AWS Restrict access from cloudfront to load balancer

Question

I'm using Cloudfront with load balancing and ec2 instances.

In AWS, my load balancer accepts traffic from all http connections. It is possible to restrict that to accept only http connections from my Cloudfront distributions ? And how can I do that ?

Thanks.

ELB incoming traffic cannot be restricted unless they are inside VPC — Rakesh Bollampally, Oct 24 '14 at 15:03

score 2 · Answer 1 · answered Feb 07 '20 at 04:43

2

There is now a solution for this. There is now a lambda that listens for IP updates from amazon and will update your security groups with the cloudfront IPs.

Lambda to update Security Groups with Cloudfront IPs

answered Feb 07 '20 at 04:43

WaltDe

1,715
8
17

score 1 · Accepted Answer · answered Oct 22 '14 at 12:54

AFAIK, you can't do this at layer 3 as an ELB will allow access from anywhere (0.0.0.0/0).

If you're running Apache and can find a specific header that cloudfront uses/sets then you could do this at layer 7 using mod_headers.

According to http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html cloudfront will set the Header Via to 1.1 alphanumeric-string.cloudfront.net, so you could match this in your virtualhost by doing something like:

SetEnvIf Via "^1\.1\ [a-z0-9]+\.cloudfront\.net$ VIA_CLOUDFRONT
<LocationMatch /origin/>
    Options -Indexes
    Order deny,allow
    Deny from all

    # allow from cloudfront only
    Allow from env=VIA_CLOUDFRONT
</LocationMatch>

AWS Restrict access from cloudfront to load balancer

2 Answers2

Linked