How to whitelist Cloudfront IPs in Load Balancer Security Group automatically

0

Hi All, Currently I am whitelisting CloudFront IPs by pulling the list of IPs shared by AWS at the URL (https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips) and adding all these IPs to the Security Group attached to the Load Balancer. This is a manual process. I came to know about the "Managed Prefix List", which I guess solves the same purpose, but the IP ranges are different from the JSON list at the URL shared by AWS below:

https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

The IPs in the "Managed Prefix List" are not the same as those in the above list. Which one is the correct list?

1 Answer
1

The Managed Prefix List is definitely the way to go. I know quite a few people who immediately deprecated their other processes when this was released. The previous Lambda-based solution at https://aws.amazon.com/blogs/security/automatically-update-security-groups-for-amazon-cloudfront-ip-ranges-using-aws-lambda/ now says to use the Managed Prefix List too.

As for why the lists are different, I noticed in https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html that there's different terminology used across the options. The Managed Prefix List contains "IP address ranges of all of CloudFront's globally distributed origin-facing servers", whereas https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips contains "IP address ranges that are associated with CloudFront edge servers". The first sounds like a better list to me.

EXPERT
answered a year ago
AWS
EXPERT
kentrad
reviewed a year ago
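To make the answer concrete, here is an added example (not code from the thread or from AWS) that looks up the CloudFront origin-facing managed prefix list by its AWS-published name, `com.amazonaws.global.cloudfront.origin-facing`, and idempotently adds a security group ingress rule that references the prefix list instead of hard-coded CIDRs. It also flags any `0.0.0.0/0` or `::/0` rule on the same port, since such a rule silently defeats the CloudFront-only restriction. The group id `sg-EXAMPLE`, port 443 and the `FakeEc2` client are assumptions for offline use; against a real account, pass `boto3.client("ec2")` in place of the fake.

```python
"""Restrict ALB ingress to CloudFront via the AWS-managed prefix list.

Example code, not from the re:Post thread. The prefix-list name is the one
AWS publishes; the group id, port and FakeEc2 client are constructed here.
"""

CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"


def lookup_prefix_list_id(ec2, name=CLOUDFRONT_PREFIX_LIST_NAME):
    """Return the pl-... id of the AWS-managed prefix list with this name."""
    resp = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [name]}]
    )
    lists = resp.get("PrefixLists", [])
    if len(lists) != 1:
        raise LookupError(f"expected one prefix list named {name!r}, got {len(lists)}")
    return lists[0]["PrefixListId"]


def build_ingress_permission(prefix_list_id, port, protocol="tcp"):
    """IpPermissions entry that references a prefix list rather than CIDR blocks."""
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [{
            "PrefixListId": prefix_list_id,
            "Description": "CloudFront origin-facing servers (AWS-managed list)",
        }],
    }


def rule_present(security_group, prefix_list_id, port, protocol="tcp"):
    """True if the group already has an ingress rule for this prefix list and port."""
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") != protocol:
            continue
        if perm.get("FromPort") != port or perm.get("ToPort") != port:
            continue
        if any(p.get("PrefixListId") == prefix_list_id for p in perm.get("PrefixListIds", [])):
            return True
    return False


def find_open_cidr_rules(security_group, port=443):
    """Return any-source CIDRs (0.0.0.0/0, ::/0) allowed on `port`.

    A rule like that bypasses the CloudFront-only intent, so a defender
    should treat a non-empty result as a misconfiguration to fix.
    """
    flagged = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("FromPort") != port or perm.get("ToPort") != port:
            continue
        flagged += [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        flagged += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return flagged


def ensure_cloudfront_ingress(ec2, group_id, port=443):
    """Idempotently add the prefix-list rule. Returns (prefix_list_id, added)."""
    pl_id = lookup_prefix_list_id(ec2)
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    if rule_present(sg, pl_id, port):
        return pl_id, False
    ec2.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=[build_ingress_permission(pl_id, port)]
    )
    return pl_id, True


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client, so the example runs offline.
    It answers the three calls used above with the same response shapes."""

    def __init__(self, existing_permissions):
        self.permissions = existing_permissions
        self.authorized = []  # records (GroupId, IpPermissions) calls

    def describe_managed_prefix_lists(self, Filters):
        name = Filters[0]["Values"][0]
        return {"PrefixLists": [{"PrefixListId": "pl-EXAMPLE0001", "PrefixListName": name}]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.permissions}]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.authorized.append((GroupId, IpPermissions))
        self.permissions = self.permissions + IpPermissions
        return {"Return": True}


if __name__ == "__main__":
    ec2 = FakeEc2([])  # swap for boto3.client("ec2") against a real account
    print(ensure_cloudfront_ingress(ec2, "sg-EXAMPLE"))   # first run adds the rule
    print(ensure_cloudfront_ingress(ec2, "sg-EXAMPLE"))   # second run is a no-op
```

Two practical notes: the managed prefix list is maintained by AWS, so the security group follows CloudFront's range changes without a Lambda or cron job, which is exactly why the answer recommends it; and a managed prefix list counts against the security group's rule quota as more than one entry, so check the quota before adding it to a group that already carries many rules.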
