
Protect my AWS ECS service node.js backend


I have developed a native mobile application (iOS/android).

My backend for the application is a node js server running on an ECS cluster.

Requests arrive on an Application Load Balancer listening only for HTTPS traffic.

The authentication between the backend and the frontend is made via JWT token.

I have some ideas about further securing my backend but not sure how to achieve them:

  • I would like to filter out any requests that are not coming from a phone. I think I would achieve this at internet gateway level. But no experience doing so.
  • I would like to apply rate limiting. I know it's quite straightforward to do this in the node js code. I just wonder if this rate limiting can be achieved even before reaching the server. Maybe at ALB level? I feel it could protect better from a DDoS.

Solution

  • Both of the options (and more) are available when using AWS WAF (Web Application Firewall). You can check for specific strings in the path, a header (i.e. User-Agent for well known mobiles) or up to 8 KB of content with this. Rate limiting is available and you can enforce it per client IP, allowing X requests every 5 min. You should aim for WAFv2, which is the recommended one. Refer to the link.