AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Prerequisites

The following tasks are not specifically related to DDoS protection, but are necessary to complete the tutorial.

Sign Up for AWS

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS. You are charged only for the services that you use.

If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.

To create an AWS account

  1. Open https://aws.amazon.com/, and then choose Create an AWS Account.

    Note

    This might be unavailable in your browser if you previously signed into the AWS Management Console. In that case, choose Sign In to the Console, and then choose Create a new AWS account.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone keypad.

Note your AWS account number, because you'll need it for the next task.

Create an IAM User

To access AWS services and resources, you must provide credentials. Although it’s possible to sign in with the user name and password that you created when you first opened your AWS account, for security purposes we strongly recommend that you create new credentials through the AWS Identity and Access Management (IAM) service, and that you use those credentials to sign in.

If you signed up for AWS but have not created an IAM user for yourself, you can create one using the following procedure.

To create an IAM user for yourself and add the user to an Administrators group

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, and then choose Add user.

  3. For User name, type a user name, such as Administrator. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be up to 64 characters in length.

  4. Select the check box next to AWS Management Console access, select Custom password, and then type the new user's password in the text box.

  5. Choose Next: Permissions.

  6. On the Set permissions for user page, choose Add user to group.

  7. Choose Create group.

  8. In the Create group dialog box, type the name for the new group. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be up to 128 characters in length.

  9. For Filter, choose Job function.

  10. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

  11. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

  12. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

To sign in as this new IAM user, sign out of the AWS console, then use the following URL, where your_aws_account_id is your AWS account number without the hyphens (for example, if your AWS account number is 1234-5678-9012, your AWS account ID is 123456789012):

https://your_aws_account_id.signin.aws.amazon.com/console/

Enter the IAM user name (not your email address) and password that you just created. When you're signed in, the navigation bar displays "your_user_name @ your_aws_account_id".

To verify the sign-in link for IAM users for your account, open the IAM console and check under IAM users sign-in link on the dashboard.

For more information about IAM, see the IAM User Guide.

Create a Key Pair

A key pair is a set of security credentials that you use to prove your identity. A key pair consists of a private key and a public key that you create. You use your key pair to log in to your Amazon EC2 instance, which is a virtual server in the AWS Cloud. You specify the name of the key pair when you initially launch the instance.

To create a key pair

  1. Sign in to AWS using the URL that you created in the previous section.

  2. From the AWS dashboard, choose EC2 to open the Amazon EC2 console.

  3. From the navigation bar, select a region for the key pair. You can select any region that's available to you, regardless of your location. However, key pairs are specific to a region; for example, if you plan to launch an instance in the US West (Oregon) Region, you must create a key pair for the instance in the US West (Oregon) Region. For this tutorial, consider choosing the US West (Oregon) Region.

    Note

    Later in this tutorial, we use AWS Lambda and Amazon API Gateway, which currently are available only in specific AWS Regions. Therefore, ensure that you select an AWS Region where both Lambda and Amazon API Gateway are available. US West (Oregon), suggested above, supports all the services that are used in this tutorial. For the most current service availability information, see AWS service offerings by region.

  4. In the navigation pane, under NETWORK & SECURITY, choose Key Pairs.

    Tip

    The navigation pane is on the left side of the console. If you do not see the pane, it might be minimized; choose the arrow to expand the pane. You might have to scroll down to see the Key Pairs link.

  5. Choose Create Key Pair.

  6. Type a name for the new key pair in the Key pair name field of the Create Key Pair dialog box, and then choose Create. Use a name that is easy for you to remember, such as your IAM user name, followed by -key-pair, plus the region name. For example, me-key-pair-uswest2.

  7. The private key file is automatically downloaded by your browser. The base file name is the name that you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.

    Important

    This is the only chance for you to save the private key file. You must provide the name of your key pair when you launch an instance and the corresponding private key each time you connect to the instance.

For more information, see Amazon EC2 Key Pairs.

Create a Virtual Private Cloud (VPC) with Two Subnets

Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. In this tutorial, your VPC contains two subnets and the two Amazon EC2 instances that host your website.

For more information about Amazon VPC, see What is Amazon VPC? in the Amazon VPC User Guide.

To create a nondefault VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. From the navigation bar, select a region for the VPC. VPCs are specific to a region, so you should select the same region in which you created your key pair. For this tutorial, we use the US West (Oregon) Region.

  3. On the VPC dashboard, choose Start VPC Wizard.

  4. On the Step 1: Select a VPC Configuration page, ensure that VPC with a Single Public Subnet is selected, and then choose Select.

  5. On the Step 2: VPC with a Single Public Subnet page, specify the following details:

    • For VPC name, type a friendly name for your VPC.

    • For Availability Zone, choose us-west-2a.

    • For Subnet name, type subnet-1.

    • Keep the other default configuration settings.

  6. Choose Create VPC. On the confirmation page, choose OK.

Add a Second Subnet to Your VPC

For increased availability, later in this tutorial you configure a load balancer to use different subnets in two different Availability Zones. When you created your Amazon VPC in the previous step, you created the first subnet in an Availability Zone. You now must add a second subnet in a different Availability Zone. Both Availability Zones must be in the same AWS Region.

To add a second subnet to your Amazon VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets, Create Subnet.

  3. Specify the following subnet details:

    • For Name tag, provide a name for your subnet. For example, type subnet-2. Doing so creates a tag with a key of Name and the value that you specify.

    • For VPC, choose the VPC that you just created in the previous steps.

    • For Availability Zone, choose the Availability Zone in which your subnet will reside. It must be different from the Availability Zone that you chose when you created your VPC earlier in this tutorial; the tutorial used us-west-2a as an example, so this time choose another zone, such as us-west-2b.

    • For IPv4 CIDR block, specify an IPv4 CIDR block for this second subnet. You must specify an IPv4 CIDR block for the subnet from the range of your VPC. The IP addresses for your two subnets cannot overlap. Assuming you used the defaults when setting up your VPC, your first subnet used CIDR block 10.0.0.0/24. So for this second CIDR block, you can use 10.0.1.0/24. For more information, see VPC and Subnet Sizing for IPv4.

  4. Choose Yes, create.

  5. On the subnets page, choose the first subnet you created, subnet-1.

  6. In the details pane, on the Route Table tab, note the Route Table ID. It starts with rtb-.

  7. On the subnets page, choose the second subnet that you created, subnet-2.

  8. On the details pane, choose Edit.

  9. Your second subnet must use the same route table as your first subnet. For Change to, select the name of the route table that you noted earlier.

  10. Choose Save.
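As an added example (not part of the AWS guide), this Python check applies the sizing rules from the procedure above: the second subnet's CIDR block must lie inside the VPC's range and must not overlap the first subnet. It assumes the wizard's default VPC range of 10.0.0.0/16, which the page does not state; the subnet values are the ones the tutorial uses.

```python
import ipaddress

# Assumed default VPC range from the VPC wizard (the tutorial only states that
# the first subnet defaulted to 10.0.0.0/24); change it to match your VPC.
VPC_CIDR = "10.0.0.0/16"
FIRST_SUBNET = "10.0.0.0/24"   # subnet-1 from the tutorial


def validate_subnet(vpc_cidr, existing_cidrs, candidate_cidr):
    """Return a list of problems with using candidate_cidr as a new subnet.

    An empty list means the candidate is inside the VPC range and does not
    overlap any existing subnet, which is what the console requires.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    candidate = ipaddress.ip_network(candidate_cidr)
    problems = []
    if not candidate.subnet_of(vpc):
        problems.append(f"{candidate} is not within the VPC range {vpc}")
    for cidr in existing_cidrs:
        existing = ipaddress.ip_network(cidr)
        if candidate.overlaps(existing):
            problems.append(f"{candidate} overlaps existing subnet {existing}")
    return problems


def next_free_subnet(vpc_cidr, existing_cidrs, prefixlen=24):
    """Return the lowest /prefixlen block in the VPC that is still free, or None."""
    vpc = ipaddress.ip_network(vpc_cidr)
    for block in vpc.subnets(new_prefix=prefixlen):
        if not validate_subnet(vpc_cidr, existing_cidrs, str(block)):
            return str(block)
    return None


if __name__ == "__main__":
    print("subnet-2 candidate:", next_free_subnet(VPC_CIDR, [FIRST_SUBNET]))
    for cand in ("10.0.1.0/24", "10.0.0.128/25", "192.168.1.0/24"):
        print(cand, validate_subnet(VPC_CIDR, [FIRST_SUBNET], cand) or "ok")
```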

Create a Security Group

Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your instance from your IP address using RDP. You can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere.

Prerequisites

You need the public IPv4 address of your local computer. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address for you. Alternatively, you can use the search phrase "what is my IP address" in an internet browser. If you are connecting through an internet service provider (ISP) or from behind a firewall without a static IP address, you must find out the range of IP addresses used by client computers.

To create a security group with least privilege

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select a region for the security group. Security groups are specific to a region, so you should select the same region in which you created your key pair, US West (Oregon).

  3. In the navigation pane, choose Security Groups.

  4. Choose Create Security Group.

  5. Type a name for the new security group and a description. Use a name that is easy for you to remember, such as your IAM user name, followed by _SG_, plus the region name. For example, me_SG_uswest2.

  6. In the VPC list, select the VPC that you created earlier in this tutorial.

  7. On the Inbound tab, create the following rules (choose Add Rule for each new rule):

    • Choose HTTP from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).

    • Choose HTTPS from the Type list, and make sure that Source is set to Anywhere (0.0.0.0/0).

    • Choose RDP from the Type list. In the Source box, choose MyIP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. To specify an individual IP address in CIDR notation, add the routing suffix /32, for example, 203.0.113.25/32. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

      Warning

      For security reasons, we don't recommend that you allow RDP access from all IPv4 addresses (0.0.0.0/0) to your instance, except for testing purposes and only for a short time.

  8. After you have added all of the rules, choose Create.
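As an added example (not from the AWS guide), this Python audit expresses the least-privilege rule the warning above describes, over inbound rules in the shape of the IpPermissions field returned by EC2 DescribeSecurityGroups. The rules are constructed: the three the tutorial creates, plus one that exposes RDP to all IPv4 addresses so the audit has something to flag; 203.0.113.25/32 is the page's own example address.

```python
import ipaddress

# Constructed rules in the shape of the IpPermissions field returned by
# EC2 DescribeSecurityGroups: the three rules the tutorial creates, plus an
# extra RDP rule open to 0.0.0.0/0 so the audit has something to flag.
INBOUND_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.25/32"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

PUBLIC_OK_PORTS = {80, 443}    # the tutorial opens HTTP and HTTPS to Anywhere
RDP_PORT = 3389
MAX_ADMIN_SOURCE_PREFIX = 24   # widest RDP source range the tutorial suggests (/24)


def port_range(rule):
    """Return (low, high) for a rule; protocol -1 (all traffic) has no port keys."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit_inbound(rules):
    """Return human-readable findings for rules that violate least privilege."""
    findings = []
    for rule in rules:
        low, high = port_range(rule)
        ports = str(low) if low == high else f"{low}-{high}"
        for source in rule.get("IpRanges", []):
            net = ipaddress.ip_network(source["CidrIp"])
            world = net.prefixlen == 0
            if world and not (low == high and low in PUBLIC_OK_PORTS):
                findings.append(f"port {ports} open to {net}")
            elif low <= RDP_PORT <= high and net.prefixlen < MAX_ADMIN_SOURCE_PREFIX:
                findings.append(f"RDP reachable from wide range {net} (port {ports})")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(INBOUND_RULES) or ["no findings"]:
        print(finding)
```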

Next: Step 1: Launch a Virtual Server Using Amazon EC2.