Skip to content

Deploying Wallarm OOB for NGINX, Envoy and Similar Mirroring using Terraform Module

This article demonstrates the example on how to deploy Wallarm to AWS as an Out-of-Band solution using the Wallarm Terraform module. It is expected that NGINX, Envoy, Istio and/or Traefik provides traffic mirroring.

Use cases

Among all supported Wallarm deployment options, Terraform module is recommended for Wallarm deployment on AWS VPC in these use cases:

  • Your existing infrastructure resides on AWS.

  • You leverage the Infrastructure as Code (IaC) practice. Wallarm's Terraform module allows for the automated management and provisioning of the Wallarm node on AWS, enhancing efficiency and consistency.


  • Terraform 1.0.5 or higher installed locally

  • Access to the account with the Administrator role in Wallarm Console in the US or EU Cloud

  • Access to if working with US Wallarm Cloud or to if working with EU Wallarm Cloud. Please ensure the access is not blocked by a firewall

Solution architecture

Wallarm for mirrored traffic

This example Wallarm solution has the following components:

  • Internet-facing load balancer routing traffic to the Wallarm node instances. It is expected that a load balancer has been already deployed, the wallarm module will not create this resource.

  • Any web or proxy server (e.g. NGINX, Envoy) serving traffic from a load balancer and mirroring HTTP requests to an internal ALB endpoint and backend services. It is expected that a the component used for traffic mirroring has been already deployed, the wallarm module will not create this resource.

  • An internal ALB accepting mirrored HTTPS requests from a web or proxy server and forwarding them to the Wallarm node instances.

  • Wallarm node analyzing requests from an internal ALB and sending malicious traffic data to the Wallarm Cloud.

    The example runs the Wallarm nodes in the monitoring mode that drives the described behavior. If you switch the mode to another value, nodes continue to only monitor the traffic as the OOB approach does not allow attack blocking.

The last two components will be deployed by the provided wallarm example module.

Code components

This example has the following code components:

  • the main configuration of the wallarm module to be deployed as a mirror solution. The configuration produces an internal AWS ALB and Wallarm instances.

Running the example Wallarm mirror solution

To run the example Wallarm mirror solution, you need to configure HTTP request mirroring and then deploy the solution.

1. Configuring HTTP request mirroring

Traffic mirroring is a feature provided by many web and proxy servers. The link provides the documentation on how to configure traffic mirroring with some of them.

2. Deploy the example Wallarm mirror solution

  1. Sign up for Wallarm Console in the EU Cloud or US Cloud.

  2. Open Wallarm Console → Nodes and create the node of the Wallarm node type.

  3. Copy the generated node token.

  4. Clone the repository containing the example code to your machine:

    git clone
  5. Set variable values in the default options in the examples/mirror/ file of the cloned repository and save changes.

  6. Deploy the stack by executing the following commands from the examples/mirror directory:

    terraform init
    terraform apply

To remove the deployed environment, use the following command:

terraform destroy