Hi everyone,
I'm running a Django application in an AWS Lightsail container service, exposed via a custom domain managed by Cloudflare DNS, which proxies requests to the Lightsail Container public endpoint. Despite using Cloudflare as a reverse proxy (with "proxied" DNS records), I’m still experiencing DDoS attacks hitting my container's public endpoint. Upon inspecting the NGINX logs, I see requests coming in with internal AWS IPs (e.g., 172.26.x.x), and many of them list the Lightsail public container endpoint (e.g., vgpdne5ck4i8a.eu-central-1.cs.amazonlightsail.com) in the referrer or host.
I want to ensure that only Cloudflare can access my container. In the Lightsail Instance service I can restrict incoming HTTP traffic by IP range. However, Lightsail containers don't expose any similar setting.
Is it possible to restrict ingress traffic to my Lightsail container so only Cloudflare IPs can access it?
Any advice, examples, or experience would be appreciated!
Thanks in advance! 🙏
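Added example (not part of the original post, and not an official AWS or Cloudflare recipe): since the container service exposes no network-level IP filter, the allowlist can be enforced in the Django app itself. The middleware below treats the Lightsail load balancer as the single trusted proxy and assumes it appends the address that connected to the public endpoint to X-Forwarded-For (check this against the NGINX logs before relying on it; if the header is absent, the code fails closed). The Cloudflare ranges in the block are a small placeholder subset; the authoritative lists are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and should be loaded from there at deploy time. All names (`CLOUDFLARE_RANGES`, `connecting_ip`, `evaluate_request`, `CloudflareOnlyMiddleware`) are hypothetical.

```python
"""Reject requests that did not arrive through Cloudflare.

Assumed topology (not confirmed by the original post):
  client -> Cloudflare edge -> Lightsail load balancer -> container (NGINX/Django)
The load balancer is the only hop we trust. REMOTE_ADDR is its private
address (the 172.26.x.x seen in the logs), so the address that matters is the
one the load balancer appended to X-Forwarded-For: the IP that connected to
the public endpoint. Anything to the left of that entry is attacker-supplied.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Placeholder subset of Cloudflare's published ranges. Load the full, current
# lists from https://www.cloudflare.com/ips-v4 and /ips-v6 in production.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32")
]

# Number of proxies we control between the internet and the app. For the
# Lightsail container service this is assumed to be exactly one (its LB).
TRUSTED_PROXY_HOPS = 1


def connecting_ip(remote_addr: Optional[str], xff_header: Optional[str],
                  trusted_hops: int = TRUSTED_PROXY_HOPS) -> Optional[str]:
    """Return the address that connected to the outermost trusted proxy.

    With N trusted hops, the N-th entry from the right of X-Forwarded-For was
    written by a proxy we control; everything left of it is untrusted input.
    Returns None (fail closed) when the header is missing or too short.
    """
    if trusted_hops <= 0:
        return remote_addr  # no proxy in front: the TCP peer is the client
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    return hops[-trusted_hops]


def is_cloudflare(ip_str: Optional[str], ranges=CLOUDFLARE_RANGES) -> bool:
    """True if ip_str parses and falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except (ValueError, TypeError):
        return False
    return any(ip in net for net in ranges)


def evaluate_request(meta: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Decide on a WSGI-style META dict; returns (allowed, real_client_ip).

    The real client IP is taken from CF-Connecting-IP only after the request
    is proven to have come from Cloudflare; otherwise the header is untrusted.
    """
    hop = connecting_ip(meta.get("REMOTE_ADDR"), meta.get("HTTP_X_FORWARDED_FOR"))
    if not is_cloudflare(hop):
        return False, None
    return True, meta.get("HTTP_CF_CONNECTING_IP", hop)


class CloudflareOnlyMiddleware:
    """Django middleware wrapper; add it near the top of MIDDLEWARE."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        allowed, client_ip = evaluate_request(request.META)
        if not allowed:
            from django.http import HttpResponseForbidden  # imported lazily
            return HttpResponseForbidden("origin accepts traffic from Cloudflare only")
        request.META["HTTP_X_REAL_CLIENT_IP"] = client_ip
        return self.get_response(request)


if __name__ == "__main__":
    # Constructed sample requests as the Lightsail LB would present them.
    via_cloudflare = {"REMOTE_ADDR": "172.26.1.5",
                      "HTTP_X_FORWARDED_FOR": "198.51.100.7, 173.245.48.10",
                      "HTTP_CF_CONNECTING_IP": "198.51.100.7"}
    # Direct hit on the public endpoint with a forged header: the LB appends
    # the attacker's own address last, so the forged Cloudflare IP is ignored.
    direct_forged = {"REMOTE_ADDR": "172.26.1.5",
                     "HTTP_X_FORWARDED_FOR": "198.51.100.7, 173.245.48.10, 203.0.113.9"}
    print(evaluate_request(via_cloudflare))   # (True, '198.51.100.7')
    print(evaluate_request(direct_forged))    # (False, None)
```

Keep `ALLOWED_HOSTS` limited to the custom domain as well, so requests addressed to the raw `*.cs.amazonlightsail.com` hostname are refused early; that is cheap but not sufficient on its own, because a direct caller can set any Host header. If the logs show that the load balancer does not populate X-Forwarded-For, this check has nothing to work with, and the fallback is a shared-secret request header added by a Cloudflare rule and verified in the same middleware.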