prabhat2k15

Reputation: 11

How to allow only cloudfront to access my api (elb)load balancer hosted on ec2 in AWS?

My ui is hosted on s3 via cloudfront. Apis are hosted on ec2. How to allow only traffic coming from AWS cloudfront to access the api? If this is not possible, is there any alternative method?

Upvotes: 1

Views: 1436

Answers (1)

Fermin

Reputation: 36071

You could use the AWS managed prefix list for CloudFront.

From https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html

The CloudFront managed prefix list contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront's origin-facing servers, preventing any non-CloudFront traffic from reaching your origin.

You can update the SecurityGroup attached to your EC2 instance to only allow traffic from the CloudFront prefix list.

You can view the "PrefixListId" by running the following CLI command:

aws ec2 describe-managed-prefix-lists

Use this Id value as the inbound source for your SecurityGroup rule.

Alternatively, AWS publishes a list of IP ranges for their services - these are available from https://ip-ranges.amazonaws.com/ip-ranges.json or you can get the CloudFront IP addresses from https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

You could use the published IP ranges in your SecurityGroup, but using a prefix list is preferred as you then don't need to track any changes to the IP addresses.

Upvotes: 3
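The lookup-then-authorize procedure from the answer, together with an audit that a security group really admits only the CloudFront prefix list and a filter for the ip-ranges.json alternative, as an added example (not code from the answer, the question, or AWS). It works on constructed samples shaped like the `describe-managed-prefix-lists`, `describe-security-groups` and ip-ranges.json outputs so it runs offline; the prefix-list name `com.amazonaws.global.cloudfront.origin-facing` is AWS's real name for the list, while every ID, group ID and CIDR below is made up.

```python
import json

# Real name of the AWS-managed prefix list for CloudFront origin-facing servers.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"

# Constructed sample of `aws ec2 describe-managed-prefix-lists` output (IDs made up).
DESCRIBE_PREFIX_LISTS = {
    "PrefixLists": [
        {"PrefixListId": "pl-0123456789abcdef0", "PrefixListName": "com.amazonaws.us-east-1.s3",
         "AddressFamily": "IPv4", "OwnerId": "AWS"},
        {"PrefixListId": "pl-0fedcba9876543210", "PrefixListName": CLOUDFRONT_PREFIX_LIST_NAME,
         "AddressFamily": "IPv4", "OwnerId": "AWS"},
    ]
}

# Constructed sample of one entry from `aws ec2 describe-security-groups`:
# 443 is correctly restricted to the prefix list, 80 is open to the world, 22 is out of scope.
SAMPLE_SG = {
    "GroupId": "sg-0abc0abc0abc0abc0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": "pl-0fedcba9876543210"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "PrefixListIds": []},
    ],
}

# Constructed sample shaped like ip-ranges.json (documentation CIDRs, not real AWS ranges).
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ]
}


def cloudfront_prefix_list_id(describe_output):
    """Pick the AWS-owned CloudFront origin-facing list out of describe-managed-prefix-lists output."""
    for pl in describe_output["PrefixLists"]:
        if pl["PrefixListName"] == CLOUDFRONT_PREFIX_LIST_NAME and pl.get("OwnerId") == "AWS":
            return pl["PrefixListId"]
    raise LookupError("CloudFront managed prefix list not found in this region")


def ingress_rule(prefix_list_id, port):
    """IpPermissions entry that admits the prefix list (and nothing else) on one TCP port."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "CloudFront origin-facing servers"}],
    }


def authorize_command(group_id, prefix_list_id, port):
    """The CLI call that adds the rule; returned as a string so the caller can review it first."""
    perms = json.dumps([ingress_rule(prefix_list_id, port)], separators=(",", ":"))
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{perms}'")


def audit_security_group(sg, prefix_list_id, ports=(80, 443)):
    """List every inbound source on the web ports that is not the CloudFront prefix list."""
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" means all protocols and ports, so it always covers the web ports.
        covers = proto == "-1" or (proto == "tcp" and any(lo <= p <= hi for p in ports))
        if not covers:
            continue
        span = "all" if proto == "-1" else f"tcp {lo}-{hi}"
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']} on {span}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"IPv6 source {r['CidrIpv6']} on {span}")
        for r in perm.get("UserIdGroupPairs", []):
            findings.append(f"security group source {r['GroupId']} on {span}")
        for r in perm.get("PrefixListIds", []):
            if r["PrefixListId"] != prefix_list_id:
                findings.append(f"foreign prefix list {r['PrefixListId']} on {span}")
    return findings


def cloudfront_cidrs(ip_ranges):
    """The manual alternative: CloudFront IPv4 prefixes from an ip-ranges.json document."""
    return sorted(p["ip_prefix"] for p in ip_ranges["prefixes"] if p["service"] == "CLOUDFRONT")


if __name__ == "__main__":
    pl_id = cloudfront_prefix_list_id(DESCRIBE_PREFIX_LISTS)
    print(authorize_command(SAMPLE_SG["GroupId"], pl_id, 443))
    for finding in audit_security_group(SAMPLE_SG, pl_id):
        print("FINDING:", finding)
    print("CloudFront CIDRs from ip-ranges.json:", cloudfront_cidrs(SAMPLE_IP_RANGES))
```

Run against real CLI output (`aws ec2 describe-managed-prefix-lists --output json`, `aws ec2 describe-security-groups --group-ids ... --output json`) the audit flags any `0.0.0.0/0` or stray source that would let traffic bypass CloudFront. Note that the prefix list admits every CloudFront distribution, not only yours; the usual complement is a secret custom origin header that CloudFront adds and the origin verifies.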
