch an image, such as the VPC, the instances to be launched, the number of instances, etc.
The Barracuda Web Application Firewall now supports CloudFormation deployments and auto scaling on AWS. With this support, the DevOps team can integrate the Barracuda WAF as a part of their deployment process. The Barracuda WAF instance(s) will be initialized with the configurations you choose and scale up or down along with the rest of your servers. Cost and performance optimizations are possible using scaling policies based on CPU usage, bandwidth, and schedules.
Event-based or schedule-based auto scaling is accomplished using AWS CloudWatch Alarms. A Barracuda WAF deployed with CloudWatch Alarms also gives the administrator additional monitoring capabilities: CPU and bandwidth metrics are continually reported to CloudWatch, enabling the administrator to monitor the performance of the deployed instances.
CloudWatch Alarms that are set for the auto scaling policies also use AWS SNS to send notifications to the administrators on chosen channels (email, SMS, etc.). These notify admins of auto scaling events in the group.
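The alarm-to-policy wiring described above, as an added CloudFormation example that is not taken from Barracuda's templates. The parameter names, the 70% threshold and the use of the standard AWS/EC2 CPUUtilization metric are assumptions for illustration; the WAF Auto Scaling group is assumed to exist already.

```yaml
# Added example: one CloudWatch alarm drives both the scale-out action
# and the SNS notification to administrators.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  WafGroupName:            # assumption: name of an existing WAF Auto Scaling group
    Type: String
  AdminEmail:              # assumption: address that receives scaling notifications
    Type: String
Resources:
  ScalingTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AdminEmail
  ScaleOutPolicy:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref WafGroupName
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: 1          # add one WAF instance per alarm
      Cooldown: "300"               # wait 5 minutes before scaling again
  CpuHighAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Average CPU across the WAF group above 70% for 10 minutes
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - Name: AutoScalingGroupName
          Value: !Ref WafGroupName
      Statistic: Average
      Period: 300
      EvaluationPeriods: 2          # constructed values: 2 x 300 s
      Threshold: 70
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref ScaleOutPolicy       # resolves to the scaling policy ARN
        - !Ref ScalingTopic         # resolves to the SNS topic ARN
```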
In addition to Auto Scaling, the Barracuda WAF adds support for Bootstrapping. Admins can define the base configuration of the first WAF in the CloudFormation Template. Once the initial instance is up and bootstrapped, any other instances that are brought up will synchronize their configuration with this instance and serve traffic within minutes of booting up, without any administrator intervention. A configuration change on any one instance in the cluster propagates to all the other clustered instances.
Auto Scaling improves the availability of your deployment on AWS. A single Auto Scaling group can be deployed across multiple Availability Zones in a region, allowing business continuity in case an Availability Zone has reachability problems. If you choose to deploy in a different region, you can replicate this deployment easily using the CloudFormation Templates – increasing disaster recovery capabilities.
The Barracuda Web Application Firewall can also be deployed across Availability Zones in Auto Scaling groups. It works seamlessly with this deployment model without any additional configuration or administrative intervention.
As seen in the diagram, the Barracuda WAF uses AWS S3 to store clustering information. To secure this bucket against unwanted attacks, the Barracuda WAF integrates with AWS IAM roles. During launch, an IAM role is created with limited access to the S3 bucket. Access to this bucket is provided using the AWS Security Token Service, which provides short-term tokens to access the S3 bucket. The tokens provided are generated dynamically and come with an expiry time to avoid misuse.
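A least-privilege role of the kind described above, as an added CloudFormation example that is not Barracuda's own template. The bucket parameter and the specific S3 actions are assumptions, since the post does not list the permissions the WAF needs. Attaching the role through an instance profile is what makes EC2 obtain short-lived, automatically rotated credentials from STS instead of storing long-term access keys on the instance.

```yaml
# Added example: instance role limited to a single clustering bucket.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ClusterBucketName:       # assumption: bucket holding the clustering information
    Type: String
Resources:
  WafClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com   # only EC2 instances may assume the role
            Action: sts:AssumeRole
      Policies:
        - PolicyName: cluster-bucket-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow              # listing is granted on the bucket itself
                Action: s3:ListBucket
                Resource: !Sub arn:aws:s3:::${ClusterBucketName}
              - Effect: Allow              # object access is granted on its keys only
                Action:                    # assumed action set, adjust to actual need
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub arn:aws:s3:::${ClusterBucketName}/*
  WafInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WafClusterRole
```

No statement uses a wildcard action or a wildcard bucket, so credentials taken from one WAF instance cannot be used to reach other buckets in the account.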
Barracuda TechLibrary Documentation – details on this integration, as well as links to other resources.
Barracuda Web Application Firewall product site – complete details on the Barracuda WAF, including technical specifications and case studies.
Barracuda WAF Evaluation Request – request a risk-free, 30-day evaluation of the Barracuda WAF.
Barracuda WAF in the AWS Marketplace – request one instance of a 30-day free trial. This is an hourly AMI subscription upon expiration.
Barracuda Community Forums for the Barracuda WAF – provide feedback and suggestions, and ask questions about the product.
Barracuda Vulnerability Manager (BVM) – The BVM and the Barracuda WAF provide a comprehensive solution that detects and secures against web application threats.
Barracuda AWS solution site – An explanation of the AWS shared security model and how Barracuda can help you keep your assets secure.
Amazon Web Services – Amazon corporate site with more information on AWS and the technologies mentioned in this post.
AWS Shared Security Model – A video explaining the distinctions between Amazon security and customer security responsibilities.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.
Note: This was originally published on February 20, 2016
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams to technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.