
I have successfully blocked an IP in WAF, which is configured to work with CloudFront.

Is there a way to block an IP address before it reaches CloudFront? It wouldn't seem possible, as I tried blocking it in an ACL, which prevents access to my servers, but since CloudFront and WAF are in front to handle all requests I seem stuck.

I am trying to save money on my bill, as this counts against total requests.

Is there any way?

Chris Muench

1 Answer


There is no way to block a request "before" it arrives at CloudFront, since there isn't anything before CloudFront in the chain.

This is true even when you use WAF "in front." WAF is an adjunct platform -- unlike a "firewall" as you might typically imagine one, WAF isn't actually in front of CloudFront, and traffic doesn't actually pass through it. Instead, when CloudFront receives each new request, it forwards a copy of the first ~16kB of headers and body plus some metadata to WAF, which analyzes it and returns an allow/deny decision based on your rules. CloudFront then enforces the decision of WAF by continuing to process the request or by immediately denying it.

Michael - sqlbot