{"id":20329751,"url":"https://github.com/f5devcentral/aws-waf-solution-template","last_synced_at":"2025-08-23T19:02:11.316Z","repository":{"id":45066100,"uuid":"366828907","full_name":"f5devcentral/aws-waf-solution-template","owner":"f5devcentral","description":null,"archived":false,"fork":false,"pushed_at":"2022-01-11T12:31:23.000Z","size":382,"stargazers_count":8,"open_issues_count":4,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-11T20:53:02.297Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f5devcentral.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-12T19:19:19.000Z","updated_at":"2023-08-07T19:01:34.000Z","dependencies_parsed_at":"2022-09-16T14:01:28.801Z","dependency_job_id":null,"html_url":"https://github.com/f5devcentral/aws-waf-solution-template","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/f5devcentral/aws-waf-solution-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Faws-waf-solution-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Faws-waf-solution-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Faws-waf-solution-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Faws-waf-solution-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/ow
ners/f5devcentral","download_url":"https://codeload.github.com/f5devcentral/aws-waf-solution-template/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Faws-waf-solution-template/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265829157,"owners_count":23835089,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T20:13:21.360Z","updated_at":"2025-07-18T20:36:25.156Z","avatar_url":"https://github.com/f5devcentral.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Overview\n\nDeployment of production grade WAF is challenging. Usually it takes at least several weeks for an average team to learn, design, implement and automate a WAF deployment. However, system design principles are always the same and every team ends up building a similar system.\n\nThe main purpose of this project is to provide an AWS CloudFormation template that follows system design principles and deploys complete, production grade WAF solution to AWS cloud. \n\n# Solution Overview\n\nThe idea behind this solution is to provide a production grade WAF data plane and streamline day to day WAF operations via user friendly interfaces for configuration and visibility. Following picture represents high level architecture.\n\n![High-Level Architecture](images/high-level-architecture.png)\n\nSolution consists of three main components:\n1. WAF data plane\n2. Interface for WAF configuration \n3. 
Interface for WAF visibility\n\nData plane uses official NGINX App Protect AMIs as a WAF engine. It is fully maintenance-less, automated and auto-scales up and down based on the amount of traffic flowing through.\n\nGitOps is used as the configuration approach. An AWS CodeCommit git repo contains the default configuration for the WAF. After that, every configuration change a user commits to git is automatically applied to the running WAF data plane.\n\nData plane VMs continuously send logs and metrics to AWS CloudWatch. It in turn provides a dashboard with detailed visibility into WAF security and performance.\n\nTherefore, the solution lets you use a WAF from day zero. It provides a maintenance-free data plane, a convenient tool for configuration management, and comprehensive visibility into the system.\n\n# Deployment Model\n\nThe template deploys a WAF into a separate AWS VPC, so the deployment model becomes similar to SaaS.\n\n![Deployment model](images/deployment-model.png)\n\nIn this model, all traffic arriving from users is inspected and then forwarded to one or more applications regardless of their location.\n\n# Getting Started\n\n## Deployment\n\nThe deployment process is the same as for any other CloudFormation template. The deployment requires a subscription to [NGINX Plus with NGINX App Protect Developer - Ubuntu 18.04](https://aws.amazon.com/marketplace/pp/prodview-xogyq23b3mfge)\n\n1. Download template from `templates` folder to your filesystem\n2. Open AWS CloudFormation console and click \"Create Stack\"\n3. Select \"Upload from a template file\" and upload template from local filesystem\n4. Give stack a name. All other parameters are optional.\n5. Set a checkbox against \"I acknowledge that AWS CloudFormation might create IAM resources with custom names.\"\n6. 
Click create stack.\n\nOr click the button below:\n\n[![Launch Stack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=NAP\u0026templateURL=https://aws-waf-solution-template.s3.amazonaws.com/release/latest/modules/quickstart/nap-autoscale-ubuntu-dev.yaml)\n\nOr use the following command to create a stack using the AWS CLI:\n```\n$ aws cloudformation create-stack --stack-name NAME_OF_YOUR_STACK \\\n    --capabilities CAPABILITY_NAMED_IAM \\\n    --template-url https://aws-waf-solution-template.s3.amazonaws.com/release/latest/modules/quickstart/nap-autoscale-ubuntu-dev.yaml \\\n    --parameters ParameterKey=sshKey,ParameterValue=YourSshKey\n```\n\n## Operations\n\nOnce the stack deploys successfully, you can access, configure and monitor the WAF deployment.\n\n### Access\n\nNavigate to \"CloudFormation -\u003e Your Stack -\u003e Outputs\" and click on \"AppProtectLBDNSName\". The WAF returns a default static page.\n\n### Configuration\n\nNavigate to \"AWS CodeCommit Service -\u003e nap-AppProtectRepo\". The NGINX configuration is located at \"files/etc/nginx/nginx.conf\". The App Protect configuration lives in \"files/etc/app_protect\". Modify these files in the same way you would for standalone NGINX and commit the changes. The new configuration will be applied to the data plane automatically. You can monitor the config deployment process in \"AWS CodePipeline Service -\u003e nap-AppProtectPipeline\"\n\n### Monitoring\n\nOpen \"AWS CloudWatch -\u003e Dashboards -\u003e nap-AppProtectDashboard\". This dashboard contains various security and performance related data.\n![Dashboard](images/dashboard.png)\n\n# Contributing\n\nThis is a community project. Everyone is welcome to contribute.\n\n# Community Code of Conduct\n\nPlease refer to the [F5 DevCentral Community Code of Conduct](code_of_conduct.md).\n\n# Support\n\nFor support, please open a GitHub issue.  
Note, the code in this repository is community supported and is not supported by F5 Networks.\n\n# License\n\n## Apache V2.0\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use\nthis file except in compliance with the License. You may obtain a copy of the\nLicense at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and limitations\nunder the License.\n\n# Copyright\n\nCopyright 2014-2020 F5 Networks Inc.\n\n## F5 Networks Contributor License Agreement\n\nBefore you start contributing to any project sponsored by F5 Networks, Inc. (F5) on GitHub, you will need to sign a Contributor License Agreement (CLA).\n\nIf you are signing as an individual, we recommend that you talk to your employer (if applicable) before signing the CLA since some employment agreements may have restrictions on your contributions to other projects.\nOtherwise by submitting a CLA you represent that you are legally entitled to grant the licenses recited therein.\n\nIf your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5.\n\nIf you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein.\nYou represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the 
CLA.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Faws-waf-solution-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5devcentral%2Faws-waf-solution-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Faws-waf-solution-template/lists"}