Restrict Single Page Application to internal network

0

Hello, I have a SPA internal web app served through CloudFront/S3 which was flagged by audit for being accessible over the public network; I am required to restrict access to the internal company network. What are the recommended architectures which can be used to accomplish this? I am going down the path of using ALB/VPC PrivateLink/S3, as CloudFront, being a CDN, will be publicly accessible.

Using ALB I am able to load the index.htm, but dynamic routes are returning 404 as those routes don't have anything in S3. One option is to route the error response to index.htm, but I am not sure if it will get used going through the PrivateLink REST endpoint.

Thanks in advance!

1 Answer
0

The recommended design would be to continue using CloudFront over the public internet, but to associate a Web Application Firewall (WAFv2) web ACL to the distribution only allowing requests from the internet-facing public IP addresses of the internal networks. Traffic would continue to run over the internet, but TLS encryption and the source IP address restriction would make it reasonably well protected.

The static website functionalities of S3 are not available over VPC endpoints. As you observed already, only the REST APIs are available. If you have a third-party web server, like Nginx, you can send the paths you want to it with the ALB's listener rules: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#rule-condition-types.

If appropriate for your needs, you can also use the ALB's built-in features to return static responses or redirects: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#rule-action-types. For more specific custom functionalities, you can use a Lambda function as a target: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html.

EXPERT
Leo K
answered a month ago
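The WAF design in the answer above, as an added example that is not part of the original post or of AWS's own samples. It creates a CLOUDFRONT-scoped IP set holding the company's internet-facing egress addresses, a web ACL whose default action is Block with a single Allow rule keyed on that IP set, and attaches the ACL to the distribution through the distribution config. The CIDRs, the names and the distribution ID are placeholders; the pure helpers validate the address list (rejecting a stray 0.0.0.0/0, which would silently turn the rule into allow-all) and let you check offline what the ACL will decide for a given source address before deploying.

```python
"""
Restrict a CloudFront distribution to corporate egress IPs with a WAFv2 web ACL.
Added example; names, CIDRs and IDs below are constructed placeholders.
"""
import ipaddress

# Constructed placeholders: replace with the real corporate NAT/egress ranges.
CORPORATE_EGRESS_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]
IP_SET_NAME = "corp-egress"
WEB_ACL_NAME = "internal-spa-only"


def validate_cidrs(cidrs):
    """Normalise the list for an IPV4 IP set: reject malformed entries, host
    bits set on a network, IPv6 (needs its own IPV6 set) and a /0 that would
    allow the whole internet."""
    cleaned = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
        if net.version != 4:
            raise ValueError(f"IPv6 ranges need a separate IPV6 IP set: {cidr}")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would allow the whole internet")
        cleaned.append(str(net))
    return cleaned


def web_acl_rules(ip_set_arn):
    """Rules for the web ACL: one Allow rule matched on the connection source
    IP. Without IPSetForwardedIPConfig WAF ignores X-Forwarded-For, so a
    client cannot spoof its way into the allow list with a header."""
    return [{
        "Name": "allow-corporate-egress",
        "Priority": 0,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Allow": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "AllowCorporateEgress",
        },
    }]


def source_ip_allowed(client_ip, cidrs=CORPORATE_EGRESS_CIDRS):
    """Offline check of the ACL decision for a given source address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def deploy(distribution_id, cidrs=CORPORATE_EGRESS_CIDRS):
    """Create the IP set and web ACL and attach the ACL to the distribution.
    CloudFront-scoped WAF resources live in us-east-1. Needs boto3 and AWS
    credentials, so it is not run by the offline checks."""
    import boto3
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    ip_set = wafv2.create_ip_set(
        Name=IP_SET_NAME, Scope="CLOUDFRONT", IPAddressVersion="IPV4",
        Addresses=validate_cidrs(cidrs),
    )["Summary"]
    acl = wafv2.create_web_acl(
        Name=WEB_ACL_NAME, Scope="CLOUDFRONT",
        DefaultAction={"Block": {}},  # anything not explicitly allowed is dropped
        Rules=web_acl_rules(ip_set["ARN"]),
        VisibilityConfig={"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True,
                          "MetricName": WEB_ACL_NAME},
    )["Summary"]
    # CloudFront takes the ACL via the distribution config (WebACLId = ACL ARN);
    # wafv2.associate_web_acl is only for regional resources such as an ALB.
    cf = boto3.client("cloudfront")
    cfg = cf.get_distribution_config(Id=distribution_id)
    cfg["DistributionConfig"]["WebACLId"] = acl["ARN"]
    cf.update_distribution(Id=distribution_id, IfMatch=cfg["ETag"],
                           DistributionConfig=cfg["DistributionConfig"])
    return acl["ARN"]
```

Before calling deploy(), run source_ip_allowed() against a few addresses you expect to pass and fail (a VPN egress IP, a home IP) so the list is checked before the default Block action locks you out; after deployment the sampled requests on the ACL show which source IPs are being blocked.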
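The SPA fallback that the question is missing, as an added example of the "Lambda function as a target" option from the answer above (not code from the original post or from AWS). The ALB forwards every request for the app to this function; it reads asset paths from the bucket through the S3 REST API, which is what is reachable over the VPC interface endpoint, and answers client-side router paths (no object in S3) with index.html and a real 200, rather than a rewritten 404. Bucket name, index key and the "no extension means router path" heuristic are assumptions; the function's role needs s3:GetObject on the bucket and the function must run in the VPC that has the S3 endpoint.

```python
"""
SPA fallback for a Lambda function used as an ALB target.
Added example; BUCKET and INDEX_KEY are constructed placeholders.
"""
import base64
import posixpath

BUCKET = "internal-spa-bucket"   # placeholder: bucket behind the S3 interface endpoint
INDEX_KEY = "index.html"         # placeholder: the SPA entry document


class NotFound(Exception):
    """Raised by a fetcher when the key does not exist."""


def s3_fetch(key):
    """Read one object via the S3 REST API. Returns (bytes, content_type).
    Needs boto3 at runtime; the offline checks pass a fake fetcher instead."""
    import boto3
    s3 = boto3.client("s3")
    try:
        obj = s3.get_object(Bucket=BUCKET, Key=key)
    except s3.exceptions.NoSuchKey:
        raise NotFound(key)
    return obj["Body"].read(), obj.get("ContentType") or "application/octet-stream"


def normalise_key(path):
    """Map the request path to an object key: collapse '.' and '..' segments
    so a crafted path cannot name objects outside the app's layout, drop the
    leading slash, and treat '/' as the index document."""
    clean = posixpath.normpath("/" + path).lstrip("/")
    return clean or INDEX_KEY


def is_client_route(key):
    """Heuristic: a last segment without an extension is a router path such
    as /users/42; assets like main.js or logo.png must really exist in S3."""
    return "." not in posixpath.basename(key)


def resolve(path, fetch=s3_fetch):
    """Return (status, key_served, body, content_type) for a request path."""
    key = normalise_key(path)
    try:
        body, ctype = fetch(key)
        return 200, key, body, ctype
    except NotFound:
        if is_client_route(key):
            body, ctype = fetch(INDEX_KEY)  # SPA fallback: let the router handle it
            return 200, INDEX_KEY, body, ctype
        return 404, key, b"not found", "text/plain"  # missing asset stays a 404


def handler(event, context=None, fetch=s3_fetch):
    """ALB target entry point: produce the response shape the ALB expects."""
    status, key, body, ctype = resolve(event.get("path", "/"), fetch)
    text = ctype.startswith("text/") or ctype in ("application/json",
                                                   "application/javascript")
    # The entry document must not be cached, or a stale asset manifest is served;
    # hashed assets can be cached.
    cache = "no-store" if key == INDEX_KEY or status != 200 else "public, max-age=300"
    return {
        "statusCode": status,
        "statusDescription": f"{status} {'OK' if status == 200 else 'Not Found'}",
        "headers": {"Content-Type": ctype, "Cache-Control": cache},
        "isBase64Encoded": not text,
        "body": body.decode() if text else base64.b64encode(body).decode(),
    }
```

Because the ALB invokes the function for every path, a listener rule can still send paths with a known prefix (for example /api/*) to another target group and leave only the SPA paths to this fallback. Do not set the ALB's own fixed-response action to an HTTP 200 with an empty body for these routes: the browser needs the real index.html so that the client-side router can run.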
