3

I have an ELB which balances some EC2 instances. The ELB exposes the endpoints of the entire system.

Now I am creating a CloudFront distribution over this ELB. Is there a way to allow users to connect ONLY using the CloudFront endpoint and refuse direct connections to the ELB?

Thanks

Secret Garden
  • 31
  • 1
  • 5
  • IP address filtering is not the solution, here. The answers below have overlooked a viable solution to this problem. A solution does exist, but before I explain it in detail, I need some clarification so that I can focus on relevant details: what is your motivation for preventing direct access to the origin ELB? Also, is it an ELB Classic/1.0, or is it an ELB 2.0 -- also known as ALB (Application Load Balancer)? – Michael - sqlbot Feb 04 '17 at 00:18
  • @Michael-sqlbot Would love to see your answer to this, focusing on ALB, and a motivation of avoiding DDOS to the ALB and avoiding getting around WAF rules attached to the CloudFront distribution. – Tim Malone Jun 11 '18 at 21:52
  • 1
    @Michael-sqlbot Actually I just found your answer [here](https://stackoverflow.com/a/40667492/1982136) which is a great idea. – Tim Malone Jun 11 '18 at 22:08

8 Answers

4

You would have to restrict the security group to the list of IP address ranges used by CloudFront. This is a subset of the list published here.

Unfortunately that list is subject to change, so you can't just set it once and forget it. Amazon has published a tutorial here that walks you through setting up a Lambda function that will automatically update your security group when Amazon publishes an updated IP list.

Mark B
  • 183,023
  • 24
  • 297
  • 295
2

Unfortunately there is no straightforward way to do that right now.

ELB access can only be limited by IP ranges. You could try to limit the ELB to CloudFront's IP ranges, but this is rather brittle and changes frequently. If a new IP range is introduced, you may end up accidentally blocking CloudFront. I would say that this approach is not advisable, but I've seen it done when the requirement was mandatory. And it did break a few times.

vcsjones
  • 138,677
  • 31
  • 291
  • 286
1

You can set up an automated security group that only allows CloudFront IPs and let a Lambda function update it when CloudFront IP ranges change. On my blog post, you can find a complete CloudFormation template that will set this up for you:

https://medium.com/cagataygurturk/restricting-elb-access-to-cloudfront-8b0990dea69f

Cagatay Gurturk
  • 7,186
  • 3
  • 34
  • 44
1

If there is no record in R53 that uses your Load Balancer, and only cloudfront defines Alternate Domain Names (CNAMEs) used by your Load Balancer, then you can associate a WAF ACL with your Load Balancer that drops any request that does not match the Alternate Domain Names. In that case, you force using the CloudFront Distribution for your Load Balancer.

cloudsimon
  • 11
  • 1
0

AWS blogs have a solution for this scenario.

What it does is basically create a Lambda function that subscribes to an SNS topic which receives notifications for AWS IP address range changes (this topic is owned by AWS). This Lambda then updates the ELB/ALB security group dynamically. Lambda code is available here.

ubi
  • 4,041
  • 3
  • 33
  • 50
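The answers above (Mark B, vcsjones, Cagatay Gurturk and ubi) all describe the same mechanism: a Lambda that reads the published AWS IP ranges and rewrites the ELB security group. The following is an added example of that sync logic, not code from any answer or from the AWS tutorial they link. It assumes (not stated on the page) the ip-ranges.json layout (a "prefixes" list of objects with "ip_prefix", "region" and "service"), the CLOUDFRONT_ORIGIN_FACING service tag, and the boto3 EC2 method names authorize_security_group_ingress and revoke_security_group_ingress. The ip-ranges document, the security group and the EC2 client below are all constructed so it runs offline.

```python
"""Keep an ELB security group in sync with CloudFront's origin-facing IP ranges.

Added example; the ip-ranges.json layout, the CLOUDFRONT_ORIGIN_FACING tag and
the boto3 method names are assumptions, and every sample value is constructed.
"""
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed describe_security_groups()["SecurityGroups"][0] for the ELB: it still
# carries a stale range (192.0.2.0/24), lacks 203.0.113.0/24 and has no port-80 rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "192.0.2.0/24"}]},
    ],
}

PORTS = (80, 443)


def cloudfront_origin_facing_cidrs(document):
    """IPv4 CIDRs CloudFront uses to reach origins. The broader CLOUDFRONT tag also
    covers viewer-facing edges, which never connect to the origin, so it is skipped."""
    cidrs = set()
    for entry in json.loads(document)["prefixes"]:
        if entry["service"] == "CLOUDFRONT_ORIGIN_FACING":
            # ip_network() rejects a malformed prefix instead of pushing it into the SG
            cidrs.add(str(ipaddress.ip_network(entry["ip_prefix"])))
    return cidrs


def current_cidrs(sg, ports=PORTS):
    """CIDRs currently allowed inbound, keyed by web port."""
    by_port = {port: set() for port in ports}
    for perm in sg.get("IpPermissions", []):
        port = perm.get("FromPort")
        if perm.get("IpProtocol") == "tcp" and port in by_port and perm.get("ToPort") == port:
            by_port[port].update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return by_port


def plan_changes(current_by_port, desired):
    """Per port: ranges to add and ranges to drop so that only `desired` remains."""
    plan = {"authorize": {}, "revoke": {}}
    for port, current in current_by_port.items():
        plan["authorize"][port] = sorted(desired - current)
        plan["revoke"][port] = sorted(current - desired)
    return plan


def permissions(cidrs_by_port):
    """IpPermissions payload; ports with nothing to change are left out."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}
            for port, cidrs in sorted(cidrs_by_port.items()) if cidrs]


def apply_plan(ec2, group_id, plan):
    """Authorize new ranges before revoking stale ones, so a freshly published
    CloudFront range is never blocked mid-update (briefly using extra rule capacity)."""
    to_add, to_drop = permissions(plan["authorize"]), permissions(plan["revoke"])
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_add)
    if to_drop:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_drop)
    return plan


class RecordingEc2:
    """Constructed stand-in for boto3.client("ec2"): records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize", kwargs))

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke", kwargs))


def sync(ec2, sg, document):
    """What the Lambda handler does once it has fetched ip-ranges.json and the SG."""
    plan = plan_changes(current_cidrs(sg), cloudfront_origin_facing_cidrs(document))
    return apply_plan(ec2, sg["GroupId"], plan)


if __name__ == "__main__":
    client = RecordingEc2()
    print(sync(client, SAMPLE_SG, SAMPLE_IP_RANGES))
    for name, kwargs in client.calls:
        print(name, kwargs["IpPermissions"])
```

In a real Lambda the document comes from the URL in the SNS notification (after checking its MD5 against the one in the message) and the SG from describe_security_groups; the diff-then-apply order above is the part that decides whether an update window blocks legitimate CloudFront traffic.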
0

Starting in 2022, AWS finally provides a solution for this problem with managed prefix lists.

You can create an inbound security rule and under source directly specify the prefix list, instead of manually providing IP-Addresses:

To make your server reachable only from CloudFront servers, follow these steps:

  1. Go to https://console.aws.amazon.com/vpc/home#ManagedPrefixLists

  2. Choose your region (The region of your Load Balancer) and search for "com.amazonaws.global.cloudfront.origin-facing" and copy the id (e.g. "pl-a3a144ca" for europe-central-1)

  3. Edit your security group for the Load-Balancer and add a new Entry with Type: HTTP and as source paste the prefix-list-id from step 2

Now your security group will automatically always use the current IP addresses from CloudFront, no updating necessary. - A caveat: The prefix list counts as ~50 rules against the rules limit for a security group. If you have a lot of other custom rules, you will likely have to create a second security group with the other rules if this one is full.

Falco
  • 3,287
  • 23
  • 26
0

With the recent updates, there is a simpler way to achieve this now with prefix lists. In your security group configuration, you can add CloudFront prefix lists and never worry about keeping up with the dynamic IP changes etc.

"The CloudFront managed prefix list contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront's origin-facing servers, preventing any non-CloudFront traffic from reaching your origin." - From AWS Documentation

Here is an example of how to do this - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html#managed-prefix-list

Here is the announcement of this feature - https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/

and here are the prefix lists - https://us-west-2.console.aws.amazon.com/vpc/home?region=us-west-2#ManagedPrefixLists

Subhash Dike
  • 1,836
  • 1
  • 22
  • 37
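Falco's and Subhash Dike's answers above both move the problem to the CloudFront managed prefix list. Once that rule is in place, the thing a defender wants is a check that the load balancer's security group really admits web traffic only through that prefix list, and an estimate of the rule quota the prefix list consumes (Falco's caveat). The following is an added example of such an audit, not code from the answers or from AWS. It assumes (not on the page) the describe_security_groups IpPermissions shape (IpRanges, Ipv6Ranges, PrefixListIds, UserIdGroupPairs), the PrefixListIds field of authorize_security_group_ingress, and that a referenced prefix list is charged its max-entries figure per rule; the prefix list id, its max-entries value and the security groups below are constructed placeholders.

```python
"""Audit an ELB/ALB security group for CloudFront-only inbound web access.

Added example; the IpPermissions shape and the prefix-list quota accounting are
assumptions, and the prefix list id and security groups below are constructed.
"""

CLOUDFRONT_PL = "pl-00000000000000000"   # placeholder, not a real prefix list id
WEB_PORTS = (80, 443)

# Constructed describe_security_groups()["SecurityGroups"][0]: 443 goes through the
# prefix list, but 80 is open to the world and 22 is a non-web rule that must not count.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "PrefixListIds": []},
    ],
}


def rule_covers(perm, port):
    """True if an IpPermissions entry applies to tcp/<port> (including all-traffic rules)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_web_ingress(sg, prefix_list_id=CLOUDFRONT_PL, ports=WEB_PORTS):
    """Findings that would let a client reach the load balancer without going
    through CloudFront, plus web ports the prefix list does not cover at all."""
    findings = []
    for port in ports:
        via_prefix_list = False
        for perm in sg.get("IpPermissions", []):
            if not rule_covers(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                findings.append("tcp/%d open to %s (direct access bypasses CloudFront)" % (port, r["CidrIp"]))
            for r in perm.get("Ipv6Ranges", []):
                findings.append("tcp/%d open to %s (direct access bypasses CloudFront)" % (port, r["CidrIpv6"]))
            for pl in perm.get("PrefixListIds", []):
                if pl["PrefixListId"] == prefix_list_id:
                    via_prefix_list = True
                else:
                    findings.append("tcp/%d allows other prefix list %s" % (port, pl["PrefixListId"]))
        if not via_prefix_list:
            findings.append("tcp/%d has no rule for CloudFront prefix list %s" % (port, prefix_list_id))
    return findings


def prefix_list_permission(prefix_list_id, ports=WEB_PORTS):
    """authorize_security_group_ingress payload that admits the prefix list on each port."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "PrefixListIds": [{"PrefixListId": prefix_list_id,
                                "Description": "CloudFront origin-facing"}]} for p in ports]


def rule_count(sg, max_entries):
    """Rules charged against the group's inbound quota, assuming one per CIDR or
    group reference and, per rule, the max-entries figure of any prefix list it names."""
    total = 0
    for perm in sg.get("IpPermissions", []):
        total += len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
        total += len(perm.get("UserIdGroupPairs", []))
        total += sum(max_entries[pl["PrefixListId"]] for pl in perm.get("PrefixListIds", []))
    return total


# The same group after replacing the world-open port-80 rule with the prefix list.
HARDENED_SG = {
    "GroupId": SAMPLE_SG["GroupId"],
    "IpPermissions": [SAMPLE_SG["IpPermissions"][0], SAMPLE_SG["IpPermissions"][2]]
                     + prefix_list_permission(CLOUDFRONT_PL, ports=(80,)),
}

if __name__ == "__main__":
    entries = {CLOUDFRONT_PL: 50}   # constructed max-entries figure (the answer says ~50)
    for label, sg in (("before", SAMPLE_SG), ("after", HARDENED_SG)):
        print(label, audit_web_ingress(sg) or "no findings", "rules used:", rule_count(sg, entries))
```

The rule count is the practical catch: referencing the prefix list on both 80 and 443 charges its max-entries figure twice, which is why a group with a handful of other rules can hit the inbound-rule quota and need either a second security group, as Falco notes, or a quota increase.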
-1

As of February 2022 there is a simpler solution. AWS now manages a prefix list for CloudFront which auto-updates.

For details: https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/

4b0
  • 21,981
  • 30
  • 95
  • 142
Luciano
  • 426
  • 2
  • 9
  • 19
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. Please [edit] the answer with all relevant information. – Adriaan Nov 29 '22 at 07:05