How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS

Goal: Provide a static IP address to update root domain DNS settings to redirect to a subdomain protected by our Web Application Firewall, typically "www.".

Overview:

Setup a Network Load Balancer (NLB) with two static IPs:

Static_IP_1 (e.g., 192.0.2.10)
Static_IP_2 (e.g., 192.0.2.20)

The NLB redirects the traffic to ALB

This guide will walk you through obtaining a certificate for your root domain, configuring an Application Load Balancer (ALB) rule for the redirect, and verifying the setup.

Step 1: Request a Certificate for the Root Domain

Navigate to AWS Certificate Manager (ACM).
Request a new certificate for your root domain (e.g., example.com).
1. Click on "Request a certificate", then select "Request a public certificate" and follow the prompts.
2. For Domain name, enter your root domain.
3. Choose DNS validation for the validation method.
Find your Validation Challenge: Add the DNS validation record provided by ACM to your DNS configuration to complete the validation process. (CNAME name and CNAME value). You can find this in ACM -> Certificates -> <your certificate> :
Wait until the Certificate is Validate It may take some time for DNS changes to propagate and for ACM to validate the certificate. Monitor the certificate status in ACM.

Step 2: Add a Rule in the ALB

Navigate to your ALB in the EC2 Management Console.
Select the listener that handles incoming requests for your domain.
Add a new rule to redirect requests from the root domain to the subdomain.
1. Condition: host header match to your root domain
2. Action: Redirect to the subdomain with appropriate protocol (HTTP or HTTPS), port and path.

Step 3: Add certificate

In the ALB screen click on certificates tab and then add certificate:

Then find the certificate you have added in step 1.

Step 4: Add Relevant Tags in Rule

Tagging rules can help with organization and billing. Add any relevant tags as per your organization's tagging strategy.
add the relevant tags as the other rules

Step 5: Test

To test the redirect, use the following curl commands:

curl --resolve example.com:443:Static_IP_1 https://example.com -v
curl --resolve example.com:443:Static_IP_2 https://example.com -v

Replace example.com with your actual root domain and Static_IP_1 and Static_IP_2 with the static IP addresses of your Network Load Balancer (e.g., 192.0.2.10 and 192.0.2.20).

The expected result is a 301 redirect response pointing to the subdomain.