Secure ALB access only from Amazon CloudFront


My customer is migrating from on-premises and asked me how to secure ALB access only from Cloudfront. We have a blog post on this subject (based on security group auto updates). But at the beginning of this post it is mentioned:

Note from December 3, 2019: The features and services described in this post have changed since the post was published and the procedures described might be out of date and no longer accurate. If we update this post or create a replacement, we’ll add a notification about it here.

Do we have a new solution for this ?

asked 4 years ago2013 views
2 Answers
Accepted Answer

One more way to prevent users accessing your ALB directly is make use of Custom Headers on CloudFront and WAF on ALB.

Step1: Configure CloudFront to add custom header to the requests going via CloudFront.

Step2: Attach AWS WAF to ALB

Step3: Create "String Match" rules/conditions on the WAF to allow requests if and only if the request has the custom header added by CloudFront and block the requests if the header is not present.

On CloudFront,

  • Edit Origin
  • In"Origin Settings", add a Custom header with key(can be anything) "X-Origin-Header" with some alpha numeric secret as value which the CloudFront will add to the request passing through it.

On the ALB,

  • Add AWS WAF on the ALB and create a "String Matching" condition with "Header" key as "X-Origin-Header" and value which you have entered in on the CloudFront distribution.
  • Add this condition to the rule and add the rule to the WebACL on the ALB.

Lifecycle of the request:

  • Here, when ever a user tries to access the application via CloudFront, a custom header with a secret string value is added to the request and the WAF which is infront of the ALB will forward the requests to the ALB if and only if the request has the custom header passed by CloudFront.

  • If a user tries to access the ALB directly, the request will not contain the customer header and will be blocked by WAF with a 403.

For more information, please refer to this article and let me know if you need any clarifications.

The main advantage of this method is that you don't have to deal with frequent change in CloudFront IP address changes.

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions