DEV Community

Kasper Sanguesa-Franz

How to only allow CloudFront traffic to your ALB

Introduction

Last year we migrated a part of our website from one CDN provider to AWS CloudFront. One of the first questions that came up when reviewing the migration was how to add all of the constantly changing IP ranges for CloudFront. CloudFront has over 150 IP ranges, while our existing CDN provider only had around 20, which rarely changed. This was manageable to keep up to date in our CloudFormation templates.

Pre-2022 Solution

The solution suggested by AWS in mid-2021 was to trigger a Lambda function from an SNS topic.
The Lambda function would then download ip-ranges.json and update a security group with the CloudFront IP ranges.

This solution still works and allows us to migrate to CloudFront without giving public access to our Application Load Balancer.
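
The filtering and diffing step such a Lambda function performs, as an added example (not AWS's function and not code from this post). The function names are assumptions, and the input is a trimmed, constructed file in the ip-ranges.json layout:

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (fields trimmed); the CIDRs
# are documentation ranges (RFC 5737), not real CloudFront addresses.
SAMPLE = json.loads("""{
  "syncToken": "0", "createDate": "2021-06-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "EC2"}
  ],
  "ipv6_prefixes": []
}""")


def cloudfront_cidrs(ip_ranges):
    """Return validated, de-duplicated IPv4 CIDRs whose service is CLOUDFRONT."""
    cidrs = {
        str(ipaddress.ip_network(p["ip_prefix"]))  # raises on a malformed CIDR
        for p in ip_ranges.get("prefixes", [])
        if p.get("service") == "CLOUDFRONT"
    }
    if not cidrs:
        # An empty list would make the diff revoke every rule; stop instead.
        raise ValueError("no CLOUDFRONT prefixes found; refusing to plan an update")
    return sorted(cidrs, key=ipaddress.ip_network)


def plan_update(current_cidrs, ip_ranges):
    """Diff the security group's current CIDRs against the published list."""
    wanted = set(cloudfront_cidrs(ip_ranges))
    current = set(current_cidrs)
    return {"authorize": sorted(wanted - current),
            "revoke": sorted(current - wanted)}


def to_permissions(cidrs, port=443):
    """Shape CIDRs as the IpPermissions list that boto3's
    authorize_security_group_ingress accepts (port 443, as in this post)."""
    if not cidrs:
        return []
    ranges = [{"CidrIp": c, "Description": "HTTPS from CloudFront"} for c in cidrs]
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": ranges}]
```

The revoke list matters as much as the authorize list: ranges that leave the published file should stop being allowed to reach the load balancer.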

2022 Solution

AWS already had managed prefix lists for S3 and DynamoDB, so when they announced the AWS-managed prefix list for Amazon CloudFront, I knew it would be an easy way to simplify our ALB.

You add the prefix list like you would add any other CIDR block range in your security group.
[Image: Security Group - Prefix list]

The prefix list ID is unique for each region - for Ireland, the prefix list ID is pl-4fa04526.

If, like us, you are using CloudFormation, you can use the new CloudFront prefix list in your template files.

CloudFormation template

I have created a sample CloudFormation template below.

Description: Security Group with access from CloudFront

Mappings:
  region:
    'us-east-1':
      PrefixListCloudFront: 'pl-3b927c52'
    'us-east-2':
      PrefixListCloudFront: 'pl-b6a144df'
    'us-west-1':
      PrefixListCloudFront: 'pl-4ea04527'
    'us-west-2':
      PrefixListCloudFront: 'pl-82a045eb'
    'af-south-1':
      PrefixListCloudFront: 'pl-c0aa4fa9'
    'ap-east-1':
      PrefixListCloudFront: 'pl-14b2577d'
    'ap-south-1':
      PrefixListCloudFront: 'pl-9aa247f3'
    'ap-northeast-2':
      PrefixListCloudFront: 'pl-22a6434b'
    'ap-southeast-1':
      PrefixListCloudFront: 'pl-31a34658'
    'ap-southeast-2':
      PrefixListCloudFront: 'pl-b8a742d1'
    'ap-northeast-1':
      PrefixListCloudFront: 'pl-58a04531'
    'ca-central-1':
      PrefixListCloudFront: 'pl-38a64351'
    'eu-central-1':
      PrefixListCloudFront: 'pl-a3a144ca'
    'eu-west-1':
      PrefixListCloudFront: 'pl-4fa04526'
    'eu-west-2':
      PrefixListCloudFront: 'pl-93a247fa'
    'eu-south-1':
      PrefixListCloudFront: 'pl-1bbc5972'
    'eu-west-3':
      PrefixListCloudFront: 'pl-75b1541c'
    'eu-north-1':
      PrefixListCloudFront: 'pl-fab65393'
    'me-south-1':
      PrefixListCloudFront: 'pl-17b2577e'
    'sa-east-1':
      PrefixListCloudFront: 'pl-5da64334'
Resources:
  LoadBalancerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "lb-sg"
      GroupDescription: "Load balancer"
      VpcId: "vpc-088e128e80fe96e6e"
      Tags:
        - Key: Name
          Value: Load Balancer SG
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        SourcePrefixListId: !FindInMap [region, !Ref 'AWS::Region', PrefixListCloudFront]
        Description: HTTPS from CloudFront