Reputation: 43
I have an ELB which balances some EC2 instances. The ELB exposes the endpoints of the entire system.
Now I am creating a CloudFront distribution over this ELB. Is there a way to allow users to connect ONLY using CloudFront endpoint and refuse direct connections to ELB?
Thanks
Upvotes: 4
Views: 8381
Reputation: 1891
With the recent updates, there is now a simpler way to achieve this with prefix lists. In your security group configuration, you can add CloudFormation prefix lists and never worry about keeping up with the dynamic IP changes, etc.
"The CloudFront managed prefix list contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront's origin-facing servers, preventing any non-CloudFront traffic from reaching your origin." - From AWS Documentation
Here is an example of how to do this - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html#managed-prefix-list
Here is the announcement of this feature - https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
and here are the prefix lists - https://us-west-2.console.aws.amazon.com/vpc/home?region=us-west-2#ManagedPrefixLists
Upvotes: 2
Reputation: 3416
Starting in 2022, AWS finally provides a solution for this problem with managed prefix lists.
You can create an inbound security rule and, under Source, directly specify the prefix list instead of manually providing IP addresses:
To make your server reachable only from CloudFront servers, follow these steps:
1. Go to https://console.aws.amazon.com/vpc/home#ManagedPrefixLists
2. Choose your region (the region of your load balancer), search for "com.amazonaws.global.cloudfront.origin-facing" and copy the ID (e.g. "pl-a3a144ca" for europe-central-1).
3. Edit the security group of your load balancer and add a new entry with Type: HTTP and, as Source, paste the prefix list ID from step 2.
Now your security group will always use CloudFront's current IP addresses automatically, no updating necessary. A caveat: the prefix list counts as ~50 rules against the rule limit for a security group. If you have a lot of other custom rules, you will likely have to create a second security group with the other rules if this one is full.
Upvotes: 1
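The two prefix-list answers above describe the console steps; here is the same procedure as a script, an added example that is not code from either answer. It assumes `ec2` is a boto3 EC2 client for the load balancer's region (the `pl-...` ID is regional), that the default inbound-rule quota of 60 per security group applies, and it checks the rule-count caveat before adding anything. `StubEC2`, the group ID and the prefix list ID are constructed stand-ins so the logic runs offline.

```python
"""Lock an ELB/ALB security group to CloudFront's origin-facing servers with the
AWS-managed prefix list. Added example, not code from the original thread.
Assumes `ec2` is a boto3 EC2 client for the load balancer's region (the prefix
list ID is regional); StubEC2 below is a constructed offline stand-in."""

PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
OPEN_WORLD = "0.0.0.0/0"

def find_cloudfront_prefix_list(ec2):
    """Return (PrefixListId, MaxEntries) of the CloudFront origin-facing list."""
    resp = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [PREFIX_LIST_NAME]}])
    lists = resp.get("PrefixLists", [])
    if len(lists) != 1:
        raise LookupError(f"expected one {PREFIX_LIST_NAME}, found {len(lists)}")
    return lists[0]["PrefixListId"], lists[0]["MaxEntries"]

def inbound_rule_weight(ec2, sg):
    """Rule slots the group's inbound permissions already consume: each CIDR or
    referenced group counts 1, a referenced prefix list counts its MaxEntries."""
    weight, prefix_ids = 0, []
    for perm in sg.get("IpPermissions", []):
        weight += len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
        weight += len(perm.get("UserIdGroupPairs", []))
        prefix_ids += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    if prefix_ids:
        resp = ec2.describe_managed_prefix_lists(PrefixListIds=prefix_ids)
        weight += sum(pl["MaxEntries"] for pl in resp["PrefixLists"])
    return weight

def tcp_perm(port, **source):
    """One IpPermissions entry for a single TCP port and the given source."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **source}

def has_open_world(sg, port):
    """True if some inbound rule on `port` still allows 0.0.0.0/0."""
    for p in sg.get("IpPermissions", []):
        if p.get("FromPort") == port and any(r["CidrIp"] == OPEN_WORLD for r in p.get("IpRanges", [])):
            return True
    return False

def allow_only_cloudfront(ec2, group_id, port=443, rule_quota=60):
    """Add the prefix-list rule on `port`, then drop any 0.0.0.0/0 rule on it.
    `rule_quota` is the inbound-rules-per-group limit (60 is the default quota)."""
    pl_id, pl_entries = find_cloudfront_prefix_list(ec2)
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    used = inbound_rule_weight(ec2, sg)
    if used + pl_entries > rule_quota:  # the caveat from the thread: the list eats ~50 slots
        raise RuntimeError(f"{pl_id} needs {pl_entries} slots, {used}/{rule_quota} already used; "
                           "move other rules to a second security group first")
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[tcp_perm(
        port, PrefixListIds=[{"PrefixListId": pl_id, "Description": "CloudFront origin-facing"}])])
    revoked = has_open_world(sg, port)
    if revoked:  # allowing CloudFront is pointless while the world is still allowed
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=[tcp_perm(port, IpRanges=[{"CidrIp": OPEN_WORLD}])])
    return {"prefix_list_id": pl_id, "slots_used": used + pl_entries, "revoked_open_world": revoked}

class StubEC2:
    """Constructed offline stand-in for the boto3 EC2 client: a group open to the
    world on 443 and to an office CIDR on 22, plus a 55-entry prefix list."""
    def __init__(self, max_entries=55):
        self.max_entries = max_entries
        self.perms = [tcp_perm(443, IpRanges=[{"CidrIp": OPEN_WORLD}]),
                      tcp_perm(22, IpRanges=[{"CidrIp": "203.0.113.0/24"}])]

    def describe_managed_prefix_lists(self, **kwargs):
        return {"PrefixLists": [{"PrefixListId": "pl-0123456789abcdef0",  # placeholder ID
                                 "PrefixListName": PREFIX_LIST_NAME, "MaxEntries": self.max_entries}]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": list(self.perms)}]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.perms.extend(IpPermissions)

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.perms = [p for p in self.perms if p not in IpPermissions]

def demo(rule_quota=60):
    """Run the procedure against the stub and return the result plus the rules left."""
    ec2 = StubEC2()
    result = allow_only_cloudfront(ec2, "sg-0123456789abcdef0", rule_quota=rule_quota)
    result["rules"] = ec2.perms
    return result

if __name__ == "__main__":
    print(demo())
    # Real use: import boto3; allow_only_cloudfront(boto3.client("ec2", region_name="eu-central-1"), "sg-...")
```

The order matters: the prefix-list rule is authorized before the world-open rule is revoked, so there is no window in which CloudFront itself is blocked. Remember that this only stops traffic from non-CloudFront addresses; any CloudFront distribution, not just yours, can still reach the origin unless you also check a secret origin header at the application or WAF layer.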
Reputation: 486
As of February 2022 there is a simpler solution. AWS now manages a prefix list for CloudFront which auto-updates.
For details: https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
Upvotes: -1
Reputation: 4399
AWS blogs have a solution for this scenario.
What it does is basically create a Lambda function that subscribes to an SNS topic which receives notifications of AWS IP address range changes (this topic is owned by AWS). This Lambda then updates the ELB/ALB security group dynamically. The Lambda code is available here.
Upvotes: 0
Reputation: 11
If there is no record in R53 that uses your Load Balancer, and only CloudFront defines Alternate Domain Names (CNAMEs) used by your Load Balancer, then you can associate a WAF ACL with your Load Balancer that drops any request that does not match the Alternate Domain Names. In that case, you force the use of the CloudFront distribution for your Load Balancer.
Upvotes: 1
Reputation: 7246
You can set up an automated security group that only allows CloudFront IPs and let a Lambda function update it when CloudFront IP ranges change. In my blog post, you can find a complete CloudFormation template that will set this up for you:
https://medium.com/cagataygurturk/restricting-elb-access-to-cloudfront-8b0990dea69f
Upvotes: 1
Reputation: 200501
You would have to restrict the security group to the list of IP address ranges used by CloudFront. This is a subset of the list published here.
Unfortunately that list is subject to change, so you can't just set it once and forget it. Amazon has published a tutorial here that walks you through setting up a Lambda function that will automatically update your security group when Amazon publishes an updated IP list.
Upvotes: 4
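The three answers above that rely on a Lambda all do the same work: on each AWS IP-range change notification, download ip-ranges.json, take the CloudFront prefixes, and reconcile the security group against them. Here is that reconciliation logic as an added example; it is not the code from the AWS tutorial or the linked blog post. The ip-ranges.json layout (`prefixes[].ip_prefix`, `prefixes[].service`) and the `md5` field of the change notification are the documented ones; the sample document, security group and CIDRs below are constructed so that it runs offline, and the actual download and the boto3 calls are left out.

```python
"""Plan a security-group update from AWS's ip-ranges.json, the approach behind
the Lambda-based answers above. Added example, not the AWS tutorial's or the
blog's code. The sample document and security group below are constructed."""
import hashlib
import ipaddress
import json

def verify_digest(raw: bytes, expected_md5: str) -> None:
    """The IP-space change notification carries the md5 of the new file;
    refuse to reconfigure anything from a download that does not match it."""
    actual = hashlib.md5(raw).hexdigest()
    if actual != expected_md5.lower():
        raise ValueError(f"ip-ranges.json md5 {actual} != notified {expected_md5}")

def service_cidrs(ranges_doc: dict, service: str = "CLOUDFRONT") -> set[str]:
    """IPv4 prefixes tagged with `service`. CLOUDFRONT is what the tutorial
    filters on; the narrower CLOUDFRONT_ORIGIN_FACING tag covers origin traffic only."""
    cidrs = {p["ip_prefix"] for p in ranges_doc["prefixes"] if p["service"] == service}
    for c in cidrs:  # fail loudly on a malformed prefix rather than push it to a rule
        ipaddress.IPv4Network(c)
    return cidrs

def current_cidrs(sg: dict, port: int) -> set[str]:
    """CIDRs currently allowed on tcp/`port` in a describe_security_groups result."""
    out = set()
    for perm in sg.get("IpPermissions", []):
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) == ("tcp", port, port):
            out.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return out

def plan_update(ranges_doc: dict, sg: dict, port: int = 443, service: str = "CLOUDFRONT"):
    """Return (to_add, to_remove) so the group's tcp/`port` rules equal the service's ranges.
    Rules on other ports (e.g. SSH from an office range) are left alone."""
    wanted, have = service_cidrs(ranges_doc, service), current_cidrs(sg, port)
    return sorted(wanted - have), sorted(have - wanted)

def to_permissions(cidrs, port: int):
    """IpPermissions payload for authorize_/revoke_security_group_ingress."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": "CloudFront"} for c in cidrs]}]

def chunk(cidrs, size: int = 50):
    """Split the ranges across several security groups when they exceed the
    per-group rule quota (60 by default), as the tutorial does."""
    return [cidrs[i:i + size] for i in range(0, len(cidrs), size)]

# --- constructed sample data ---------------------------------------------------
SAMPLE_RANGES = (b'{"syncToken": "1700000000", "createDate": "2023-11-14-00-00-00", "prefixes": ['
                 b'{"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},'
                 b'{"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},'
                 b'{"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},'
                 b'{"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"}]}')
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "100.64.0.0/24"}]},  # one live, one stale
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}

def demo():
    """What the Lambda would do on one notification, without calling AWS."""
    notified_md5 = hashlib.md5(SAMPLE_RANGES).hexdigest()  # as if read from the SNS message
    verify_digest(SAMPLE_RANGES, notified_md5)
    to_add, to_remove = plan_update(json.loads(SAMPLE_RANGES), SAMPLE_SG)
    # Authorize the new ranges before revoking the stale ones, so CloudFront is
    # never locked out while the update is in flight.
    return {"to_add": to_add, "to_remove": to_remove,
            "authorize": to_permissions(to_add, 443), "revoke": to_permissions(to_remove, 443)}

if __name__ == "__main__":
    print(demo())
```

In a real handler the bytes come from the `url` in the SNS message and `sg` from `describe_security_groups`; the `authorize` payload is passed to `authorize_security_group_ingress` first and the `revoke` payload to `revoke_security_group_ingress` second. The md5 check is what keeps a truncated or tampered download from being turned into firewall rules.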
Reputation: 141618
Unfortunately there is no straightforward way to do that right now.
ELB access can only be limited by IP ranges. You could try to limit the ELB to CloudFront's IP ranges, but this is rather brittle, and the ranges change frequently. If a new IP range is introduced, you may end up accidentally blocking CloudFront. I would say that this approach is not advisable, but I've seen it done when the requirement was mandatory. And it did break a few times.
Upvotes: 2