Restricting access to an EC2 Web app to only Amplify app access

0

We would like to restrict access to a chat web app running on our EC2 Linux server to only our Amplify hosted frontend app. Currently, the Linux-based chat app (Apache based) is accessible directly over the internet. We want to restrict access to only users coming from our Amplify-hosted frontend application.

We thought about restricting HTTPS access to only the Amplify frontend app's IP address but we could not figure out what the Amplify app's IP address is.

Any suggestions for implementing this restriction?

1 Answer
0

Amplify uses Amazon CloudFront to distribute your website globally, and the IP addresses returned are dynamically set. Our current list of IP address ranges that CloudFront utilizes can be found in this doc.

However, requests to your EC2 chat application would have the IP of the local machine and not the IPs of Amplify Hosting/CloudFront. Hence, for your use case, whitelisting IPs of Amplify Hosting/CloudFront might not be helpful.

Having said that, you can try attaching a WAF in front of EC2 and filter requests based on the Origin header, as these requests would contain an Origin header with the Amplify domain:

Origin:https://<branch>.<appid>.amplifyapp.com

Alternatively, you could also leverage API Gateway in front of EC2, as it has several authentication mechanisms such as WAF, Cognito authorizers, Lambda custom authorizers, etc.

For the best approach and architectural guidance, you can contact AWS Solution Architects.

AWS
SUPPORT ENGINEER
answered a year ago
  • Thank you very much, Susmitha! Your response is very informative. I will explore your suggestions. Thanks again.
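The Origin-header rule the answer suggests, as an added example (not code from the re:Post answer or from any AWS sample). It builds the AWS WAFv2 rule and web ACL in the dictionary shape that boto3's wafv2 create_web_acl call accepts, then evaluates that same rule locally against constructed sample requests so the behaviour can be checked before deploying anything. It assumes an Application Load Balancer or API Gateway sits in front of the instance, since AWS WAF associates with those resources rather than with an EC2 instance directly; the Amplify origin and the chat host name are placeholders. Two practitioner points it makes concrete: match the Origin with EXACTLY rather than STARTS_WITH (an Origin is just scheme and host, and a prefix match also accepts a look-alike host that merely begins with the Amplify domain), and remember that Origin is set by the client, so a non-browser client can send any value. The rule keeps casual direct access out; real access control still needs an authorizer such as the Cognito option the answer mentions.

```python
"""Added example: WAFv2 allow-by-Origin rule for an Amplify-hosted frontend,
plus a local evaluator that applies the rule's semantics to sample requests.
Not code from the re:Post answer; placeholders are labelled as such."""
from typing import Dict, Iterable

# Constructed placeholder; the real value is https://<branch>.<appid>.amplifyapp.com
AMPLIFY_ORIGIN = "https://main.d1234567890abc.amplifyapp.com"


def amplify_origin_rule(allowed_origin: str, constraint: str = "EXACTLY") -> Dict:
    """WAFv2 rule (shape used by wafv2.create_web_acl Rules=[...]) that allows
    a request when its Origin header, lower-cased, matches allowed_origin."""
    return {
        "Name": "AllowAmplifyOrigin",
        "Priority": 0,
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": allowed_origin.lower().encode(),  # boto3 wants bytes
                "FieldToMatch": {"SingleHeader": {"Name": "origin"}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": constraint,
            }
        },
        "Action": {"Allow": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "AllowAmplifyOrigin",
        },
    }


def amplify_web_acl(allowed_origin: str, constraint: str = "EXACTLY") -> Dict:
    """Minimal web ACL: default action Block, one Allow rule for the Amplify origin.
    Scope is REGIONAL because an ALB / API Gateway in front of EC2 is regional."""
    return {
        "Name": "chat-app-amplify-only",
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}},
        "Rules": [amplify_origin_rule(allowed_origin, constraint)],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "chat-app-amplify-only",
        },
    }


def _transform(value: str, transformations: Iterable[Dict]) -> str:
    """Apply WAF text transformations in priority order (LOWERCASE/NONE supported)."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise NotImplementedError(t["Type"])
    return value


def _byte_match(stmt: Dict, headers: Dict[str, str]) -> bool:
    """Local model of a ByteMatchStatement on a single header; an absent header never matches."""
    name = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == name), None)
    if value is None:
        return False
    value = _transform(value, stmt["TextTransformations"])
    needle = stmt["SearchString"].decode()
    constraint = stmt["PositionalConstraint"]
    if constraint == "EXACTLY":
        return value == needle
    if constraint == "STARTS_WITH":
        return value.startswith(needle)
    if constraint == "ENDS_WITH":
        return value.endswith(needle)
    if constraint == "CONTAINS":
        return needle in value
    raise NotImplementedError(constraint)


def evaluate(web_acl: Dict, headers: Dict[str, str]) -> str:
    """Return 'ALLOW' or 'BLOCK': first matching rule by priority wins, else DefaultAction."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if _byte_match(rule["Statement"]["ByteMatchStatement"], headers):
            return next(iter(rule["Action"])).upper()
    return next(iter(web_acl["DefaultAction"])).upper()


# Constructed sample requests (header maps only); "chat.example.com" is a placeholder host.
SAMPLE_REQUESTS = {
    "browser_from_amplify": {"Host": "chat.example.com", "Origin": AMPLIFY_ORIGIN},
    "direct_browse_no_origin": {"Host": "chat.example.com", "User-Agent": "Mozilla/5.0"},
    "lookalike_origin": {"Host": "chat.example.com", "Origin": AMPLIFY_ORIGIN + ".attacker.example"},
    "uppercase_origin": {"Host": "chat.example.com", "origin": AMPLIFY_ORIGIN.upper()},
}


def run_samples(constraint: str = "EXACTLY") -> Dict[str, str]:
    """Decision for every sample request under the given positional constraint."""
    acl = amplify_web_acl(AMPLIFY_ORIGIN, constraint)
    return {name: evaluate(acl, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for constraint in ("EXACTLY", "STARTS_WITH"):
        print(constraint, run_samples(constraint))
```

Running it shows the look-alike origin blocked under EXACTLY but allowed under STARTS_WITH, the direct browse (no Origin header) blocked, and the upper-cased Origin still allowed thanks to the LOWERCASE transformation. The dictionaries returned by amplify_web_acl can be passed straight to boto3 (`boto3.client("wafv2").create_web_acl(**acl)`), after which the ACL is associated with the load balancer or API that fronts the instance.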
