Blog

INTEGRATING CLOUDFLARE with AWS

Mariya Grudeva
Mariya Grudeva
DevOps and Cloud Engineer
06.07.2023
Reading time: 5 mins.
Last Updated: 03.01.2024

Table of Contents

One of the most important things, while you are online, is to make sure that you are secure. Whether you are a DevOps, System Administrator, Developer, or simply a user of a particular application, you need to ensure your data is secure. If you are a user you can protect yourself on a best-effort basis, use VPN when you are connected to public networks, employ different passwords for the various applications, and update your software regularly. 

However, if you are a DevOps engineer, System Administrator, Developer, or someone that has an application online it’s a bit different. You have to make sure that your clients are protected. This requires implementing robust measures, including: 

  • Ensuring applications are safely protected behind a firewall
  • Keeping all parts of the infrastructure up to date
  • Staying informed about and addressing new vulnerabilities to prevent potential threats to applications
  • Anticipating and defending against potential Distributed Denial of Service (DDoS) attacks

One highly recommended solution for application protection is CloudFlare. They offer one of the best DDoS protection systems that’s easy to set up. Utilizing their firewall, users can safeguard their websites effectively. CloudFlare provides separate rules to defend against various vulnerabilities, which can be reviewed and easily enabled and disabled depending on what you need. 

What is CloudFlare?

CloudFlare is a company that delivers a variety of services such as DNS, CDN, DDoS protection, and many more, which has one of the most extensive networks worldwide. It’s used mainly for increasing the security and performance of websites and services.

CloudFlare offers a variety of different services, including the following:

  • Content Delivery Network (CDN)
  • Domain Name System (DNS)
  • Load Balancing
  • Accelerated Mobile Pages (AMP)
  • Caching possibilities
  • Video Streaming
  • DDoS-protection
  • Web Application Firewall (WAF)
  • SSL/TLS-support
  • DNSSEC
  • Analytics
  • Domain registrar
  • Workers (for developers)

How does CloudFlare work?

CloudFlare works as a content delivery network (CDN) and security provider for websites. It operates by caching website content and distributing it through a global network of servers. When a user accesses a website protected by CloudFlare, their request is redirected to the nearest CloudFlare server, which serves the cached content and filters out malicious traffic. This improves website performance and enhances security by protecting against online threats, such as DDoS attacks and malware. Additionally, CloudFlare offers various security and performance optimization services, such as load balancing, SSL certificates, and firewall protection.

Integrating CloudFlare with AWS

The first thing that you need to consider prior is what services you need to use and to choose your plan. You have a couple of options, depending on the use case you need to validate: a free plan, pro, business, and enterprise. For example, the free plan is perfect for initial setups, testing purposes, and getting familiar with the platform. It includes DNS, Unmetered DDoS Protection, CDN, Universal SSL Certificate, and Free Managed Ruleset, 3 Page Rules, and Simple Bot Mitigation. However, if you need more features or support from their end you would need to review their plans and see which one fits your use case the best. 

The second thing to be considered here is that you need to move your DNS zone to CloudFlare and manage it from their control panel. You also need to be careful with migrating the DNS records, from AWS’s route 53 to CloudFlare. CloudFlare does have an automatic tool that picks up all records for the domain name and creates them in their zone however, if you are using Alias/CNAME records in Route53 you would need to add them manually, as the CloudFlare tool fails to convert them from Alias to CNAME records and tries to add them as A records. 

When you start using CloudFlare you will notice that they have 2 options for using their DNS. The first choice is “Only DNS” and the second is “proxied”, which allows rerouting the traffic through their server and enables DDoS protection and CDN. Unfortunately, there is no way to disable the CDN, except disabling the proxying and using DNS. Yet, this option will leave you without the DDoS protection. Keep in mind that internal endpoints need to remain un-proxied, as otherwise, you won’t be able to access them.

Migrating from AWS’s WAF to CloudFlare’s WAF

Moving rules from AWS’s WAF to Cloudfalre’s WAF is really easy, once you have logged in CloudFlare’s control you need to choose the domain for which you would like to add the rules {Go to Security –> WAF –> Create rule}. From there you can create rules for blocking particular IP addresses, cookies from being used, countries, or whole continents. Another option is to block by requests method – known bots can be blocked as well. You can also take other steps, such as logging the requests or employing managed challenges, JS challenges, or interactive challenges. However, if you agree that by directly blocking the requests you might also block actual traffic. 

CloudFlare’s SSL Certificates 

Each of CloudFlare’s plans includes a free SSL certificate that is called “Let’s Encrypt” and is only valid for three months before it needs to be renewed. Furthermore, another advantage is that the renewal is automatic and continues to be free. Despite the benefits, a downside to using a free SSL certificate is if you need to customize the ciphers that the certificate is using. Unfortunately using the free certificate is not possible. However, buying one of their advanced certificates, will remove the unnecessary ciphers using their API:

curl -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/ciphers" \
  -H "X-Auth-Email: <auth_email>" \
  -H "X-Auth-Key: <auth_key>" \
  -H "Content-Type: application/json" \
  --data '{"value": <cipher_suites>}'

TLS 

CloudFlare also makes it easy to manage the TLS versions that you are using. They have all versions of TLS available including TLS 1.0 in case you need to use it. By default, you have TLS 1.3 enabled and the minimum version of TLS set to 1.0 however, if you need to update either the minimum version used or to disable TLS 1.3 it’s really easy to do so. You can log in to your CloudFlare dashboard, select the domain for which you want to perform the changes, and go to SSL/TLS Edge Certificates, scroll a bit down and you will see the options to disable the TLS 1.3 versions and change the minimum TLS version.

Potential problems after integrating CloudFlare

If you have domains associated with an AWS’s WAF a potential problem that can occur when the records are proxied is the WAF blocking CloudFlare’s traffic and blocking access to the domains. Simply disassociate the domains from the WAF and they should start loading correctly. 

Another problem that can occur is a bad cache, as there is no way to disable CloudFlare’s CDN. You would need to clear the cache when making changes to your applications, especially to the front end of the application. One way can be to use their dashboard directly and purge the cache manually. Or you can automate this and use a script similar to this one:

print ("Starting CloudFlare invalidation")
def clear_cloudflare_cache(requests):
    url = "API URL"
    headers = {
        "X-Auth-Email": "",
        "X-Auth-Key": "",
        "Content-Type": "application/json"
                }
    data = '{"purge_everything": true }'
    response = requests.delete(url, headers=headers, data=data)
    return response
print ("Finishing CloudFlare invalidation")

Conclusion

In summary, integrating CloudFlare with AWS empowers businesses to strengthen their online security, optimize performance, and streamline management processes. By leveraging CloudFlare’s comprehensive suite of services, users can create a reliable online presence. Nevertheless, potential problems could arise, when the records are proxied or have a bad cache. Anyhow, by automating simple manual processes using script, no issues ought to occur.

Leave a Reply

Your email address will not be published. Required fields are marked *

More Posts

In the dynamic world of serverless computing, securing your AWS Lambda function is crucial. However, one often neglected area is the security of containerized applications in Amazon Elastic Container Registry...
Reading
Note: The following example demonstrates upgrading a Kubernetes cluster from version 1.23 to 1.24. Replace the version numbers according to your specific setup. To ensure a seamless upgrade, it’s crucial...
Reading
Get In Touch
ITGix provides you with expert consultancy and tailored DevOps services to accelerate your business growth.
Newsletter for
Tech Experts
Join 12,000+ business leaders and engineers who receive blogs, e-Books, and case studies on emerging technology.