Reputation: 390
I have an AWS API Gateway which should only be accessed by requests coming from Salesforce IP ranges. How do I accomplish that in CloudFormation with AWS::WAFv2::WebACL?
Upvotes: 1
Views: 1421
Reputation: 390
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'WAF rule to limit access to requests originating from Salesforce IP ranges only.'
Resources:
  SfdcIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Description: 'Salesforce IP ranges'
      Name: 'SfdcIPSet'
      Scope: REGIONAL            # REGIONAL for API Gateway; CLOUDFRONT is only for CloudFront distributions
      IPAddressVersion: IPV4
      Addresses:                 # each entry must be a canonical network address in CIDR notation
        - '13.108.0.0/14'
        - '96.43.144.0/20'
        - '136.146.0.0/15'
        - '204.14.232.0/21'
        - '85.222.128.0/19'
        - '185.79.140.0/22'
        - '101.53.160.0/19'
        - '182.50.76.0/22'
        - '202.129.242.0/23'
  SfdcIPRestrictionWebACL:
    Type: AWS::WAFv2::WebACL
    DependsOn:
      - SfdcIPSet
    Properties:
      Name: 'SfdcIPRestrictionWebACL'
      Scope: REGIONAL
      DefaultAction:
        Block: {}                # anything not matched by an Allow rule below is blocked
      Description: 'To limit access to Salesforce IP ranges only'
      Rules:
        - Name: 'sfdcIpLimitationRule'
          Priority: 0            # rules are evaluated in ascending priority order
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt SfdcIPSet.Arn   # CloudFormation spells this property Arn (the WAF API uses ARN)
          Action:
            Allow: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: 'sfdcIpLimitationRule'
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: 'SfdcWebACLMetric'
      # Capacity is a read-only attribute of the web ACL (!GetAtt SfdcIPRestrictionWebACL.Capacity),
      # not a settable property, so it is not declared here.
```
The list of Salesforce public IP ranges can be found here: https://help.salesforce.com/articleView?id=000321501&type=1&mode=1
To use the WebACL with an API gateway, make sure you use the correct WAFv2 syntax! Like so:
```yaml
  SfdcWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # For API Gateway the resource ARN is the stage ARN:
      #   arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage-name>
      # EnvironmentMapping and EnvironmentName come from the Mappings and Parameters
      # sections of the surrounding template (not shown here).
      ResourceArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcApiGatewayArn]
      WebACLArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcWebACLArn]
```
Another somewhat annoying thing I noticed: with the new view for "WAF & Shield" in the AWS console, you will only see the WAFv2 definitions. Older definitions can only be seen in the classic view.
Upvotes: 4
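As an added example that is not part of the question or the answer above: a small Python model of how the web ACL in the answer decides a request. It uses a constructed copy of the answer's IP set, the same rule order and the same Block default; `ipset_problems` flags entries an IPV4 IPSet rejects at deploy time (a CIDR with host bits set, a /0, or an IPv6 range), and `evaluate` shows which source addresses end up allowed or blocked.

```python
import ipaddress

# Constructed copy of the Addresses list from the SfdcIPSet resource in the answer.
SFDC_IPSET = [
    "13.108.0.0/14", "96.43.144.0/20", "136.146.0.0/15", "204.14.232.0/21",
    "85.222.128.0/19", "185.79.140.0/22", "101.53.160.0/19", "182.50.76.0/22",
    "202.129.242.0/23",
]

def ipset_problems(addresses):
    """Entries an IPV4 IPSet would reject when the stack is deployed: each address
    must be the canonical network address (no host bits set) with a /1 to /32 prefix."""
    problems = []
    for cidr in addresses:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict rejects host bits
        except ValueError:
            problems.append(cidr)
            continue
        if net.version != 4 or net.prefixlen < 1:
            problems.append(cidr)
    return problems

def evaluate(web_acl, source_ip):
    """Action the web ACL takes for a request from source_ip: rules are tried in
    ascending Priority order, the first IPSet match wins, and DefaultAction
    (Block in the answer's template) applies when nothing matches."""
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        nets = [ipaddress.ip_network(c) for c in rule["addresses"]]
        if any(ip in net for net in nets):  # an IPv6 source never matches an IPv4 set
            return rule["action"]
    return web_acl["default_action"]

# Same shape as SfdcIPRestrictionWebACL: one Allow rule, everything else blocked.
SFDC_WEB_ACL = {
    "default_action": "BLOCK",
    "rules": [{"name": "sfdcIpLimitationRule", "priority": 0,
               "addresses": SFDC_IPSET, "action": "ALLOW"}],
}

if __name__ == "__main__":
    assert not ipset_problems(SFDC_IPSET)
    for src in ("13.108.1.1", "8.8.8.8", "2001:db8::1"):
        print(src, evaluate(SFDC_WEB_ACL, src))
```

The statement in the answer matches the connection's source address; if requests reach the API through an intermediary that changes that address, the IPSetReferenceStatement's IPSetForwardedIPConfig is what switches matching to a forwarded-IP header instead.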