AWS Global Accelerator IP Subnet Range not up to date in ip-ranges.json

0

I have a public ALB with a WAF firewall attached to it and a Global Accelerator endpoint which forwards traffic to this ALB. Now, I'd like to limit direct access to the ALB to the IP range of the AWS Global Accelerator, so, to start with, no one can access the ALB directly other than via the GA endpoint.

I have created an AWS Lambda as per https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/ which downloads the https://ip-ranges.amazonaws.com/ip-ranges.json file and automatically adds all the IP subnets that match "service": "GLOBALACCELERATOR" to the WAF IPSet for both IPv4 and IPv6. The process works and the Lambda can successfully add the IP address ranges to the WAF IPSet, though when I configure a rule to Match/Count this IPSet, I'm not seeing any hits that match these subnets.

The only way I got this to match was to add all the IP ranges which match "service": "AMAZON" rather than "service": "GLOBALACCELERATOR".

This makes me believe that the https://ip-ranges.amazonaws.com/ip-ranges.json list is not updated with the correct IP Ranges for the GLOBALACCELERATOR.

1 answer
0

Have you disabled the Client IP Preservation at the Global Accelerator?[1] I disabled mine and I'm able to block my requests through GA to my ALB that has WAF. I created a rule to explicitly block the GA IP addresses.

Sampled request for metric Deny_GA
  Source IP: 13.248.102.152
  Rule inside rule group: -
  Action: BLOCK

References: [1] Preserve client IP addresses in AWS Global Accelerator - https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

AWS
Answered 2 years ago
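As an added example (not the Lambda from the linked AWS blog post, nor code from either participant), the filtering step described in the question, plus a check of which services' prefixes cover a source IP sampled by WAF. That check tells you whether the address the ALB saw is a Global Accelerator address at all, or the original client's address, which is what arrives when Client IP Preservation is enabled. The ip-ranges.json excerpt and its prefixes are constructed for the example and are not the published AWS data.

```python
"""Filter ip-ranges.json by service and check which services cover a sampled
source IP. Added example; not the Lambda from the linked AWS blog post."""
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json; the prefixes are made up
# for this example and are not the published AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.248.0.0/14", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        {"ip_prefix": "13.248.0.0/14", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f00::/24", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
    ],
})

def prefixes_for_service(ip_ranges_json, service):
    """Return sorted (ipv4, ipv6) CIDR lists for one "service" value, one list
    per WAF IPSet address family."""
    data = json.loads(ip_ranges_json)
    v4 = {p["ip_prefix"] for p in data["prefixes"] if p["service"] == service}
    v6 = {p["ipv6_prefix"] for p in data["ipv6_prefixes"] if p["service"] == service}
    return sorted(v4), sorted(v6)

def services_covering(ip_ranges_json, address):
    """Return the set of service names whose prefixes contain address."""
    data = json.loads(ip_ranges_json)
    addr = ipaddress.ip_address(address)
    entries = [(p["ip_prefix"], p["service"]) for p in data["prefixes"]]
    entries += [(p["ipv6_prefix"], p["service"]) for p in data["ipv6_prefixes"]]
    # Membership across address families is simply False, so no version check needed.
    return {svc for cidr, svc in entries if addr in ipaddress.ip_network(cidr)}

if __name__ == "__main__":
    print(prefixes_for_service(SAMPLE_IP_RANGES, "GLOBALACCELERATOR"))
    # 13.248.102.152 is the source IP sampled in the answer above.
    print(services_covering(SAMPLE_IP_RANGES, "13.248.102.152"))
    # With Client IP Preservation on, WAF sees the client's own address instead:
    print(services_covering(SAMPLE_IP_RANGES, "198.51.100.7"))  # empty set
```

A GLOBALACCELERATOR-only IPSet can therefore never match requests whose recorded source IP is the preserved client address; the AMAZON filter only appears to work when the test client itself sits in an AWS range.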
