AWS Global Accelerator IP Subnet Range not up to date in ip-ranges.json

0

I have a public ALB with a WAF firewall attached to it and a Global Accelerator endpoint which forwards traffic to this ALB. Now I'd like to limit direct access to the ALB to the IP range of AWS Global Accelerator, so that, to start with, no one can access the ALB directly except via the GA endpoint.

I have created an AWS Lambda as per https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/ which downloads the https://ip-ranges.amazonaws.com/ip-ranges.json file and automatically adds all the IP subnets that match "service": "GLOBALACCELERATOR" to the WAF IP set, for both IPv4 and IPv6. The process works and the Lambda can successfully add the IP address ranges to the WAF IP set, but when I configure a rule to Match/Count this IP set, I'm not seeing any hits that match these subnets.

The only way I got this to match was to add all the IP ranges which match "service": "AMAZON" rather than "service": "GLOBALACCELERATOR".

This makes me believe that the https://ip-ranges.amazonaws.com/ip-ranges.json list is not updated with the correct IP Ranges for the GLOBALACCELERATOR.

1 answer
0

Have you disabled Client IP Preservation at the Global Accelerator? [1] I disabled mine and I'm able to block my requests through GA to my ALB that has WAF. I created a rule to explicitly block the GA IP addresses.

Sampled request for metric Deny_GA
Source IP: 13.248.102.152
Rule inside rule group: -
Action: BLOCK

References: [1] Preserve client IP addresses in AWS Global Accelerator - https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html

AWS
Answered 2 years ago
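As an added example (not code from the question, the answer, or the AWS blog post the question links), the Python script below walks through both halves of this thread: the filtering step the question's Lambda performs on ip-ranges.json, and the answer's point about client IP preservation. The ip-ranges.json content is a constructed stand-in whose prefixes are made up (only the JSON structure matches the real file); the function names, the placeholder IP set id and lock token, and the client address 203.0.113.10 are assumptions. Nothing is fetched or sent by default, so it runs offline.

```python
"""
Offline walk-through of two things from this thread: filtering ip-ranges.json
by "service" for a WAF IP set, and why a rule keyed on the Global Accelerator
ranges sees no hits while client IP preservation is enabled.
"""
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed stand-in for the real ip-ranges.json. Only the structure is
# faithful; these prefixes are made up for the example (the live file has
# thousands of entries and changes over time). As in the real file, every
# service prefix also appears under "AMAZON", which per the AWS docs is the
# superset of all ranges, so an IP set built from "AMAZON" matches far more
# than accelerator traffic.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.248.96.0/19", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        {"ip_prefix": "13.248.96.0/19", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2",
         "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
    ],
})


def fetch_ip_ranges(url: str = IP_RANGES_URL, timeout: int = 10) -> str:
    """Download the live file (what the Lambda in the question does).
    Not called by the offline demo below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_prefixes(ip_ranges_json: str, service: str):
    """Return (ipv4_cidrs, ipv6_cidrs) for one "service" value, deduplicated
    and sorted, as the CIDR strings a WAFv2 IP set takes."""
    data = json.loads(ip_ranges_json)
    v4 = {p["ip_prefix"] for p in data["prefixes"] if p["service"] == service}
    v6 = {p["ipv6_prefix"] for p in data["ipv6_prefixes"] if p["service"] == service}
    return sorted(v4, key=ipaddress.ip_network), sorted(v6, key=ipaddress.ip_network)


def matches_ip_set(source_ip: str, cidrs) -> bool:
    """True if source_ip falls inside any CIDR; v4/v6 mismatches never match."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def observed_source_ip(client_ip: str, accelerator_ip: str, client_ip_preservation: bool) -> str:
    """Simplified model of the referenced docs: with client IP preservation on,
    the ALB (and so WAF) evaluates the original client address; with it off,
    the source address is one of the accelerator's own."""
    return client_ip if client_ip_preservation else accelerator_ip


def waf_rule_action(source_ip, ip_set_cidrs, match_action="BLOCK", default_action="ALLOW"):
    """Decision of a single WAF rule whose statement is 'source IP in IP set'."""
    return match_action if matches_ip_set(source_ip, ip_set_cidrs) else default_action


def build_update_ip_set_request(name, scope, ip_set_id, lock_token, addresses):
    """Parameters for boto3 wafv2.update_ip_set(); built but not sent so the
    example stays offline. An IP set is IPv4-only or IPv6-only (IPAddressVersion
    is fixed at create_ip_set time), so call this once per version."""
    return {"Name": name, "Scope": scope, "Id": ip_set_id,
            "LockToken": lock_token, "Addresses": list(addresses)}


if __name__ == "__main__":
    ga_v4, ga_v6 = load_prefixes(SAMPLE_IP_RANGES, "GLOBALACCELERATOR")
    print("GA IPv4:", ga_v4, "GA IPv6:", ga_v6)
    # "<ip-set-id>" / "<lock-token>" are placeholders; real values come from get_ip_set()
    print(build_update_ip_set_request("ga-ipv4", "REGIONAL", "<ip-set-id>", "<lock-token>", ga_v4))
    client = "203.0.113.10"        # constructed client address
    accel = "13.248.102.152"       # the sampled source IP shown in the answer
    for preserve in (True, False):
        seen = observed_source_ip(client, accel, preserve)
        print(f"client IP preservation={preserve}: WAF sees {seen} -> {waf_rule_action(seen, ga_v4)}")
```

The last loop is the practical check: with preservation enabled the rule keyed on the GLOBALACCELERATOR ranges never fires for accelerator traffic, because the address WAF evaluates is the client's, not the accelerator's; with it disabled the same rule blocks (or counts) every request that came through GA. When wiring this into the Lambda, the `LockToken` passed to `update_ip_set` must be the current one returned by `get_ip_set`, otherwise the update is rejected.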
