Secure ALB access only from Amazon CloudFront

One more way to prevent users accessing your ALB directly is make use of Custom Headers on CloudFront and WAF on ALB.

Step1: Configure CloudFront to add custom header to the requests going via CloudFront.

Step2: Attach AWS WAF to ALB

Step3: Create "String Match" rules/conditions on the WAF to allow requests if and only if the request has the custom header added by CloudFront and block the requests if the header is not present.

On CloudFront,

• Edit Origin
• In"Origin Settings", add a Custom header with key(can be anything) "X-Origin-Header" with some alpha numeric secret as value which the CloudFront will add to the request passing through it.

On the ALB,

• Add AWS WAF on the ALB and create a "String Matching" condition with "Header" key as "X-Origin-Header" and value which you have entered in on the CloudFront distribution.
• Add this condition to the rule and add the rule to the WebACL on the ALB.

Lifecycle of the request:

• Here, when ever a user tries to access the application via CloudFront, a custom header with a secret string value is added to the request and the WAF which is infront of the ALB will forward the requests to the ALB if and only if the request has the custom header passed by CloudFront.

• If a user tries to access the ALB directly, the request will not contain the customer header and will be blocked by WAF with a 403.

For more information, please refer to this article and let me know if you need any clarifications.

The main advantage of this method is that you don't have to deal with frequent change in CloudFront IP address changes.