The CloudFront origin must be accessible from the Internet to be used.
In other words, access is not possible even if an internal ALB (private ALB) is specified as the origin.
So how do we restrict access to the ALB to CloudFront? There are two ways.
The first is to allow CloudFront prefix lists in the ALB security group.
As shown in the following document, there is a list of prefixes for CloudFront, so please configure the ALB security group inbound rules to allow this one.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html
https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/?nc1=h_ls
The second method is to limit the ALB with a custom header in CloudFront.
However, this method is not recommended because it would allow direct access to the ALB if CloudFront custom headers are lost.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
Or can the ALB get a free AWS subdomain with HTTPS, like https://dqewrpnz0dddmw.cloudfront.net on CloudFront?
The domain "cloudfront.net" belongs to AWS, so we cannot create a subdomain on this domain.
Thanks @RIKU! I have found managed prefix lists before, but I could not find any CDK example :(. And on the CloudFront custom headers the same. Do you know any CDK example?
The code for creating a security group that allows CloudFront prefix lists would be as follows. Please change "sample-vpc-id" and "cloudfront-prefix-list-id" according to your environment.
By attaching this security group to the ALB, connections can be allowed only from CloudFront.