Wallarm extends AWS API security with the official Terraform module

Wallarm API Security solution is now available in AWS as an official Terraform module, with a full feature set including autoscaling groups, API Gateway connector, mirroring, and agentless (out-of-band) deployments. 

To address modern cloud-native threats, API security vendor Wallarm released extended support for AWS deployment options. The latest release is available in the official registry and requires Terraform version 1.0.5 and higher. 

Wallarm is now available in AWS as agentless (VPC out-of-band), inline proxy, and HTTP mirroring deployments.

Agentless API security deployment in AWS

Out-of-band deployment allows organizations to get API discovery and API threat detection capabilities with no changes in their infrastructure. Using VPC, Wallarm processes traffic in the asynchronous mode (preset-mirror) without affecting the current traffic flow, latency, and overall performance of API backends..

Wallarm API Security solution is deployed as a separate network layer that enables companies to configure it independently from other layers and place the layer in almost any network tier. However, the recommended place is in the private network.

The deployment schema for out-of-band Wallarm deployment looks like the following:

This solution is based on the AWS VPC Traffic Mirroring feature and does not affect network nor API performance.

Securing AWS API Gateway with Wallarm

The same Wallarm Terraform module can be used to protect any API endpoints in inline/proxy mode, including endpoints configured at the AWS API Gateway. 

Solution deployment schema in this case looks like:

Wallarm autoscaling group in this case terminates HTTPS connections themselves and then forwards only legitimate traffic to AWS API Gateway or backends directly. 

API Gateway configuration example is available at the official Terraform registry: https://registry.terraform.io/modules/wallarm/wallarm/aws/0.9.3/examples/apigateway 

Mirroring traffic mode for AWS

The third deployment option for Wallarm in AWS is traffic mirroring. This schema is convenient for hybrid environments with high restrictions for inline security solutions.

This deployment is based on a built-in feature of Load Balancers and API Gateways, such as NGINX, Istio, Trafik, HAproxy, Envoy, Kong, and others – to send copies of incoming API requests and responses to a separate backend.

In this case, the deployment looks like the following: 

Traffic mirroring does not affect API performance but may result in additional resource usage at the API Gateway/Load Balancer instances caused by copying requests. 

Conclusion

Organizations looking to extend API Security in their AWS infrastructures now have several new options leveraging an official Terraform module from Wallarm. Several different deployment options are available -- including agentless (out-of-band VPC mirroring), inline proxy, and HTTP mirroring -- to support specific architectural and security needs. While each approach has its place and attendant pros & cons, none of them negatively impact API performance. The combination of ease of deployment in AWS environments and enhanced security means both reduced risk and improved service delivery via APIs.