How do I restrict direct traffic to an ALB and allow traffic through only CloudFront using AWS WAF?

3 minute read
1

I want to restrict users from directly accessing an Application Load Balancer (ALB) and allow access through only Amazon CloudFront using AWS WAF. How do I do this using AWS WAF?

Resolution

To restrict direct traffic to an ALB and allow traffic through only CloudFront using AWS WAF, do the following:

  1. Configure CloudFront to add a custom HTTP header with a secret value in the requests that CloudFront sends to the ALB.
  2. Create a rule in your AWS WAF web ACL associated with the ALB to block requests that don't contain the custom HTTP header secret value.

Configure CloudFront to add a custom HTTP header with a secret value in the requests that it sends to the ALB

  1. Open the Amazon CloudFront console.
  2. From the navigation pane, choose Distributions.
  3. Select the ID of your distribution.
  4. Choose Origins.
  5. Select your ALB origin, and then choose Edit.
    Note: If you don't have an ALB origin, see Creating a distribution or Updating a distribution.
  6. For Add custom header, add the Header name and Value. An example Header name is Custom-header and Value is Random-12345.
    Important: Consider the Header name and Value as secure credentials, like a user name and password.
  7. Choose Save changes.

Create a rule in your AWS WAF web ACL associated with the ALB to block the requests that don't contain the custom HTTP header secret value

Note: If you don't have an existing web ACL associated with your ALB, then follow the steps in Create an AWS WAF web ACL. If you have an existing web ACL associated to your ALB, then proceed to Create a rule.

Create an AWS WAF web ACL

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where your ALB is located.
  4. Choose Create web ACL, and then enter a Name.
  5. For Associated AWS resources, associate your ALB, then choose Next.
  6. For Default web ACL action for requests that don't match any rules, choose Allow, and then choose Next.
  7. For Request sampling options, choose Enable sampled requests, and then choose Next.
  8. Review the web ACL configuration. If it matches your specifications, choose Create web ACL.

Create a rule

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where your ALB is located.
  4. Select the web ACL you have associated your ALB to.
  5. Choose Rules, then choose Add Rules, Add my own rules and rule groups.
  6. For Name, enter a rule name, and then choose Regular Rule.
  7. For If a request, choose doesn't match the statement (NOT).
  8. On Statement 1:
    For Inspect, choose Single Header.
    For Header field name, enter the name of the Header name created in CloudFront. For example, Custom-header.
    For Match type, choose Exactly matches string.
    For String to match, enter the Value created in CloudFront. For example, Random-12345.
    For Text transformation, choose None.
  9. For Action, choose Block.
  10. Choose Save rule.
  11. For Set rule priority, if you have multiple rules, then set this rule to the highest priority.
  12. Choose Save.

Related information

Adding custom headers to origin requests

AWS WAF Rules

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago