Hello.
Try registering CloudFront's managed prefix list in the security group's inbound rules.
By registering this, you can allow communication from CloudFront.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/limit-access-to-your-origins-using-the-aws-managed-prefix-list-for-amazon-cloudfront/
So I think you can use it by configuring the security group as follows.
LoadBalancerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: balancer-sg
    VpcId: !ImportValue VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        SourcePrefixListId: prefix-list-id # <-- Add
You can check the prefix list ID using the AWS CLI command below.
aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing
Please note that as of May 2024, CloudFront cannot communicate with IPv6-only origins, so a public IPv4 address is required for the ALB.
In other words, "dual-stack-without-ipv4" may not work properly.
https://repost.aws/questions/QUOWEDVURTSxWkSlenuHaS4g/cloudfront-support-for-ipv6-origins
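To check whether an existing security group actually has the shape the answer above recommends, here is an added audit script (example code, not part of the answer or of any AWS tooling). It takes a security group in the JSON shape returned by `aws ec2 describe-security-groups` and classifies each listener port as open to the world, restricted to the CloudFront origin-facing prefix list, reachable only from other specific sources, or closed. The two security groups and the prefix-list ID `pl-PLACEHOLDER` are constructed samples; in practice you would substitute the real ID returned by the `describe-managed-prefix-lists` command shown above.

```python
"""Audit ALB security-group ingress for CloudFront-only access.

Added example; the sample groups below are constructed to mirror the
describe-security-groups output shape and are not real resources.
"""
from typing import Dict, List, Tuple

# Prefix-list name from the answer; the ID is looked up at runtime, so this
# sample uses an obvious placeholder instead of a real pl-... value.
CLOUDFRONT_PL_NAME = "com.amazonaws.global.cloudfront.origin-facing"
PLACEHOLDER_PL_ID = "pl-PLACEHOLDER"

# Constructed sample 1: the problem state, HTTP open to the whole internet.
OPEN_SG = {
    "GroupId": "sg-open",
    "GroupName": "balancer-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}

# Constructed sample 2: HTTP restricted to the CloudFront prefix list (the
# fix from the answer) plus an internal-only HTTPS rule for contrast.
RESTRICTED_SG = {
    "GroupId": "sg-restricted",
    "GroupName": "balancer-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": PLACEHOLDER_PL_ID}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if this permission entry includes `port` (protocol -1 = all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def classify_port(sg: dict, port: int, cloudfront_pl_id: str) -> str:
    """Classify how `port` on `sg` is reachable.

    "world"      - some matching rule allows 0.0.0.0/0 or ::/0
    "cloudfront" - every matching source is the CloudFront prefix list
    "other"      - reachable only from other specific sources
    "closed"     - no ingress rule matches the port
    """
    sources: List[Tuple[str, str]] = []
    for rule in sg.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        sources += [("cidr", r["CidrIp"]) for r in rule.get("IpRanges", [])]
        sources += [("cidr", r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
        sources += [("pl", r["PrefixListId"]) for r in rule.get("PrefixListIds", [])]
        sources += [("sg", r["GroupId"]) for r in rule.get("UserIdGroupPairs", [])]

    if not sources:
        return "closed"
    if any(kind == "cidr" and val in ("0.0.0.0/0", "::/0") for kind, val in sources):
        return "world"
    if all(kind == "pl" and val == cloudfront_pl_id for kind, val in sources):
        return "cloudfront"
    return "other"


def audit(sg: dict, cloudfront_pl_id: str, ports=(80, 443)) -> Dict[int, str]:
    """Return {port: classification} for the listener ports of interest."""
    return {p: classify_port(sg, p, cloudfront_pl_id) for p in ports}


if __name__ == "__main__":
    for group in (OPEN_SG, RESTRICTED_SG):
        print(group["GroupId"], audit(group, PLACEHOLDER_PL_ID))
```

To run this against a real account, feed it the `SecurityGroups` entries from `aws ec2 describe-security-groups --group-ids <sg-id> --output json` and pass the `PrefixListId` printed by the `describe-managed-prefix-lists` command in the answer. Any port that comes back as "world" still has the wide-open rule the question was trying to get rid of; note that a group mixing the prefix list with a 0.0.0.0/0 CIDR is reported as "world", since the broader rule wins.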
Hi, you are absolutely right. You shouldn't allow inbound traffic from anywhere to your containers as it would allow for possible malicious attacks. Your configuration seems correct. The only possible reason I see here is that probably the Load Balancer is not using the Security Group created for it. Could you share your configurations for ALB as well?