
WAF client IP-based rules work, even for edge-optimized API Gateway and Cognito with custom domain

2 minute read
Content level: Intermediate

Highlight that WAF on these regional endpoints sees the CloudFront viewer IP as the client IP, not just in the X-Forwarded-For header

Both edge-optimized API Gateway and Cognito with a custom domain have AWS-managed CloudFront distributions in front of a regional endpoint. AWS WAF integrates with the regional components of both API Gateway and Cognito, so the obvious default conclusion would be that the source IP seen by those endpoints is the CloudFront origin-facing IP, and that the 'real' client IP connecting to CloudFront is visible only in the 'X-Forwarded-For' header. This would mean that IP reputation rule groups would not work, as these (mostly) operate only on the client IP and not on headers.

Luckily, this is not the case! The Cognito and API Gateway service teams have foreseen customer requirements and, through some IP 'magic', the client IP seen at those endpoints is the CloudFront viewer IP, not the origin-facing IP, so rules based on client IP work just as they would if the client had connected directly to the regional endpoint. This is not currently clear from public documentation.

This means that these services can make use of the managed IP reputation rule groups and the AWSManagedRulesAntiDDoSRuleSet.
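To confirm this behaviour on your own deployment, here is an added check (not from the original article or from AWS) that reads AWS WAF log records and verifies that `httpRequest.clientIp` equals the viewer address CloudFront appended to X-Forwarded-For; the log records, IP addresses and web ACL ARN below are constructed for the example.

```python
import json
from typing import Optional

# Constructed sample AWS WAF log records (JSON Lines, as delivered to S3 or Firehose).
# Field names follow the WAF log schema; the IPs and the web ACL ARN are made up.
# Records 1 and 2 show the behaviour described above: clientIp is the address that
# connected to CloudFront, i.e. the value CloudFront appended to X-Forwarded-For.
# Record 3 is a constructed counter-example of what a log would look like if WAF
# saw only an origin-facing address instead (clientIp absent from X-Forwarded-For).
SAMPLE_WAF_LOGS = """\
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/PLACEHOLDER","action":"ALLOW","httpSourceName":"APIGW","httpRequest":{"clientIp":"198.51.100.23","country":"IE","headers":[{"name":"Host","value":"api.example.com"},{"name":"X-Forwarded-For","value":"198.51.100.23"}],"uri":"/prod/items","httpMethod":"GET"}}
{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/PLACEHOLDER","action":"BLOCK","httpSourceName":"APIGW","httpRequest":{"clientIp":"192.0.2.77","country":"US","headers":[{"name":"Host","value":"api.example.com"},{"name":"x-forwarded-for","value":"198.51.100.200, 192.0.2.77"}],"uri":"/prod/items","httpMethod":"POST"}}
{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/PLACEHOLDER","action":"ALLOW","httpSourceName":"APIGW","httpRequest":{"clientIp":"203.0.113.9","country":"DE","headers":[{"name":"Host","value":"api.example.com"},{"name":"X-Forwarded-For","value":"198.51.100.45"}],"uri":"/prod/health","httpMethod":"GET"}}
"""

def header_value(record: dict, name: str) -> Optional[str]:
    """Return a request header from a WAF log record; header names match case-insensitively."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def viewer_ip(record: dict) -> Optional[str]:
    """The address that connected to CloudFront: CloudFront appends it as the last X-Forwarded-For entry."""
    xff = header_value(record, "X-Forwarded-For")
    return xff.split(",")[-1].strip() if xff else None

def client_ip_is_viewer_ip(record: dict) -> bool:
    """True when clientIp, the value IP-based WAF rules evaluate, is the CloudFront viewer IP."""
    return record["httpRequest"]["clientIp"] == viewer_ip(record)

def audit_waf_logs(jsonl: str) -> dict:
    """Count records whose IP rules were evaluated against the viewer IP; list the rest."""
    summary = {"total": 0, "viewer_ip": 0, "mismatched": []}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        summary["total"] += 1
        if client_ip_is_viewer_ip(rec):
            summary["viewer_ip"] += 1
        else:
            summary["mismatched"].append(
                {"clientIp": rec["httpRequest"]["clientIp"], "xff": header_value(rec, "X-Forwarded-For")}
            )
    return summary

if __name__ == "__main__":
    print(json.dumps(audit_waf_logs(SAMPLE_WAF_LOGS), indent=2))
```

Point `audit_waf_logs` at real log lines from the web ACL's logging destination; a non-empty `mismatched` list means IP-based rules are not being evaluated against the viewer IP for those requests.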