
We have a static site to be exposed via AWS CloudFront. However, we want to restrict access to anyone who is on the VPC only. How can we achieve this?

We did some research, but the only viable solution we saw was putting a WAF in front of CloudFront. But is this the correct way to achieve this?

Signed URLs are not an option for us; we need the site to work as a normal website for the users.


We have users in different parts of the world who connect to the same VPC. But the real reason for this is a bit complicated. It's not a simple set of static files; some company policies, etc., are in play.

We have a lot of VPC peering connections and transit gateways, which are handled by an external team, and we have very little visibility. Thus a WAF with IP range limiting is hard or impossible to implement.

  • _Why_ do you wish to do this? The benefit of Amazon CloudFront is that it caches content closer to users. Only accessing a CloudFront distribution from one location defeats the purpose of using CloudFront. – John Rotenstein Feb 08 '20 at 05:23
  • We have users in different parts of the world who connect to the same VPC. But the real reason for this is a bit complicated. It's not a simple set of static files and some company policies etc. Let's say we are stuck with CloudFront. – Milindu Sanoj Kumarage Feb 08 '20 at 05:34
  • Please let me know if you feel your situation is different to the suggested duplicate answer. You would restrict by using a WAF with IP addresses. This would be made easier if all traffic exits the VPC via a NAT Gateway, which can provide a single IP address to whitelist. – John Rotenstein Feb 08 '20 at 05:41
  • @JohnRotenstein Can we restrict access to a CloudFront distribution to anyone who is in the VPC with WAF? But the CloudFront default domain they provide, foobardfvfvsdfv.cloudfront.net, is still accessible to anyone, isn't it? I'm not familiar with WAF; is adding an additional service, WAF, in front the correct way of doing this, as I mentioned in the question also? – Milindu Sanoj Kumarage Feb 08 '20 at 06:11
  • @JohnRotenstein also note, we have a lot of VPC peering connections and transit gateways, which are handled by an external team, and we have very little visibility. – Milindu Sanoj Kumarage Feb 08 '20 at 06:15
  • The only way to restrict access to CloudFront is geo-restriction (eg countries, regions), or linking a WAF to the CloudFront distribution. The WAF will need IP addresses for the restriction, not just "coming from a VPC". (You can also restrict access based on signed URLs/cookies, but that would require changes to the calling application.) – John Rotenstein Feb 08 '20 at 11:19
  • Hope you can see my need is different from the duplicated question. Can you please unmark this as a duplicate? Let's see if anyone has a workaround to achieve this. Thanks for the clarification. But signed URLs are also not a solution for me, as I mentioned in the question. Also, the CloudFront default domain they provide, foobardfvfvsdfv.cloudfront.net, is still accessible to anyone, isn't it? Can you convert your comment to an answer? We can discuss it there. – Milindu Sanoj Kumarage Feb 08 '20 at 11:37
  • I have reopened the question, but I suggest you add LOTS of details into your question to explain your exact situation. You really have not provided much information **in the question** so far. – John Rotenstein Feb 08 '20 at 12:04
  • I didn't want to add too much unwanted data into the question. I thought "coming from a VPC" would make people realize that limiting by IP is not what I want. But I added this info to the question anyway. Also, can you add your comments as an answer? I have some more questions to ask. – Milindu Sanoj Kumarage Feb 08 '20 at 12:19
  • "I thought "coming from a VPC" will make people realize, limiting by IP is not what I want." But all traffic exiting your VPC should be coming from the Elastic IPs assigned to the VPC's NAT Gateways. So that gives you a very easy way to restrict all traffic to the VPC. How else would you propose to restrict access to something on the public Internet from "only the VPC"? – Mark B Feb 08 '20 at 14:09
  • And going back to John's original comment, your users may be connecting from all over the world, but they are all connecting THROUGH the VPC, so at that point they are all accessing CloudFront from a single location (the AWS region where the VPC resides), so you are definitely defeating the entire point of using CloudFront. – Mark B Feb 08 '20 at 14:10
  • @MarkB "but they are all connecting THROUGH the VPC" I was not sure about this. Thanks for clearing this up. But having people across the world is not the main reason, as I said. We have several AWS accounts connected either by VPC peering or by transit gateways, and these are handled by a network team. We have no visibility over this. 1. How can I find the IP range in such a scenario? 2. Can't someone still access CloudFront via CloudFront's default domain, foobardfvfvsdfv.cloudfront.net? – Milindu Sanoj Kumarage Feb 08 '20 at 14:32
  • @MilinduSanojKumarage 1. "but they are all connecting THROUGH the VPC" I was not sure about this: That's literally what you are asking how to configure... 2. "How I can find the IP range": Look in the AWS console or ask someone with the appropriate permissions to look. 3. "Can't someone still access the CloudFront via CloudFront's default domain": Not if you restrict access to only the VPC... I feel like we are going in circles here and you don't have a good understanding of what you want. – Mark B Feb 08 '20 at 14:58
  • 1. @MarkB What I want is to restrict CloudFront only to someone in the VPC. (Which I was not sure about: whether people would be accessing CloudFront from the same point, or whether different people in different parts of the world would access it via different points of the VPC closer to them, but you clarified this. Thanks for that.) 2. Someone who has access told me there are no NAT Gateways in the AWS account that this CloudFront distribution is in. What else should I be looking into? If you can be specific I would be thankful. – Milindu Sanoj Kumarage Feb 08 '20 at 15:11
  • 3. WAF works like a middle layer between the user and CloudFront, right? If someone got to know the CloudFront URL, they still won't be able to access it directly? I'm new to VPC and WAF stuff and this conversation helped me understand things. – Milindu Sanoj Kumarage Feb 08 '20 at 15:11
  • Do you mind if I convert this to a chat? – Milindu Sanoj Kumarage Feb 08 '20 at 15:12
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/207459/discussion-between-mark-b-and-milindu-sanoj-kumarage). – Mark B Feb 08 '20 at 15:24
  • @JohnRotenstein the "why" would be internal product documentation, and only those with access to the VPC should have access to it. – Dragas Dec 29 '22 at 14:27
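The approach the comments converge on (a WAFv2 web ACL attached to the distribution, default action Block, with one Allow rule for the NAT Gateway Elastic IPs), written out as an added example that is not from the thread: the dicts below are in the shape `boto3` `wafv2.create_ip_set` / `create_web_acl` accept, the EIPs and the IP set ARN are constructed placeholders, and no API call is made. The local `evaluate` function models the ACL decision so you can see that the match is on client IP only, so the default `*.cloudfront.net` hostname is covered just like a custom domain; it also makes the caveat concrete that without fixed egress IPs (the asker's account has no NAT Gateways) there is nothing to put in the IP set.

```python
import ipaddress

# Constructed sample: Elastic IPs of the VPC's NAT Gateways (placeholders, not real addresses).
NAT_GATEWAY_EIPS = ["203.0.113.10/32", "203.0.113.11/32"]
# Placeholder ARN; the real one is returned by create_ip_set.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/vpc-nat-egress/PLACEHOLDER"


def build_ip_set(addresses):
    """Arguments for wafv2.create_ip_set. Scope CLOUDFRONT resources are created in us-east-1."""
    return {
        "Name": "vpc-nat-egress",
        "Scope": "CLOUDFRONT",
        "IPAddressVersion": "IPV4",
        "Addresses": list(addresses),
    }


def build_web_acl(ip_set_arn):
    """Arguments for wafv2.create_web_acl: block everything except the IP set.
    The ACL is attached to the distribution (WebACLId in the distribution config), so it
    applies to every hostname that distribution serves, including the default cloudfront.net name."""
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": "vpc-only-static-site",
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},
        "Rules": [{
            "Name": "allow-vpc-egress",
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Allow": {}},
            "VisibilityConfig": {**visibility, "MetricName": "allowVpcEgress"},
        }],
        "VisibilityConfig": {**visibility, "MetricName": "vpcOnlyStaticSite"},
    }


def evaluate(web_acl, ip_sets, client_ip):
    """Local model of the decision: lowest-priority matching rule wins, else the default action.
    Only the client IP is inspected, never the Host header."""
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        arn = rule["Statement"]["IPSetReferenceStatement"]["ARN"]
        if any(addr in ipaddress.ip_network(cidr) for cidr in ip_sets[arn]["Addresses"]):
            return next(iter(rule["Action"]))          # "Allow"
    return next(iter(web_acl["DefaultAction"]))        # "Block"


IP_SET = build_ip_set(NAT_GATEWAY_EIPS)
WEB_ACL = build_web_acl(IP_SET_ARN)
```

An empty `NAT_GATEWAY_EIPS` list (the situation described in the comments when the account has no NAT Gateways) leaves every request at the default Block, which is why the egress IPs have to be obtained from whoever runs the network before this design can work.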
