
How do I restrict direct traffic to an Application Load Balancer and only allow traffic through CloudFront?

I want to restrict direct access to an Application Load Balancer and only allow access through Amazon CloudFront.

Short description

To restrict direct traffic to an Application Load Balancer and allow access only through CloudFront, use Application Load Balancer listener rules. If you already have an AWS WAF web access control list (web ACL), then you can use web ACL rules instead. Both approaches check a custom HTTP header that CloudFront adds to the requests that it forwards to your origin. To further restrict access to your Application Load Balancer, configure its security group with the AWS managed prefix list for CloudFront. It's a best practice to use one of the header-based solutions and also configure your security group: the prefix list alone allows traffic from any CloudFront distribution, including distributions in other AWS accounts, so it doesn't by itself tie the load balancer to your distribution.

Resolution

Application Load Balancer listener rules

To use Application Load Balancer listener rules to restrict traffic, see Restrict access to Application Load Balancers.
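The following script is an added example of the listener-rule approach with the AWS CLI; it is not part of the AWS article. It makes the listener's default action a fixed 403 response and adds a single rule that forwards to the target group only when the request carries the custom header that CloudFront adds at the origin. The header name, secret value, listener ARN and target group ARN are placeholders that you must replace; the `APPLY` and `ORIGIN_SECRET` environment variables are this script's own convention.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): restrict an ALB listener so that only
# requests carrying the CloudFront origin custom header reach the target group.
# Placeholders below (ARNs, header name, secret) are assumptions; replace them.
set -eu

HEADER_NAME="X-Origin-Verify"   # must match the custom header configured on the CloudFront origin
HEADER_VALUE="${ORIGIN_SECRET:-replace-with-a-long-random-secret}"
LISTENER_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/0123456789abcdef/0123456789abcdef"
TARGET_GROUP_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/0123456789abcdef"

# Rule condition: the http-header field must equal the shared secret.
header_condition() {  # usage: header_condition <header-name> <secret>
  printf '[{"Field":"http-header","HttpHeaderConfig":{"HttpHeaderName":"%s","Values":["%s"]}}]' "$1" "$2"
}

# Default action for everything that does not match a rule: the ALB itself answers 403,
# so a direct hit never reaches a backend target.
deny_default_action() {
  printf '[{"Type":"fixed-response","FixedResponseConfig":{"StatusCode":"403","ContentType":"text/plain","MessageBody":"Forbidden"}}]'
}

forward_action() {  # usage: forward_action <target-group-arn>
  printf '[{"Type":"forward","TargetGroupArn":"%s"}]' "$1"
}

# Apply both changes with the AWS CLI (needs credentials; not run unless APPLY=1).
apply_listener_rule() {
  aws elbv2 modify-listener --listener-arn "$LISTENER_ARN" \
      --default-actions "$(deny_default_action)"
  aws elbv2 create-rule --listener-arn "$LISTENER_ARN" --priority 1 \
      --conditions "$(header_condition "$HEADER_NAME" "$HEADER_VALUE")" \
      --actions "$(forward_action "$TARGET_GROUP_ARN")"
}

# Check from outside: a direct request should get 403, the same request with the
# header should get the application's normal response. -k is needed because the
# ALB's default DNS name does not match the certificate on the listener.
verify_direct_access() {  # usage: verify_direct_access https://<alb-dns-name>/
  printf 'without header: %s\n' "$(curl -sk -o /dev/null -w '%{http_code}' "$1")"
  printf 'with header:    %s\n' "$(curl -sk -o /dev/null -w '%{http_code}' -H "$HEADER_NAME: $HEADER_VALUE" "$1")"
}

if [ "${APPLY:-0}" = "1" ]; then apply_listener_rule; fi
```

The rule is evaluated before the default action, so the order of the two CLI calls doesn't matter; what matters is that the default action is the deny, not a forward. Treat the secret like a credential: generate it randomly, and change it in both CloudFront and the listener rule if it leaks.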

AWS WAF

Note: AWS WAF charges are based on the following factors:

  • Number of web ACLs that you create
  • Number of rules that you add to each web ACL
  • Number of web requests that AWS WAF inspects

For more information, see AWS WAF pricing.

To use AWS WAF custom web ACL rules to restrict traffic, configure CloudFront to add a custom HTTP header to the requests that it sends to the origin. Then, create a rule in a regional AWS WAF web ACL that's associated with the Application Load Balancer (not in a web ACL that's associated with the CloudFront distribution, because that web ACL inspects viewer requests before CloudFront adds the header). Use this rule to block requests that don't contain the custom HTTP header with the secret value.

Configure CloudFront to add a custom HTTP header

Complete the following steps:

  1. Open the CloudFront console.
  2. In the navigation pane, choose Distributions, and then select your distribution ID.
  3. Choose the Origins tab.
  4. Select your Application Load Balancer, and then choose Edit.
    Note: If your Application Load Balancer isn't an origin, update your distribution, and then set the Application Load Balancer as an origin.
  5. For Add custom header, enter the Header name and Value.
    Important: The Header name and Value act as a shared secret, like a username and password. Use a long, random value, and note both for use later in this procedure.
  6. Choose Save changes.

Create a rule in your web ACL to block requests without the header

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose Resources & protection packs.
  3. Choose Create protection pack.
  4. Under Tell us about your app, for App category, select one or more app categories.
  5. For Traffic source, choose the type of traffic the application engages with, such as API, Web, or Both API and Web.
  6. Under Resources to protect, choose Add resources.
  7. Under Regional, select the AWS Region of your Application Load Balancer, and then select the load balancer from the list.
    Note: The web ACL must be associated with the Application Load Balancer, not with the CloudFront distribution. CloudFront adds the custom header only to requests that it forwards to the origin, so a web ACL on the distribution never sees the header and would block all viewer traffic.
  8. Under Choose protection pack, select Build your own pack from all of the protections AWS WAF offers.
  9. In the right pane, choose Custom rule, and then choose Next.
    Choose Custom rule again, and then choose Next.
  10. Set the Rule Action to BLOCK.
  11. Enter your Rule name.
  12. For If a request, expand the dropdown, and then choose does not match the statement (NOT).
  13. For Inspect, choose Single header.
  14. Under Statement, complete the following:
    For Header field name, enter the Header name that you created in CloudFront.
    For Match type, choose Exactly matches string.
    For String to match, enter the Value that you created in CloudFront.
    (Optional) For Text transformation, choose None.
  15. Choose Create rule.
  16. (Optional) If the web ACL contains multiple rules, choose Edit Rule Order in the right pane, and then move this rule to the highest priority so that it's evaluated first.
  17. Choose Save Rule Order.
  18. Under Name and description, enter a name for your protection pack.
  19. Choose Create protection pack.
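The following script is an added example of the same web ACL configuration with the AWS CLI; it is not part of the AWS article, and it assumes that the CloudFront origin custom header from the previous steps is already in place. It creates a REGIONAL web ACL (the scope that can be associated with an Application Load Balancer) whose only rule blocks every request in which the custom header does not exactly equal the secret, and then associates the web ACL with the load balancer. The Region, load balancer ARN, web ACL name, header name and secret are placeholders; `APPLY` and `ORIGIN_SECRET` are this script's own convention.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): AWS CLI version of the console steps above.
# Placeholders (Region, ALB ARN, header name, secret, web ACL name) are assumptions.
set -eu

REGION="us-east-1"
ALB_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef"
HEADER_NAME="x-origin-verify"   # SingleHeader matching in WAFv2 is not case sensitive; AWS examples use lowercase
HEADER_VALUE="${ORIGIN_SECRET:-replace-with-a-long-random-secret}"
WEB_ACL_NAME="alb-cloudfront-only"

# One rule: NOT(header exactly equals secret) -> Block. Priority 0 is evaluated first.
block_without_header_rule() {  # usage: block_without_header_rule <header-name> <secret>
  printf '[{"Name":"BlockWithoutCloudFrontHeader","Priority":0,"Action":{"Block":{}},'
  printf '"Statement":{"NotStatement":{"Statement":{"ByteMatchStatement":{'
  printf '"FieldToMatch":{"SingleHeader":{"Name":"%s"}},"PositionalConstraint":"EXACTLY",' "$1"
  printf '"SearchString":"%s","TextTransformations":[{"Priority":0,"Type":"NONE"}]}}}},' "$2"
  printf '"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,'
  printf '"MetricName":"BlockWithoutCloudFrontHeader"}}]'
}

# Create the regional web ACL and attach it to the load balancer (needs credentials;
# not run unless APPLY=1). --cli-binary-format raw-in-base64-out lets SearchString be
# passed as plain text; AWS CLI v2 otherwise expects base64 for blob fields.
create_and_associate() {
  web_acl_arn="$(aws wafv2 create-web-acl --region "$REGION" --scope REGIONAL \
      --name "$WEB_ACL_NAME" \
      --default-action Allow={} \
      --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$WEB_ACL_NAME" \
      --cli-binary-format raw-in-base64-out \
      --rules "$(block_without_header_rule "$HEADER_NAME" "$HEADER_VALUE")" \
      --query 'Summary.ARN' --output text)"
  aws wafv2 associate-web-acl --region "$REGION" \
      --web-acl-arn "$web_acl_arn" --resource-arn "$ALB_ARN"
}

if [ "${APPLY:-0}" = "1" ]; then create_and_associate; fi
```

If you already have a regional web ACL on the load balancer, add the rule to it with `aws wafv2 update-web-acl` (which requires the current LockToken from `get-web-acl`) instead of creating a second one, and give the rule a lower priority number than any allow rules so that it's evaluated first.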

Configure security groups

To further restrict traffic to an Application Load Balancer, reference the AWS managed prefix list for CloudFront in the inbound rules of the security groups that are associated with the Application Load Balancer. The prefix list contains the origin-facing IP address ranges of all CloudFront edge locations, so it blocks traffic that doesn't come through CloudFront but doesn't distinguish your distribution from anyone else's. Combine it with one of the header checks above.

To update an existing security group, see Update the associated security groups. To associate your Application Load Balancer with a security group, complete the following steps:

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. In the navigation pane, under Load Balancing, choose Load Balancers.
  3. Select your Application Load Balancer, and then choose the Security tab.
  4. Select the security group that you want to associate with your Application Load Balancer.
  5. To modify the inbound rules, choose Edit inbound rules, and then update the configurations for your use case.
    Note: If you have a rule that allows 0.0.0.0/0, then you must add a new rule before you delete the existing rule.
  6. For Type, choose the protocol that your listener uses, such as HTTPS.
  7. For Source, choose Custom, and then select the CloudFront managed prefix list (com.amazonaws.global.cloudfront.origin-facing).
  8. Choose Save.
    Note: It's a best practice to allow only the ports that your Application Load Balancer listeners use.

Under the default quotas, you can reference the CloudFront managed prefix list only one time in each security group because of the prefix list weight: the list counts as 55 rules, and the default quota is 60 inbound rules per security group, so a second reference exceeds the quota. To add another rule with the CloudFront prefix list as the source in the same security group, request a quota increase. Or, use two security groups that each reference the CloudFront managed prefix list.
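The following script is an added example of the security group change with the AWS CLI; it is not part of the AWS article. It looks up the ID of the CloudFront origin-facing managed prefix list in the Region, adds an inbound rule that allows port 443 only from that prefix list, and then removes the open 0.0.0.0/0 rule, in that order, as the note above requires. The Region and security group ID are placeholders; the prefix list name is the real AWS one. `APPLY` is this script's own convention.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): swap a wide-open ingress rule on the ALB
# security group for one that references the CloudFront origin-facing prefix list.
# Placeholders (Region, security group ID) are assumptions.
set -eu

REGION="us-east-1"
SG_ID="sg-0123456789abcdef0"
PREFIX_LIST_NAME="com.amazonaws.global.cloudfront.origin-facing"
PORT=443

# Inbound rule JSON: one TCP port, source restricted to a managed prefix list.
prefix_list_permission() {  # usage: prefix_list_permission <prefix-list-id> <port>
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"PrefixListIds":[{"PrefixListId":"%s","Description":"CloudFront origin-facing"}]}]' "$2" "$2" "$1"
}

# Inbound rule JSON for a CIDR source, used here to name the open rule being revoked.
cidr_permission() {  # usage: cidr_permission <cidr> <port>
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s"}]}]' "$2" "$2" "$1"
}

# Resolve the prefix list ID; it differs per Region, so never hard-code it.
cloudfront_prefix_list_id() {
  aws ec2 describe-managed-prefix-lists --region "$REGION" \
      --filters "Name=prefix-list-name,Values=$PREFIX_LIST_NAME" \
      --query 'PrefixLists[0].PrefixListId' --output text
}

# Add the restrictive rule first, then drop the open one, so the ALB is never
# unreachable in between. Revoking a rule that does not exist is an error, hence || true.
# The prefix list counts as 55 rules against the default quota of 60 per security
# group, which is why it is referenced once, for a single port.
lock_down() {
  pl_id="$(cloudfront_prefix_list_id)"
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$SG_ID" \
      --ip-permissions "$(prefix_list_permission "$pl_id" "$PORT")"
  aws ec2 revoke-security-group-ingress --region "$REGION" --group-id "$SG_ID" \
      --ip-permissions "$(cidr_permission 0.0.0.0/0 "$PORT")" || true
}

if [ "${APPLY:-0}" = "1" ]; then lock_down; fi
```

After applying, `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>` should list the prefix list rule and no remaining 0.0.0.0/0 entry for the listener ports; if your listener also accepts port 80 for redirects, that second rule needs either a quota increase or a second security group, as described above.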

Related information

Limit access to your origins using the AWS managed prefix list for Amazon CloudFront

How can I restrict location access to web content that my CloudFront distribution serves?

AWS OFFICIAL, updated 9 months ago

Comments

Actually, the check of the custom HTTP header set by Amazon CloudFront can be done natively on the ALB level without attaching AWS WAF to the ALB. This will be cheaper and simpler than creating a WebACL and WAF rules just for this check.

You can do it by creating an HTTP header ALB listener rule that inspects requests for a specific header name and header value. See more details in our docs: Listener rules for your Application Load Balancer.

AWS
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago