Centinel AnalyticaCentinel Analytica
Platforms

AWS Application Load Balancer (ALB)

Deploy Centinel Analytica on AWS Application Load Balancer using Lambda middleware.

Overview

This guide shows you how to protect an AWS Application Load Balancer with Centinel. The Lambda middleware validates requests through the Centinel API before they reach your backend.

Prerequisites

  • Centinel secret key (from your dashboard)
  • AWS CLI configured with credentials
  • Backend service URL to protect
  • AWS permissions for Lambda, ALB, EC2, and IAM

Installation

Prepare the Lambda package
  1. Download centinel-alb.js
  2. Open the file and set: 
    const CENTINEL_SECRET_KEY = "sk_live_your_key_here";
const BACKEND_URL = "https://your-backend.com";
  3. Zip the file: 
    zip centinel-alb.zip centinel-alb.js
Create the Lambda function

Using AWS Console:

  1. Go to Lambda → Create function
  2. Choose Author from scratch
  3. Function name: centinel-alb
  4. Runtime: Node.js 20.x
  5. Create the function
  6. Upload centinel-alb.zip via Code → Upload from → .zip file
  7. Under Configuration → General configuration, set:
    • Timeout: 30 seconds
    • Memory: 256 MB

Using AWS CLI:

# Create execution role
aws iam create-role \
  --role-name centinel-alb-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'

# Attach basic execution policy
aws iam attach-role-policy \
  --role-name centinel-alb-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

# Create Lambda function
aws lambda create-function \
  --function-name centinel-alb \
  --runtime nodejs20.x \
  --role arn:aws:iam::YOUR_ACCOUNT_ID:role/centinel-alb-role \
  --handler centinel-alb.handler \
  --zip-file fileb://centinel-alb.zip \
  --timeout 30 \
  --memory-size 256 \
  --region eu-central-1
Create Application Load Balancer

Using AWS Console:

  1. Go to EC2 → Load Balancers → Create Load Balancer
  2. Choose Application Load Balancer
  3. Name: centinel-alb
  4. Scheme: Internet-facing
  5. Select your VPC and at least 2 availability zones
  6. Create or select a security group that allows HTTP (80) and HTTPS (443)
  7. Create the load balancer

Using AWS CLI:

# Get VPC and subnets
VPC_ID=$(aws ec2 describe-vpcs \
  --filters "Name=is-default,Values=true" \
  --query 'Vpcs[0].VpcId' \
  --output text)

SUBNET_IDS=$(aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=$VPC_ID" \
  --query 'Subnets[0:2].SubnetId' \
  --output text)

# Create security group
SG_ID=$(aws ec2 create-security-group \
  --group-name centinel-alb-sg \
  --description "Security group for Centinel ALB" \
  --vpc-id $VPC_ID \
  --query 'GroupId' \
  --output text)

aws ec2 authorize-security-group-ingress \
  --group-id $SG_ID \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Create ALB
aws elbv2 create-load-balancer \
  --name centinel-alb \
  --subnets $SUBNET_IDS \
  --security-groups $SG_ID \
  --region eu-central-1
Create target group

Using AWS Console:

  1. Go to EC2 → Target Groups → Create target group
  2. Target type: Lambda function
  3. Target group name: centinel-lambda-tg
  4. Select your Lambda function
  5. Create the target group

Using AWS CLI:

# Create target group
TG_ARN=$(aws elbv2 create-target-group \
  --name centinel-lambda-tg \
  --target-type lambda \
  --region eu-central-1 \
  --query 'TargetGroups[0].TargetGroupArn' \
  --output text)

# Register Lambda as target
LAMBDA_ARN=$(aws lambda get-function \
  --function-name centinel-alb \
  --region eu-central-1 \
  --query 'Configuration.FunctionArn' \
  --output text)

aws elbv2 register-targets \
  --target-group-arn $TG_ARN \
  --targets Id=$LAMBDA_ARN \
  --region eu-central-1
Configure listener

Using AWS Console:

