How do I restrict direct traffic to an Application Load Balancer and allow traffic through only CloudFront?
I want to restrict direct access to an Application Load Balancer and allow access through only Amazon CloudFront.
Short description
To restrict direct traffic to an Application Load Balancer and allow access only through CloudFront, use one or both of the following solutions:
- AWS WAF: CloudFront adds a secret custom header to the requests that it forwards to the origin, and a web ACL on the Application Load Balancer blocks requests that don't carry that header value.
- Security groups: the security group of the Application Load Balancer allows inbound traffic only from the CloudFront managed prefix list.
Note: It's a best practice to combine the two solutions. The prefix list alone allows traffic from any CloudFront distribution, including distributions in other AWS accounts that point at your load balancer's DNS name. The secret header alone still lets direct requests reach the load balancer before AWS WAF blocks them.
Resolution
AWS WAF
To use AWS WAF to restrict direct traffic to an Application Load Balancer and allow traffic through only CloudFront, do the following:
- Configure CloudFront to add a custom HTTP header with a secret value in the requests that CloudFront sends to the Application Load Balancer.
- Create a rule in the AWS WAF web access control list (web ACL) associated with the Application Load Balancer. Use this rule to block requests that don't contain the custom HTTP header secret value.
Configure CloudFront to add a custom HTTP header
Complete the following:
- Open the Amazon CloudFront console.
- From the navigation pane, choose Distributions.
- Select your distribution ID.
- Choose Origins.
- Select your Application Load Balancer, and then choose Edit.
Note: If your Application Load Balancer isn't an origin, then update your distribution and set the Application Load Balancer as an origin.
- For Add custom header, enter the Header name and Value.
Important: The Header name and Value act as secure credentials, such as a username and password. Copy these values to a text file to use later in this procedure.
- Choose Save changes.
Create a rule in your web ACL to block requests without the header
Complete the following:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the AWS Region where your Application Load Balancer is located.
Note: If you already have an existing web ACL associated to your Application Load Balancer, then skip ahead to the step Select the web ACL associated to your Application Load Balancer.
- Choose Create web ACL, and then enter a Name.
- For Associated AWS resources, select your Application Load Balancer, and then choose Next.
- For Default web ACL action for requests that don't match any rules, choose Allow, and then choose Next.
- For Request sampling options, choose Enable sampled requests, and then choose Next.
- Choose Create web ACL.
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, select the Region where your Application Load Balancer is located.
- Select the web ACL associated to your Application Load Balancer.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- For Name, enter your rule name.
- For Type, choose Regular Rule.
- For If a request, choose doesn't match the statement (NOT).
- Configure the following settings under Statement 1:
For Inspect, choose Single Header.
For Header field name, enter the Header name that you created in CloudFront.
For Match type, choose Exactly matches string.
For String to match, enter the Value that you created in CloudFront.
For Text transformation, choose None.
- For Action, choose Block.
- Choose Save rule.
- For Set rule priority, if the web ACL has multiple rules, then move this rule to the top so that AWS WAF evaluates it first (the lowest priority number is evaluated first). If another rule allows a request earlier in the order, then that request bypasses this check.
- Choose Save.
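The following is an added example, not code from the original article or from AWS, that builds the same configuration the console steps above produce and checks it locally: a random secret for the custom header, the CloudFront origin CustomHeaders fragment, the wafv2 rule (NOT SingleHeader exactly matches the value, no text transformation, action Block), and a local simulation that shows which requests the rule blocks. The header name X-Origin-Verify, the rule name and the request headers are constructed for this example; the rule document is written for `aws wafv2 create-web-acl --rules file://rules.json`, where AWS CLI v2 expects the SearchString blob as base64 in JSON input.

```python
import base64
import hmac
import json
import secrets

# Hypothetical header name for this example. Any name works as long as CloudFront
# and the AWS WAF rule agree on it.
HEADER_NAME = "X-Origin-Verify"


def generate_secret(nbytes: int = 32) -> str:
    """Random, URL-safe value for the custom header. Treat it like a password."""
    return secrets.token_urlsafe(nbytes)


def cloudfront_origin_custom_header(secret: str) -> dict:
    """CustomHeaders fragment for the ALB origin in a CloudFront distribution config
    (the setting that the console's "Add custom header" field writes)."""
    return {"Quantity": 1, "Items": [{"HeaderName": HEADER_NAME, "HeaderValue": secret}]}


def waf_rule_block_without_header(secret: str, priority: int = 0) -> dict:
    """wafv2 Rule: NOT(SingleHeader exactly matches the secret, no transformation) -> Block.
    Priority 0 places it first in the web ACL."""
    return {
        "Name": "BlockRequestsWithoutCloudFrontSecret",
        "Priority": priority,
        "Statement": {
            "NotStatement": {
                "Statement": {
                    "ByteMatchStatement": {
                        # HTTP header names are case-insensitive; keep the name lowercase.
                        "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME.lower()}},
                        "PositionalConstraint": "EXACTLY",
                        # AWS CLI v2 takes blob fields as base64 in JSON input.
                        "SearchString": base64.b64encode(secret.encode()).decode(),
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                }
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockRequestsWithoutCloudFrontSecret",
        },
    }


def evaluate(rule: dict, request_headers: dict) -> str:
    """Local simulation of the rule above (not AWS WAF itself). Returns the action the
    web ACL takes for a request with these headers: "BLOCK", or "ALLOW" (the default
    action chosen in the procedure)."""
    match = rule["Statement"]["NotStatement"]["Statement"]["ByteMatchStatement"]
    name = match["FieldToMatch"]["SingleHeader"]["Name"]
    expected = base64.b64decode(match["SearchString"])
    headers = {k.lower(): v for k, v in request_headers.items()}
    actual = headers.get(name, "").encode()
    # compare_digest keeps the comparison constant-time, which matters if the same
    # check is reused inside the application behind the load balancer.
    return "ALLOW" if hmac.compare_digest(actual, expected) else "BLOCK"


if __name__ == "__main__":
    secret = generate_secret()
    rule = waf_rule_block_without_header(secret)
    print(json.dumps([rule], indent=2))  # contents for rules.json
    # Constructed requests: a direct hit, a guessed value, and a CloudFront-forwarded request.
    print(evaluate(rule, {"Host": "app.example.com"}))                             # BLOCK
    print(evaluate(rule, {"X-Origin-Verify": "guess"}))                            # BLOCK
    print(evaluate(rule, {"x-origin-verify": secret, "Host": "app.example.com"}))  # ALLOW
```

Run the script once, store the printed secret where you keep other credentials, paste the same value into the CloudFront origin's custom header, and create the web ACL from the printed rules.json. Rotating the secret means updating the CloudFront origin first, then the rule, because requests with the old value are blocked as soon as the rule changes.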
Security groups
You can use security groups to restrict direct traffic to an Application Load Balancer and allow traffic through only CloudFront. To do this, use the AWS managed prefix list for CloudFront origin-facing IP addresses (com.amazonaws.global.cloudfront.origin-facing) as the only inbound source in the security group that's associated with the Application Load Balancer.
To update an existing security group, follow the steps in Update the associated security groups. To associate your Application Load Balancer with a security group, complete the following:
- Open the Amazon EC2 console.
- Select Load balancers, and then select the Application Load Balancer that you want to restrict direct access to.
- Choose Security.
- Select the security group that you want to associate with your Application Load Balancer.
- To modify the inbound rules, select Edit inbound rules, and then update the configurations to your use case.
Note: If you have a rule that allows 0.0.0.0/0, then you must add a new rule before you delete the existing rule.
- For Type, choose the protocol of each listener (for example, HTTPS), and then for Source choose Custom.
- In the Source search field, search for CloudFront and then select the AWS managed prefix list com.amazonaws.global.cloudfront.origin-facing.
- Choose Save.
To configure more restrictive settings, it's a best practice to allow only the listener ports that your Application Load Balancer uses (for example, TCP 443), and not a port range or all traffic.
Note: A rule that references a prefix list counts against the security group rule quota with the weight of that list. The CloudFront managed prefix list has a weight of 55, and the default quota is 60 inbound rules per security group, so under the default settings you can add the CloudFront managed prefix list only once per security group. To add another rule with CloudFront as the source in the same security group (for example, one rule for port 80 and one for port 443), request a quota increase. Or, use two security groups that both reference the CloudFront managed prefix list.
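The following is an added example, not code from the original article or from AWS, for the security group part of the procedure. It builds the inbound rules for `aws ec2 authorize-security-group-ingress --ip-permissions` with the CloudFront managed prefix list as the only source, audits an existing security group (in the shape that `aws ec2 describe-security-groups` returns under IpPermissions) for any other inbound source such as 0.0.0.0/0, and checks the rule weight against the default quota from the note above. The prefix list ID pl-0123456789abcdef0 and the sample security group are constructed for this example; the real ID differs per Region.

```python
import json

# Weight that the CloudFront origin-facing managed prefix list
# (com.amazonaws.global.cloudfront.origin-facing) counts against the security group quota.
CLOUDFRONT_PREFIX_LIST_WEIGHT = 55
# Default quota for inbound (and, separately, outbound) rules per security group.
DEFAULT_RULES_PER_SECURITY_GROUP = 60

# Hypothetical ID for this example. Look up the real one in your Region with:
#   aws ec2 describe-managed-prefix-lists \
#     --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing
CLOUDFRONT_PREFIX_LIST_ID = "pl-0123456789abcdef0"


def cloudfront_only_ingress(prefix_list_id: str, ports=(443,)) -> list:
    """IpPermissions for `aws ec2 authorize-security-group-ingress --ip-permissions`:
    one TCP rule per listener port, sourced only from the CloudFront prefix list."""
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "CloudFront only"}],
        }
        for port in ports
    ]


def rule_weight(permissions: list, prefix_list_weights: dict) -> int:
    """Quota weight of a set of IpPermissions: each CIDR or security group source counts 1,
    each prefix list source counts the entry count of that list (55 for CloudFront)."""
    total = 0
    for perm in permissions:
        total += len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
        total += len(perm.get("UserIdGroupPairs", []))
        for pl in perm.get("PrefixListIds", []):
            total += prefix_list_weights[pl["PrefixListId"]]
    return total


def fits_default_quota(permissions: list, prefix_list_weights: dict) -> bool:
    """True if the rules fit in one security group without a quota increase."""
    return rule_weight(permissions, prefix_list_weights) <= DEFAULT_RULES_PER_SECURITY_GROUP


def audit_ingress(permissions: list, prefix_list_id: str) -> list:
    """One finding per inbound source that is not the CloudFront prefix list."""
    findings = []
    for perm in permissions:
        ports = f"{perm.get('IpProtocol')} {perm.get('FromPort')}-{perm.get('ToPort')}"
        for r in perm.get("IpRanges", []):
            findings.append(f"{ports} open to {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{ports} open to {r['CidrIpv6']}")
        for r in perm.get("UserIdGroupPairs", []):
            findings.append(f"{ports} open to security group {r['GroupId']}")
        for r in perm.get("PrefixListIds", []):
            if r["PrefixListId"] != prefix_list_id:
                findings.append(f"{ports} open to prefix list {r['PrefixListId']}")
    return findings


# Constructed sample: the state after the CloudFront rule is added but before the
# 0.0.0.0/0 rule is deleted (the note in the procedure requires that order).
SAMPLE_INGRESS = [
    {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
        "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST_ID}],
    },
]
WEIGHTS = {CLOUDFRONT_PREFIX_LIST_ID: CLOUDFRONT_PREFIX_LIST_WEIGHT}

if __name__ == "__main__":
    print(json.dumps(cloudfront_only_ingress(CLOUDFRONT_PREFIX_LIST_ID)))
    for finding in audit_ingress(SAMPLE_INGRESS, CLOUDFRONT_PREFIX_LIST_ID):
        print("FINDING:", finding)
    # Two CloudFront rules (80 and 443) in one group weigh 110, more than the default 60.
    both = cloudfront_only_ingress(CLOUDFRONT_PREFIX_LIST_ID, ports=(80, 443))
    print(rule_weight(both, WEIGHTS), fits_default_quota(both, WEIGHTS))
```

Feed the audit function the IpPermissions of the load balancer's security group after the change; an empty list of findings means the only inbound source is the CloudFront prefix list. If the weight check fails for the ports you need, request the quota increase or split the rules across two security groups as the note describes.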