Whitelist AWS CloudFront IPs on the Load Balancers

AWS maintains a list of the IP addresses used by CloudFront edge locations worldwide. We need to allow these IP addresses in the security group of the load balancer that is configured as the origin of a CloudFront distribution. This ensures that only traffic coming through the CloudFront distribution is allowed in to the load balancer.

When AWS updates the list of maintained IP addresses, the security group needs to be updated as well. Otherwise, traffic from the new CloudFront edge IPs will fail to reach the load balancer. AWS provides a hacky solution that updates the security group rules using a Lambda function; details are in this blog. However, there are challenges associated with this approach, which led companies to allow all traffic (0.0.0.0/0) from all locations in the security group.

Recently, AWS released a managed prefix list for CloudFront. Link to the article. We can whitelist the prefix list in the load balancer security group and restrict access to the CloudFront edge locations.

Let us whitelist the CloudFront managed prefix list in the load balancer security group. I will show you how to do it via Terraform and from the AWS console.

Whitelisting via Terraform

The following example creates a security group (lb-sg-id) and adds an ingress rule that references the CloudFront managed prefix list. Later, the security group is attached to the load balancer.

data "aws_ec2_managed_prefix_list" "cdn-ips" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "lb-sg-id" {
  name   = "lb-sg-id"
  vpc_id = aws_vpc.prod-vpc.id
}

resource "aws_security_group_rule" "ingress-cdn-ips" {
  description       = "CloudFront IPs"
  security_group_id = aws_security_group.lb-sg-id.id
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cdn-ips.id]
}
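Once the rule is in place, it is worth checking that the load balancer security group really only admits origin traffic from the prefix list, because a leftover 0.0.0.0/0 rule or a second source on the origin port silently bypasses CloudFront. The following audit script is an added example and is not part of the original post: it reads the JSON shape returned by `aws ec2 describe-security-group-rules` (the sample rules and the prefix list ID pl-EXAMPLE are constructed for this example, not taken from a real account) and flags any ingress rule that is open to the world or that reaches the load balancer port from a source other than the expected prefix list.

```python
import json

# Constructed sample in the shape of
# `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>`.
# All IDs and values are made up for this example.
SAMPLE_RULES_JSON = """
{
  "SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0aaa", "GroupId": "sg-0lb", "IsEgress": false,
     "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "PrefixListId": "pl-EXAMPLE", "Description": "CloudFront IPs"},
    {"SecurityGroupRuleId": "sgr-0bbb", "GroupId": "sg-0lb", "IsEgress": false,
     "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "CidrIpv4": "0.0.0.0/0", "Description": "legacy allow-all"},
    {"SecurityGroupRuleId": "sgr-0ccc", "GroupId": "sg-0lb", "IsEgress": false,
     "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "CidrIpv4": "10.0.0.0/8", "Description": "direct access for testing"},
    {"SecurityGroupRuleId": "sgr-0ddd", "GroupId": "sg-0lb", "IsEgress": true,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"}
  ]
}
"""

# CIDRs that mean "anyone on the internet".
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def load_rules(text):
    """Parse describe-security-group-rules output into a list of rule dicts."""
    return json.loads(text)["SecurityGroupRules"]


def port_range_covers(rule, port):
    """True if the rule's protocol/port range admits TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def audit_lb_ingress(rules, lb_port, expected_prefix_list_id):
    """Classify the ingress rules of a load balancer security group.

    Returns a dict with:
      cloudfront_rule_present: a rule sourcing lb_port from expected_prefix_list_id exists
      findings: list of (rule_id, kind) where kind is
                "open-to-world"       - source is 0.0.0.0/0 or ::/0
                "bypasses-cloudfront" - reaches lb_port from a non-prefix-list source
    """
    findings = []
    cloudfront_rule_present = False
    for rule in rules:
        if rule.get("IsEgress"):
            continue  # only inbound rules matter for origin access
        rule_id = rule.get("SecurityGroupRuleId", "?")
        cidrs = {rule.get("CidrIpv4"), rule.get("CidrIpv6")} - {None}
        if cidrs & OPEN_CIDRS:
            findings.append((rule_id, "open-to-world"))
            continue
        if not port_range_covers(rule, lb_port):
            continue  # unrelated port, not an origin-bypass concern here
        if rule.get("PrefixListId") == expected_prefix_list_id:
            cloudfront_rule_present = True
        else:
            findings.append((rule_id, "bypasses-cloudfront"))
    return {"cloudfront_rule_present": cloudfront_rule_present,
            "findings": findings}


if __name__ == "__main__":
    report = audit_lb_ingress(load_rules(SAMPLE_RULES_JSON), 443, "pl-EXAMPLE")
    print("CloudFront prefix-list rule present:", report["cloudfront_rule_present"])
    for rule_id, kind in report["findings"]:
        print(f"{rule_id}: {kind}")
```

In a real account, pipe the output of `aws ec2 describe-security-group-rules` for the load balancer's security group into `load_rules`, and take the expected prefix list ID from `aws ec2 describe-managed-prefix-lists` filtered on the name com.amazonaws.global.cloudfront.origin-facing, since the ID differs per region.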

Output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.lb-sg-id will be created
  + resource "aws_security_group" "lb-sg-id" {
      + arn                    = (known after apply)
      + description            = "Managed by Terraform"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "lb-sg-id"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = (known after apply)
      + vpc_id                 = "vpc-063ac1eb838452476"
    }

  # aws_security_group_rule.lb_ingress_cloudfront will be created
  + resource "aws_security_group_rule" "ingress-cdn-ips" {
      + description              = "HTTPS from CloudFront"
      + from_port                = 443
      + id                       = (known after apply)
      + prefix_list_ids          = [
          + "pl-9aa247f3",
        ]
      + protocol                 = "tcp"
      + security_group_id        = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 443
      + type                     = "ingress"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Whitelisting via AWS Console

Follow the steps given below:

  • Log in to the AWS console. Navigate to the VPC section.
  • Select "Managed prefix lists".
  • Copy the prefix list ID with the name com.amazonaws.global.cloudfront.origin-facing.
  • Go to the EC2 console, then Security Groups. Select the security group ID.
  • Select Inbound rules, then Edit inbound rules, then Add rule. Enter the load balancer port and paste the managed prefix list ID copied in step 3 into the Source field.

Now, the load balancer will be reachable from the CloudFront distribution IPs only.
