CloudFormation cannot communicate with containers if they don't allow inbound traffic from everywhere


I have a load balancer that is dual-stack-without-ipv4.

It's working well. It's serving my container's webserver well.

CloudFront instead gives me this:

ERROR Failed to contact the origin.

This is my actual configuration:

  ContainerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: container-sg
      VpcId: !ImportValue VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId:
            Ref: LoadBalancerSecurityGroup
        
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: balancer-sg
      VpcId: !ImportValue VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIpv6: ::/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0

To make it work, I need to add this to my container security group:

        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0   # Allow IPv4 traffic from anywhere
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0     # Allow IPv6 traffic from anywhere

This is CloudFront's actual config:

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: ApplicationLoadBalancer
            DomainName:
              Fn::GetAtt:
                - LoadBalancer
                - DNSName
            CustomOriginConfig:
              HTTPPort: '80'
              OriginProtocolPolicy: http-only
              OriginReadTimeout: 60
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: ApplicationLoadBalancer
          Compress: true
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods:
            - DELETE
            - GET
            - HEAD
            - OPTIONS
            - PATCH
            - POST
            - PUT
          MinTTL: 0
          MaxTTL: 86400
          DefaultTTL: 86400

Why!? I absolutely want to AVOID a direct connection to my container.

I don't know how traffic is routed between CloudFront and the load balancer. I supposed that CloudFront accesses my load balancer, and so my container can still go on accepting incoming traffic only from the load balancer.

Something is wrong, but I don't understand why.

2 Answers
Accepted Answer

Hello.

Try registering CloudFront's managed prefix list in the security group's inbound rules.
By registering this, you can allow communication from CloudFront.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/limit-access-to-your-origins-using-the-aws-managed-prefix-list-for-amazon-cloudfront/

So I think you can use it by configuring the security group as follows.

  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: balancer-sg
      VpcId: !ImportValue VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourcePrefixListId: prefix-list-id # <-- Add

You can check the prefix list ID using the AWS CLI command below.

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing

Please note that as of May 2024, CloudFront cannot communicate with IPv6-only origins, so a public IPv4 address is required for the ALB.
In other words, "dual-stack-without-ipv4" may not work properly.
https://repost.aws/questions/QUOWEDVURTSxWkSlenuHaS4g/cloudfront-support-for-ipv6-origins

answered 5 months ago (EXPERT)
reviewed 5 months ago (AWS EXPERT)
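As an added illustration of the two rules the accepted answer describes (containers reachable only from the load balancer's security group, the load balancer reachable only from the CloudFront managed prefix list), here is a small audit script that is not part of the original thread. It takes a CloudFormation template in its JSON form as a Python dict (so `!ImportValue VPC` becomes `{"Fn::ImportValue": "VPC"}`); the logical IDs, the constructed "before" and "after" templates and the `pl-PLACEHOLDER` prefix list ID are assumptions for illustration, not values from the page.

```python
# Added example, not from the original post: audit two security groups in a
# CloudFormation template (dict/JSON form) for the mistakes discussed in the thread.
WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "anyone on the Internet"

def ingress_rules(template, logical_id):
    """Return the SecurityGroupIngress list of one AWS::EC2::SecurityGroup resource."""
    res = template["Resources"][logical_id]
    assert res["Type"] == "AWS::EC2::SecurityGroup", logical_id
    return res["Properties"].get("SecurityGroupIngress", [])

def audit(template, container_sg, lb_sg):
    """Return a list of findings; an empty list means the template matches the intent:
    containers only from the load balancer, the load balancer only from CloudFront."""
    findings = []
    for rule in ingress_rules(template, container_sg):
        if rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
            findings.append(f"{container_sg}: port {rule['FromPort']} open to the Internet")
        elif rule.get("SourceSecurityGroupId") != {"Ref": lb_sg}:
            findings.append(f"{container_sg}: source other than {lb_sg}")
    lb_rules = ingress_rules(template, lb_sg)
    if not any("SourcePrefixListId" in r for r in lb_rules):
        findings.append(f"{lb_sg}: no CloudFront managed prefix list rule")
    for rule in lb_rules:
        if rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
            findings.append(f"{lb_sg}: port {rule['FromPort']} open to the Internet (bypasses CloudFront)")
    return findings

def tcp(port, **source):
    """One ingress rule for a single TCP port; source is CidrIp/CidrIpv6/SourceSecurityGroupId/..."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **source}

def template(container_rules, lb_rules):
    sg = lambda desc, rules: {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": desc, "VpcId": {"Fn::ImportValue": "VPC"}, "SecurityGroupIngress": rules}}
    return {"Resources": {"ContainerSecurityGroup": sg("container-sg", container_rules),
                          "LoadBalancerSecurityGroup": sg("balancer-sg", lb_rules)}}

# Constructed "before": the asker's workaround of opening the containers to everyone.
BEFORE = template(
    [tcp(80, SourceSecurityGroupId={"Ref": "LoadBalancerSecurityGroup"}),
     tcp(80, CidrIp="0.0.0.0/0"), tcp(80, CidrIpv6="::/0")],
    [tcp(80, CidrIp="0.0.0.0/0"), tcp(443, CidrIpv6="::/0")])

# Constructed "after": the accepted answer, with a placeholder for the real prefix list ID
# (look it up with `aws ec2 describe-managed-prefix-lists`, as shown in the answer).
AFTER = template(
    [tcp(80, SourceSecurityGroupId={"Ref": "LoadBalancerSecurityGroup"})],
    [tcp(80, SourcePrefixListId="pl-PLACEHOLDER")])

if __name__ == "__main__":
    for name, t in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(t, "ContainerSecurityGroup", "LoadBalancerSecurityGroup") or ["OK"])
```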

Hi, you are absolutely right. You shouldn't allow inbound traffic from anywhere to your containers, as it would allow for possible malicious attacks. Your configuration seems correct. The only possible reason I see here is that probably the Load Balancer is not using the Security Group created for it. Could you share your configuration for the ALB as well?

answered 5 months ago
