Restrict access to Cloudfront from ABL

0

My customer has an S3 bucket with a Cloudfront in front. They also have their applications on EC2 with an ABL. He is asking me if it's possible to restrict the access so that only the ABL has access to Cloudfront.
Is that possible?

Edit: changed EKS to EC2

2 Answers
0

Thanks for the reply, and yes, you are correct about ABL: I'm referring to ALB. I also made a mistake about the EKS; it was an EC2, my bad.
Let me try to explain a little about the infra; honestly, it was already built, so I'm working with what already exists.

We have an S3 bucket with information pushed from another application.
A Cloudfront was added in front of the S3, because it securely delivers content with low latency and high transfer speeds.
There is a separate EC2 with an application running that needs to consume the information from the S3.
In front of the EC2 there is an ALB.
They are not in the same VPC/Account.

Is it possible to restrict the access of Cloudfront to only accept the communication from ALB?

answered 2 years ago
  • ALB cannot be used as an outbound proxy. So in your case, based on what you have described, the ALB is the inbound load balancer for traffic coming to your EC2 servers. The EC2 servers in turn access files stored in S3 over Cloudfront. So the access from EC2 to Cloudfront won't be over the ALB. It will be over a NAT Gateway in your VPC to allow outbound internet access.

    If you want to allow access to Cloudfront only from the NAT Gateway, you can use AWS WAF in front of Cloudfront, because WAF allows IP-based filtering - https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html - using which you can either allow or deny traffic from some IP addresses.

    I would still like to avoid this complexity if possible and access S3 directly from the application running on your EC2 machines. It does not matter if S3 is in a different account. As long as the other account is part of your organization and not a third-party account, it should be possible as mentioned here - https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

    In that case, you should be able to use a VPC endpoint for S3 in the VPC where your EC2 machines are running, to access S3 over the AWS network and not have to go through the internet over Cloudfront.
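The WAF approach from the comment above, as an added example that is not code from the re:Post thread: the WAFv2 objects that put an IP allow list in front of a CloudFront distribution (default action Block, one Allow rule referencing an IP set that holds the NAT gateway's Elastic IP), plus an offline check of which source IPs the web ACL would let through. The NAT gateway EIP 203.0.113.10, the account ID 123456789012 and the IP set ARN are hypothetical values.

```python
"""
Added example, not code from the re:Post thread: WAFv2 IP allow list for a
CloudFront distribution, with an offline evaluation of the resulting web ACL.

Hypothetical values: NAT gateway EIP 203.0.113.10, account 123456789012, and
the IP set ARN below (a real ARN ends in the ID WAF assigns on creation).
"""
import ipaddress

# Constructed: the Elastic IP attached to the NAT gateway the EC2 instances
# egress through. Only instances in private subnets routed via this NAT
# gateway reach CloudFront with this address; an instance that has its own
# public IP egresses with that IP instead and would be blocked.
NAT_GATEWAY_EIPS = ["203.0.113.10/32"]

# Hypothetical ARN, in the shape WAF returns for a CLOUDFRONT-scope IP set.
IP_SET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/ipset/"
              "nat-gateway-egress/0f0f0f0f-0000-0000-0000-000000000000")


def ip_set_definition(name, addresses):
    """Input for `aws wafv2 create-ip-set`. Web ACLs for CloudFront, and the
    IP sets they reference, must be created in us-east-1 with scope CLOUDFRONT."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "IPAddressVersion": "IPV4",
        "Addresses": list(addresses),
    }


def web_acl_definition(name, ip_set_arn):
    """Input for `aws wafv2 create-web-acl`: everything is blocked unless the
    source IP is in the IP set. The resulting web ACL ARN is then attached to
    the distribution (its WebACLId setting)."""
    visibility = {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": name,
    }
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},
        "Rules": [
            {
                "Name": "allow-nat-gateway-egress",
                "Priority": 0,
                "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
                "Action": {"Allow": {}},
                "VisibilityConfig": dict(visibility, MetricName="allowNatGateway"),
            }
        ],
        "VisibilityConfig": visibility,
    }


def waf_decision(web_acl, ip_sets, client_ip):
    """Offline approximation of web ACL evaluation for the rule type used
    here: rules run in priority order, the first rule whose statement matches
    decides, otherwise the default action applies. `ip_sets` maps an IP set
    ARN to its CIDR list, standing in for the IP sets stored in WAF."""
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        ref = rule["Statement"].get("IPSetReferenceStatement")
        if ref is None:
            raise ValueError("only IPSetReferenceStatement is modelled here")
        if any(addr in ipaddress.ip_network(cidr) for cidr in ip_sets[ref["ARN"]]):
            return next(iter(rule["Action"]))  # "Allow" or "Block"
    return next(iter(web_acl["DefaultAction"]))


IP_SET = ip_set_definition("nat-gateway-egress", NAT_GATEWAY_EIPS)
WEB_ACL = web_acl_definition("cloudfront-nat-only", IP_SET_ARN)
IP_SETS = {IP_SET_ARN: IP_SET["Addresses"]}

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, waf_decision(WEB_ACL, IP_SETS, ip))
```

Two caveats go with this design. An IP allow list identifies the network path, not the caller: every workload that egresses through that NAT gateway gets the same access, so it is coarser than an IAM-based grant. And the S3 origin must still be reachable only through the distribution; if the bucket is readable directly, the web ACL is simply bypassed by requesting the bucket instead of CloudFront.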

0

I am assuming you meant ALB (application load balancer) when you say ABL.

The flow is not very clear. Can you please elaborate with a detailed description of the flow?

Is the idea to allow restricted access to the S3 bucket only to the applications running on EKS? Why is Cloudfront needed in that case? They can use the IAM role for service accounts feature to allow the pods running on EKS to access the S3 bucket - https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html. There is also an example in this Support Knowledge Center article - https://aws.amazon.com/premiumsupport/knowledge-center/eks-restrict-s3-bucket/

You can also configure a VPC endpoint on the VPC in which your pods are running to ensure that the traffic from your pods to S3 goes over the Amazon network rather than over the Internet - https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

Normally Cloudfront is in front of an ALB as Cloudfront helps lower the latency of access for remote clients either by caching static content or by providing a quicker path to the AWS network backbone from a nearby point of presence.

Some details of the application and the flow can help us provide the right guidance.

AWS EXPERT
answered 2 years ago
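The VPC-endpoint route that both answers recommend (cross-account S3 access from the EC2 application in the comment above, and pods using an IAM role for service accounts in this answer), as an added example that is not code from the re:Post thread: an S3 bucket policy in the producer account that lets one role from the consumer account read the bucket, but only for requests that arrive through a specific VPC endpoint, plus a small offline evaluator for the statement shapes used here so the policy can be sanity-checked before it is applied. The bucket name, account IDs 111111111111 and 222222222222, the role name (for EKS this would be the IRSA role instead) and the endpoint ID are hypothetical.

```python
"""
Added example, not code from the re:Post thread: cross-account S3 bucket
policy restricted to a VPC endpoint, with an offline policy evaluator.

Hypothetical values: bucket "shared-feed-bucket" owned by account
111111111111, consumer role "feed-reader" in account 222222222222 (an IRSA
role for EKS pods would take its place), VPC endpoint vpce-0abc12345678.
"""
from fnmatch import fnmatchcase

BUCKET = "shared-feed-bucket"
CONSUMER_ROLE = "arn:aws:iam::222222222222:role/feed-reader"
VPC_ENDPOINT = "vpce-0abc12345678"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadFromConsumerViaVpcEndpointOnly",
            "Effect": "Allow",
            "Principal": {"AWS": CONSUMER_ROLE},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            # aws:SourceVpce is only present in the request context when the
            # call traverses a VPC endpoint, so a request over the internet
            # (including one fronted by CloudFront) never satisfies this
            # condition and falls through to the implicit deny.
            "Condition": {"StringEquals": {"aws:SourceVpce": VPC_ENDPOINT}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource matching with "*" and "?" wildcards, case-sensitive.
    return any(fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), principal_arn)


def _conditions_hold(condition, context):
    """Only the two string operators used above are modelled. A missing
    context key fails StringEquals and passes StringNotEquals, which is how
    IAM treats absent keys for these operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, principal_arn, action, resource, context):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny.
    This models the bucket policy alone: a cross-account principal also
    needs an identity policy in its own account allowing the same actions,
    and the consumer VPC needs the S3 endpoint (gateway or interface) in its
    route tables for aws:SourceVpce to be set at all."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not (_principal_matches(statement["Principal"], principal_arn)
                and _matches(statement["Action"], action)
                and _matches(statement["Resource"], resource)
                and _conditions_hold(statement.get("Condition", {}), context)):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/feed/latest.json"
    print("via endpoint:", evaluate(BUCKET_POLICY, CONSUMER_ROLE, "s3:GetObject", obj,
                                    {"aws:SourceVpce": VPC_ENDPOINT}))
    print("via internet:", evaluate(BUCKET_POLICY, CONSUMER_ROLE, "s3:GetObject", obj, {}))
```

Using an Allow with a StringEquals condition, rather than a blanket Deny on StringNotEquals aws:SourceVpce, keeps the bucket owner's own administrators (who do not come through the endpoint) from being locked out of their bucket while still giving the other account no path except the endpoint.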
