Skip to content

Terraform Module for Web Server Traffic Mirroring

This article demonstrates the example on how to deploy Wallarm to AWS as an Out-of-Band solution using the Wallarm Terraform module. It is expected that the NGINX, Envoy, Istio and/or Traefik web server provides traffic mirroring.

Key characteristics

  • Wallarm processes traffic in the asynchronous mode (preset=mirror) without affecting the current traffic flow which makes the approach the safest one.

  • Wallarm solution is deployed as a separate network layer that enables you to control it independently from other layers and place the layer in almost any network structure position. The recommended position is in the private network.

Solution architecture

Wallarm for mirrored traffic

This example Wallarm solution has the following components:

  • Internet-facing load balancer routing traffic to the Wallarm node instances. It is expected that a load balancer has been already deployed, the wallarm module will not create this resource.

  • Any web server serving traffic from a load balancer and mirroring HTTP requests to an internal ALB endpoint and backend services. It is expected that a web server has been already deployed, the wallarm module will not create this resource.

  • An internal ALB accepting mirrored HTTPS requests from a web server and forwarding them to the Wallarm node instances.

  • Wallarm node analyzing requests from an internal ALB and sending malicious traffic data to the Wallarm Cloud.

    The example runs the Wallarm nodes in the monitoring mode that drives the described behavior. If you switch the mode to another value, nodes continue to only monitor the traffic as the OOB approach does not allow attack blocking.

The last two components will be deployed by the provided wallarm example module.

Code components

This example has the following code components:

  • the main configuration of the wallarm module to be deployed as a mirror solution. The configuration produces an internal AWS ALB and Wallarm instances.

Configuring HTTP request mirroring

Traffic mirroring is a feature provided by many web servers. The link provides the documentation on how to configure traffic mirroring with some of them.


Despite the fact that the described example solution is the most functional Out-of-Band Wallarm solution, it has some limitations inherent in the asynchronous approach:

  • Wallarm node does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow.

  • The solution requires an additional component - the web server providing traffic mirroring or a similar tool (e.g. NGINX, Envoy, Istio, Traefik, custom Kong module, etc).

Running the example Wallarm mirror solution

  1. Sign up for Wallarm Console in the EU Cloud or US Cloud.

  2. Open Wallarm Console → Nodes and create the node of the Wallarm node type.

  3. Copy the generated node token.

  4. Clone the repository containing the example code to your machine:

    git clone
  5. Set variable values in the default options in the examples/mirror/ file of the cloned repository and save changes.

  6. Deploy the stack by executing the following commands from the examples/mirror directory:

    terraform init
    terraform apply

To remove the deployed environment, use the following command:

terraform destroy