AWS Global Accelerator IP Subnet Range not up to date in ip-ranges.json


I have a public ALB with a WAF firewall attached to it and a Global Accelerator endpoint which forwards traffic to this ALB. Now, I'd like to limit direct access to the ALB to the IP range of AWS Global Accelerator - so that, to start with, nobody can access the ALB directly except via the GA endpoint.

I have created an AWS Lambda as per https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/ which downloads the https://ip-ranges.amazonaws.com/ip-ranges.json file and automatically adds all the IP subnets that match "service": "GLOBALACCELERATOR" to the WAF IPSet for both IPv4 and IPv6. The process works and the Lambda can successfully add the IP address ranges to the WAF IPSet, though when I configure a rule to Match/Count this IPSet, I'm not seeing any hits that match these subnets.

The only way I got this to match was to add all the IP ranges which match "service": "AMAZON" rather than "service": "GLOBALACCELERATOR".

This makes me believe that the https://ip-ranges.amazonaws.com/ip-ranges.json list is not updated with the correct IP Ranges for the GLOBALACCELERATOR.

1 Answer

Have you disabled Client IP Preservation on the Global Accelerator?[1] I disabled mine and I'm able to block my requests through GA to my ALB that has WAF. I created a rule to explicitly block the GA IP addresses.

Sampled request for metric Deny_GA:
Source IP: 13.248.102.152
Rule inside rule group: -
Action: BLOCK

References: [1] Preserve client IP addresses in AWS Global Accelerator - https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

answered 5 months ago
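The two things being discussed here, filtering ip-ranges.json by service to build the IPSet addresses, and checking whether the source IP that WAF actually samples falls inside that set, can be reproduced offline. The following Python is an added example, not code from the question, the answer, or the linked AWS blog post. It embeds a constructed document in the same shape as ip-ranges.json (the prefixes are illustrative, not real AWS allocations), extracts the IPv4 and IPv6 prefixes for one service, and classifies a sampled source IP. With Client IP Preservation enabled, the address WAF sees is the original client's, which is exactly the case where the GLOBALACCELERATOR set never matches; the second classification call shows that outcome.

```python
import ipaddress
import json

# Constructed sample shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are made up for this example and are not real AWS allocations.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.248.102.0/24", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        # The same prefix is also listed under AMAZON, as the real file does
        # for most ranges; filtering by service must not double-count it.
        {"ip_prefix": "13.248.102.0/24", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
})


def load_ranges(text):
    """Parse the ip-ranges.json document from its text form."""
    return json.loads(text)


def prefixes_for_service(doc, service):
    """Return (ipv4_prefixes, ipv6_prefixes) for one 'service' value.

    Both lists are deduplicated and sorted so they can be handed to the
    WAFv2 IPSet 'Addresses' field (one IPSet per address family).
    """
    v4 = sorted({p["ip_prefix"] for p in doc.get("prefixes", [])
                 if p.get("service") == service})
    v6 = sorted({p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])
                 if p.get("service") == service})
    return v4, v6


def source_ip_in_ranges(ip, prefixes):
    """True if the sampled source IP lies inside any of the CIDR prefixes.

    Address families are matched separately: an IPv4 address is only tested
    against IPv4 networks and vice versa, so mixed lists are safe to pass.
    """
    addr = ipaddress.ip_address(ip)
    for cidr in prefixes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def classify_source(ip, ga_prefixes):
    """Label a WAF-sampled source IP relative to the accelerator ranges.

    'via-global-accelerator' means the address WAF saw belongs to the GA set,
    which is what you get with Client IP Preservation disabled.
    'not-in-ga-set' covers both a direct hit on the ALB and a request that
    came through GA with Client IP Preservation enabled, because in the
    latter case WAF sees the original client address, not a GA address.
    """
    if source_ip_in_ranges(ip, ga_prefixes):
        return "via-global-accelerator"
    return "not-in-ga-set"


if __name__ == "__main__":
    doc = load_ranges(SAMPLE_IP_RANGES_JSON)
    ga_v4, ga_v6 = prefixes_for_service(doc, "GLOBALACCELERATOR")
    print("IPv4 IPSet addresses:", ga_v4)
    print("IPv6 IPSet addresses:", ga_v6)
    # Source IP from the sampled request in the answer above.
    print("13.248.102.152 ->", classify_source("13.248.102.152", ga_v4 + ga_v6))
    # Constructed client address, as WAF would see it with preservation on.
    print("198.51.100.7   ->", classify_source("198.51.100.7", ga_v4 + ga_v6))
```

In the Lambda from the blog post the two lists would be passed to the WAFv2 UpdateIpSet call for the IPv4 and IPv6 IPSets respectively; that call is omitted here so the example runs without AWS credentials. The useful check when a rule shows zero hits is the second classification: take a source IP from a sampled request and run it against the GA prefixes. If it is a client address rather than a GA address, the rule is working as written and the missing piece is the Client IP Preservation setting, not the contents of ip-ranges.json.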
