How do I restrict direct traffic to an Application Load Balancer and allow traffic through only CloudFront?


I want to restrict direct access to an Application Load Balancer and allow access through only Amazon CloudFront.

Short description

To restrict direct traffic to an Application Load Balancer and allow access only through CloudFront, use Application Load Balancer listener rules. If you have an existing AWS WAF web access control list (ACL), then you can use web ACL rules. To further restrict access to your Application Load Balancer, configure your security group to restrict access to your origin. To do this, use the AWS managed prefix list. It's a best practice to use one of these solutions and also configure your security group.

Resolution

Application Load Balancer

To use Application Load Balancer listener rules to restrict traffic, see Restrict access to Application Load Balancers.

AWS WAF

Note: AWS WAF charges are based on the following factors:

  • Number of web ACLs that you create
  • Number of rules that you add for each web ACL
  • Number of web requests that you receive

For more information, see AWS WAF pricing.

To use AWS WAF custom web ACL rules to restrict traffic, complete the following steps:

  1. Configure CloudFront to add a custom HTTP header with a secret value in the requests that CloudFront sends to the Application Load Balancer.
  2. Create a rule in the AWS WAF web ACL associated with the Application Load Balancer. Use this rule to block requests that don't contain the custom HTTP header secret value.

Configure CloudFront to add a custom HTTP header

Complete the following steps:

  1. Open the CloudFront console.
  2. From the navigation pane, choose Distributions.
  3. Select your distribution ID.
  4. Choose Origins.
  5. Select your Application Load Balancer, and then choose Edit.
    Note: If your Application Load Balancer isn't an origin, update your distribution, and then set the Application Load Balancer as an origin.
  6. For Add custom header, enter the Header name and Value.
    Important: The Header name and Value act as secure credentials, such as a username and password. Copy these values to a text file to use later in this procedure.
  7. Choose Save changes.

Create a rule in your web ACL to block requests without the header

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where your Application Load Balancer is located.
    Note: If you have an existing web ACL associated to your Application Load Balancer, then skip to step 9.
  4. Choose Create web ACL, and then enter a Name.
  5. For Associated AWS resources, select your Application Load Balancer, and then choose Next.
  6. For Default web ACL action for requests that don't match any rules, choose Allow, and then choose Next.
  7. For Request sampling options, choose Enable sampled requests, and then choose Next.
  8. Choose Create web ACL.
  9. Open the AWS WAF console.
  10. In the navigation pane, under AWS WAF, choose Web ACLs.
  11. For Region, select the Region where your Application Load Balancer is located.
  12. Select the web ACL associated to your Application Load Balancer.
  13. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  14. For Name, enter your rule name.
  15. For Type, choose Regular Rule.
  16. For If a request, choose doesn't match the statement (NOT).
  17. Configure the following settings under Statement 1:
    For Inspect, choose Single Header.
    For Header field name, enter the Header name that you created in CloudFront.
    For Match type, choose Exactly matches string.
    For String to match, enter the Value that you created in CloudFront.
    For Text transformation, choose None.
  18. For Action, choose Block.
  19. Choose Save rule.
  20. For Set rule priority, if you have multiple rules, then set this rule to the highest priority.
  21. Choose Save.
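The rule that the console steps above build, as an added example in Python with boto3 (not AWS's own code): it constructs the same NOT (single header EXACTLY matches) rule document, checks locally which requests that rule blocks, and can append the rule at the highest priority to an existing regional web ACL. The header name, rule name, secret and Region are placeholders.

```python
# Placeholders for this example: the header name must match the custom header
# configured on the CloudFront origin, and the secret is that header's Value.
HEADER_NAME = "X-Origin-Verify"
RULE_NAME = "BlockRequestsNotFromCloudFront"


def build_header_rule(header_name: str, secret: str, priority: int = 0) -> dict:
    """Rule from the console steps: NOT (single header EXACTLY matches secret) -> Block."""
    return {
        "Name": RULE_NAME,
        "Priority": priority,  # 0 is evaluated first, i.e. the highest priority
        "Action": {"Block": {}},
        "Statement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": header_name}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": secret.encode(),  # boto3 expects bytes for this blob field
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }}}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": RULE_NAME},
    }


def request_blocked(rule: dict, headers: dict) -> bool:
    """Local check of the rule's effect: WAF matches the header name case-insensitively,
    while the value is compared byte-for-byte because no text transformation is applied."""
    bms = rule["Statement"]["NotStatement"]["Statement"]["ByteMatchStatement"]
    wanted_name = bms["FieldToMatch"]["SingleHeader"]["Name"].lower()
    present = {name.lower(): value for name, value in headers.items()}
    matches = present.get(wanted_name, "").encode() == bms["SearchString"]
    return not matches  # the NOT statement blocks whenever the header does not match


def add_rule_to_web_acl(acl_name: str, acl_id: str, secret: str, region: str) -> None:
    """Append the rule at the highest priority to an existing regional web ACL
    (needs AWS credentials; shifts the existing rules' priorities down by one)."""
    import boto3  # imported here so the offline helpers above work without it
    waf = boto3.client("wafv2", region_name=region)
    acl = waf.get_web_acl(Name=acl_name, Scope="REGIONAL", Id=acl_id)
    rules = acl["WebACL"]["Rules"]
    for rule in rules:
        rule["Priority"] += 1  # priorities must be unique; make room at 0
    rules.append(build_header_rule(HEADER_NAME, secret, priority=0))
    waf.update_web_acl(Name=acl_name, Scope="REGIONAL", Id=acl_id, LockToken=acl["LockToken"],
                       DefaultAction=acl["WebACL"]["DefaultAction"], Rules=rules,
                       VisibilityConfig=acl["WebACL"]["VisibilityConfig"])
```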

Security groups

To further restrict traffic to an Application Load Balancer, reference the AWS managed prefix list for CloudFront in the security groups attached to the Application Load Balancer.

To update an existing security group, see Update the associated security groups. To associate your Application Load Balancer with a security group, complete the following steps:

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. Select Load balancers, and then select your Application Load Balancer.
  3. Choose Security.
  4. Select the security group that you want to associate with your Application Load Balancer.
  5. To modify the inbound rules, select Edit inbound rules, and then update the configurations to your use case.
    Note: If you have a rule that allows 0.0.0.0/0, then you must add a new rule before you delete the existing rule.
  6. To allow specific protocols, select the protocol and then choose Custom.
  7. For Source type, choose CloudFront, and then select your prefixes from the AWS managed prefix list.
  8. Choose Save.

Note: It's a best practice to allow only ports used by your Application Load Balancer.

Under the default quota, the CloudFront managed prefix list can be added only one time to each security group because of the prefix list's weight. To add another rule with CloudFront as the Source type in the same security group, request a quota increase. Or, use two security groups that both reference the CloudFront managed prefix list.
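The security-group change above as an added example in Python with boto3 (not from the article): the two helpers plan the inbound rules that reference the CloudFront origin-facing managed prefix list and find the open 0.0.0.0/0 and ::/0 rules on the listener ports, and the last function applies them in the order the note above requires (add the replacement first, then revoke). The security group ID, ports, Region and any sample rules are placeholders.

```python
# Placeholder inputs for this example: the security group ID, listener ports and Region.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"


def cloudfront_permissions(prefix_list_id: str, ports) -> list:
    """Inbound rules that reference the managed prefix list instead of fixed CIDRs."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "PrefixListIds": [{"PrefixListId": prefix_list_id,
                                "Description": "CloudFront origin-facing IPs"}]}
            for port in ports]


def open_permissions(existing: list, ports) -> list:
    """The 0.0.0.0/0 and ::/0 rules on the listener ports that become redundant."""
    found = []
    for perm in existing:
        if perm.get("IpProtocol") != "tcp" or perm.get("FromPort") not in ports:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        if not (v4 or v6):
            continue  # other sources (for example a corporate CIDR) are left alone
        revoke = {"IpProtocol": "tcp", "FromPort": perm["FromPort"], "ToPort": perm["ToPort"]}
        if v4:
            revoke["IpRanges"] = v4
        if v6:
            revoke["Ipv6Ranges"] = v6
        found.append(revoke)
    return found


def restrict_to_cloudfront(sg_id: str, ports=(443,), region="us-east-1") -> list:
    """Add the prefix-list rules first, then revoke the open rules (needs AWS
    credentials). Returns the rules that were revoked."""
    import boto3  # imported here so the planning helpers above run without it
    ec2 = boto3.client("ec2", region_name=region)
    prefix_list_id = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}]
    )["PrefixLists"][0]["PrefixListId"]
    existing = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissions"]
    # The managed prefix list is weighted, so under the default quota it can be
    # referenced only once per security group; a second reference fails.
    ec2.authorize_security_group_ingress(
        GroupId=sg_id, IpPermissions=cloudfront_permissions(prefix_list_id, ports))
    to_revoke = open_permissions(existing, ports)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=to_revoke)
    return to_revoke
```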

Related information

Security groups

AWS OFFICIAL
Updated 6 months ago
2 Comments

Actually, the check of the custom HTTP header set by Amazon CloudFront can be done natively at the ALB level without attaching AWS WAF to the ALB. This will be cheaper and simpler than creating a WebACL and WAF rules just for this check.

You can do it by creating an HTTP header ALB listener rule that inspects the requests for a specific header name and header value. See more details in our docs: Listener rules for your Application Load Balancer.

AWS
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago