Introduction
Last year we migrated part of our website from another CDN provider to AWS CloudFront. One of the first questions that came up when reviewing the migration was how to keep up with all of CloudFront's constantly changing IP ranges. CloudFront has over 150 IP ranges, while our previous CDN provider only had around 20, which rarely changed, so keeping them up to date in our CloudFormation templates was manageable.
Pre-2022 Solution
The solution AWS suggested in mid-2021 was to trigger a Lambda function from an SNS topic.
The Lambda function would then download ip-ranges.json and update a security group with the CloudFront IP ranges.
This solution still works and allows us to migrate to CloudFront without giving public access to our Application Load Balancer.
2022 Solution
AWS already had managed prefix lists for S3 and DynamoDB, so when they announced the AWS-managed prefix list for Amazon CloudFront I knew it would be an easy way to simplify our ALB setup.
You add the prefix list to your security group just as you would add any other CIDR block range.
The prefix list ID differs per region; for Ireland (eu-west-1), the prefix list ID is pl-4fa04526.
If, like us, you are using CloudFormation, you can use the new CloudFront prefix list in your template files.
CloudFormation template
I have created a sample CloudFormation template below.
```yaml
Description: Security Group with access from CloudFront
Mappings:
  region:
    'us-east-1':
      PrefixListCloudFront: 'pl-3b927c52'
    'us-east-2':
      PrefixListCloudFront: 'pl-b6a144df'
    'us-west-1':
      PrefixListCloudFront: 'pl-4ea04527'
    'us-west-2':
      PrefixListCloudFront: 'pl-82a045eb'
    'af-south-1':
      PrefixListCloudFront: 'pl-c0aa4fa9'
    'ap-east-1':
      PrefixListCloudFront: 'pl-14b2577d'
    'ap-south-1':
      PrefixListCloudFront: 'pl-9aa247f3'
    'ap-northeast-2':
      PrefixListCloudFront: 'pl-22a6434b'
    'ap-southeast-1':
      PrefixListCloudFront: 'pl-31a34658'
    'ap-southeast-2':
      PrefixListCloudFront: 'pl-b8a742d1'
    'ap-northeast-1':
      PrefixListCloudFront: 'pl-58a04531'
    'ca-central-1':
      PrefixListCloudFront: 'pl-38a64351'
    'eu-central-1':
      PrefixListCloudFront: 'pl-a3a144ca'
    'eu-west-1':
      PrefixListCloudFront: 'pl-4fa04526'
    'eu-west-2':
      PrefixListCloudFront: 'pl-93a247fa'
    'eu-south-1':
      PrefixListCloudFront: 'pl-1bbc5972'
    'eu-west-3':
      PrefixListCloudFront: 'pl-75b1541c'
    'eu-north-1':
      PrefixListCloudFront: 'pl-fab65393'
    'me-south-1':
      PrefixListCloudFront: 'pl-17b2577e'
    'sa-east-1':
      PrefixListCloudFront: 'pl-5da64334'
Resources:
  LoadBalancerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "lb-sg"
      GroupDescription: "Load balancer"
      VpcId: "vpc-088e128e80fe96e6e"
      Tags:
        - Key: Name
          Value: Load Balancer SG
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourcePrefixListId: !FindInMap [region, !Ref 'AWS::Region', PrefixListCloudFront]
          Description: HTTPS from CloudFront
```
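The point of the template above is that the only way to reach the load balancer on 443 is through CloudFront. The script below is an added example, not code from the original post, showing how to check that a deployed security group actually matches that intent and how to look up the per-region prefix list ID instead of hard-coding it in Mappings. The audit logic works on plain dicts shaped like the EC2 DescribeSecurityGroups and DescribeManagedPrefixLists responses, so it runs offline on the constructed sample data included in the block; only the optional live lookup assumes boto3 is installed and AWS credentials are configured. The prefix list name com.amazonaws.global.cloudfront.origin-facing is the real name AWS uses; the "office-egress" list and the account ID in the sample data are made up.

```python
"""Audit a load-balancer security group for the CloudFront prefix-list pattern.

Added example, not code from the original post. Audit functions take dicts shaped
like EC2 DescribeSecurityGroups / DescribeManagedPrefixLists responses, so they run
offline on the constructed samples below; the live lookup assumes boto3 + credentials.
"""
from typing import Dict, List, Optional

# Name AWS gives the managed, origin-facing CloudFront prefix list in every region.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def find_cloudfront_prefix_list_id(response: Dict) -> Optional[str]:
    """Pick the CloudFront prefix list ID out of a DescribeManagedPrefixLists response."""
    for pl in response.get("PrefixLists", []):
        if pl.get("PrefixListName") == CLOUDFRONT_PREFIX_LIST_NAME:
            return pl["PrefixListId"]
    return None


def lookup_cloudfront_prefix_list_id(region: str) -> Optional[str]:
    """Live lookup of the per-region ID (the value the template hard-codes in Mappings)."""
    import boto3  # imported lazily so the offline audit needs no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}]
    )
    return find_cloudfront_prefix_list_id(resp)


def _covers_https(perm: Dict) -> bool:
    """True if an IpPermissions entry admits TCP/443 (protocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)


def _cidr_finding(cidr: str) -> str:
    if cidr in PUBLIC_CIDRS:
        return f"443 open to the world via {cidr}: clients can bypass CloudFront and hit the ALB directly"
    return f"443 allowed from CIDR {cidr} instead of the CloudFront prefix list"


def audit_https_ingress(security_group: Dict, cloudfront_pl_id: str) -> List[str]:
    """Return one finding per HTTPS ingress source other than the CloudFront prefix list,
    plus a finding if no 443 rule references that list at all (CloudFront could not reach the ALB)."""
    findings: List[str] = []
    references_cloudfront = False
    for perm in security_group.get("IpPermissions", []):
        if not _covers_https(perm):
            continue
        for r in perm.get("IpRanges", []):
            findings.append(_cidr_finding(r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            findings.append(_cidr_finding(r["CidrIpv6"]))
        for pl in perm.get("PrefixListIds", []):
            if pl["PrefixListId"] == cloudfront_pl_id:
                references_cloudfront = True
            else:
                findings.append(f"443 allowed from prefix list {pl['PrefixListId']}, not {cloudfront_pl_id}")
    if not references_cloudfront:
        findings.append(f"no 443 rule references the CloudFront prefix list {cloudfront_pl_id}")
    return findings


# Constructed sample data (not captured from a real account). The CloudFront ID is the
# eu-west-1 value from the template; the second list is a made-up customer-managed one.
SAMPLE_PREFIX_LISTS = {"PrefixLists": [
    {"PrefixListId": "pl-4fa04526", "PrefixListName": CLOUDFRONT_PREFIX_LIST_NAME, "OwnerId": "AWS"},
    {"PrefixListId": "pl-0123456789abcdef0", "PrefixListName": "office-egress", "OwnerId": "123456789012"},
]}

# What the template's lb-sg looks like once deployed: 443 only from the CloudFront list.
GOOD_SG = {"GroupName": "lb-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [],
     "PrefixListIds": [{"PrefixListId": "pl-4fa04526", "Description": "HTTPS from CloudFront"}]},
]}

# The pre-migration anti-pattern: the ALB answers 443 from anywhere on the Internet.
BAD_SG = {"GroupName": "lb-sg-legacy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "PrefixListIds": []},
]}

if __name__ == "__main__":
    pl_id = find_cloudfront_prefix_list_id(SAMPLE_PREFIX_LISTS)
    for sg in (GOOD_SG, BAD_SG):
        print(sg["GroupName"], audit_https_ingress(sg, pl_id) or ["OK: 443 only from CloudFront"])
```

Run as-is it audits the two constructed groups and prints an empty finding list for lb-sg and three findings for the legacy group. Against a real account, feed `audit_https_ingress` the entries from `describe_security_groups()["SecurityGroups"]` together with the ID from `lookup_cloudfront_prefix_list_id(region)`; a clean result means the ALB is reachable on 443 only from CloudFront's origin-facing ranges, which is exactly what the template is meant to guarantee.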