Hey David! We use CloudFlare <http://cloudflare.com> for our DNS and CDN. CloudFlare accepts all our traffic then routes it to the Elastic Load Balancers in front of our Elastic Beanstalks. We use a VPC to only allow incoming traffic from CloudFlare IP addresses. If you were to know our Beanstalk IP addresses (e.g. by guessing), any traffic you throw at it is handled by Amazon Network Hardware that enforces the VPC. In our tests, the Beanstalk servers receive absolutely no load when traffic outside of CloudFlare attempts to connect. This means that CloudFlare is able to offer us robust protection against malicious activity and DDoS.
We use an autoscaling group of Squid Proxies for traffic from the Beanstalk servers to the outside world (e.g. connecting to APIs). That hides our Beanstalk IP addresses on the outgoing side. So basically putting servers behind Amazon VPCs that are only accessed via CloudFlare is really effective. We were able to pass a major security audit last Fall with this setup.

- Ken

On Tue, Mar 10, 2015 at 10:29 AM, David Skinner <[email protected]> wrote:
> We host our PHP application on AWS. I'm looking for recommendations for a
> firewall solution for the EC2 instances. What are some solutions that have
> worked well for you? Does anyone have any recommendations? Are there some
> solutions that work better than others in a High Availability
> configuration?
>
> Thanks,
>
> David
>
> _______________________________________________
>
> UPHPU mailing list
> [email protected]
> http://uphpu.org/mailman/listinfo/uphpu
> IRC: #uphpu on irc.freenode.net
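The ingress restriction Ken describes (security-group rules that admit only the CDN's source ranges, with nothing open to the world) as an added example that is not from the thread or from Ken's setup. It builds boto3-style IpPermissions for a given CIDR list and audits an existing rule set for ranges outside that list; the CIDR ranges are constructed placeholders, not Cloudflare's published list.

```python
"""Added example: build and audit EC2 security-group ingress rules that
admit only CDN/proxy source ranges, as in a Cloudflare-fronted Beanstalk."""
import ipaddress

# Constructed placeholder ranges standing in for the CDN's published list;
# in production fetch the provider's current list rather than hard-coding it.
CDN_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]


def build_ingress_rules(cidrs, ports=(80, 443)):
    """Return boto3-style IpPermissions allowing only `cidrs` on TCP `ports`."""
    ranges = [{"CidrIp": str(ipaddress.ip_network(c)), "Description": "cdn"}
              for c in cidrs]
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": ranges}
            for p in ports]


def audit_ingress(permissions, allowed_cidrs):
    """Return findings for every rule range not contained in allowed_cidrs,
    e.g. a stray 0.0.0.0/0 that would let traffic bypass the CDN."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in permissions:
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            # subnet_of() only compares networks of the same IP version
            ok = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if not ok:
                findings.append(
                    f"{perm['IpProtocol']}/{perm.get('FromPort')} open to {net}")
    return findings


def source_admitted(ip, permissions, port):
    """True if a TCP packet from `ip` to `port` matches some ingress rule."""
    addr = ipaddress.ip_address(ip)
    for perm in permissions:
        if perm["IpProtocol"] != "tcp":
            continue
        if not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]):
            return True
    return False
```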