  1. Go to your ALB's Listeners tab
  2. Click Add listener
  3. Protocol: HTTP, Port: 80
  4. Default action: Forward to your target group
  5. Create the listener

Using AWS CLI:

ALB_ARN=$(aws elbv2 describe-load-balancers \
  --names centinel-alb \
  --region eu-central-1 \
  --query 'LoadBalancers[0].LoadBalancerArn' \
  --output text)

aws elbv2 create-listener \
  --load-balancer-arn $ALB_ARN \
  --protocol HTTP \
  --port 80 \
  --default-actions Type=forward,TargetGroupArn=$TG_ARN \
  --region eu-central-1
Grant permissions

Allow the ALB to invoke your Lambda function:

aws lambda add-permission \
  --function-name centinel-alb \
  --statement-id alb-invoke \
  --action lambda:InvokeFunction \
  --principal elasticloadbalancing.amazonaws.com \
  --region eu-central-1
Test the setup

Get your ALB DNS name:

aws elbv2 describe-load-balancers \
  --names centinel-alb \
  --region eu-central-1 \
  --query 'LoadBalancers[0].DNSName' \
  --output text

Test it:

curl -v http://YOUR-ALB-DNS.eu-central-1.elb.amazonaws.com

How it works

Client → ALB → Lambda (Centinel) → Decision

                          ┌────────────┴───────────┐
                          │                        │
                     Blocked (403)            Allowed
                          │                        │
                    Block page                Backend

Every request goes through Centinel validation:

  1. Client sends request to your ALB
  2. ALB invokes the Lambda function
  3. Lambda validates with Centinel API
  4. Based on the result:
    • Block → Returns 403 error page
    • Challenge → Returns verification page
    • Allow → Forwards to your backend

If Centinel is unreachable, requests are allowed through (fail-open).

Configuration

The Lambda function has these settings in centinel-alb.js:

const CENTINEL_SECRET_KEY = "";           // Your API key (required)
const BACKEND_URL = "";                   // Your backend URL (required)
const CENTINEL_TIMEOUT_MS = 200;          // API timeout (optional)
const BACKEND_TIMEOUT_MS = 25000;         // Backend timeout (optional)

Lambda settings:

  • Runtime: Node.js 20.x
  • Memory: 256 MB
  • Timeout: 30 seconds

Troubleshooting

Target shows as unhealthy

Make sure the Lambda function has permission to be invoked by the ALB:

aws lambda add-permission \
  --function-name centinel-alb \
  --statement-id alb-invoke \
  --action lambda:InvokeFunction \
  --principal elasticloadbalancing.amazonaws.com \
  --region eu-central-1

All requests blocked

Check your API key and review the CloudWatch logs:

aws logs tail /aws/lambda/centinel-alb --follow --region eu-central-1

Common issues:

  • Wrong API key in centinel-alb.js
  • API key not activated in dashboard
  • Protection rules need adjustment

Cannot reach backend

If your backend is in a private VPC, configure the Lambda function to use that VPC:

aws lambda update-function-configuration \
  --function-name centinel-alb \
  --vpc-config SubnetIds=subnet-xxx,subnet-yyy,SecurityGroupIds=sg-xxx \
  --region eu-central-1

Also attach the VPC execution policy:

aws iam attach-role-policy \
  --role-name centinel-alb-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

Slow response times

First requests after idle periods take longer (Lambda cold starts). For consistent performance, enable Provisioned Concurrency:

aws lambda put-provisioned-concurrency-config \
  --function-name centinel-alb \
  --provisioned-concurrent-executions 1 \
  --region eu-central-1

Changelog

  • 1.2.0 - HTTP/2 support for validator connections
  • 1.1.0 - Connection pooling improvements
  • 1.0.0 - Initial release

ASP.NET Core

Add Centinel Analytica to your ASP.NET Core application.

AWS CloudFront

Deploy Centinel Analytica on an existing CloudFront distribution via Lambda@Edge.

On this page

InstallationHow it worksConfigurationTroubleshootingTarget shows as unhealthyAll requests blockedCannot reach backendSlow response timesChangelog