
I have an AWS API Gateway which should only be accessed by requests coming from Salesforce IP ranges. How do I accomplish that in CloudFormation with AWS::WAFv2::WebACL?

neuro
Tracy Xia

1 Answer

AWSTemplateFormatVersion: '2010-09-09'
Description: 'WAF rule to limit access to requests originating from Salesforce IP ranges only.'

Resources:
  SfdcIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Description: 'Salesforce IP ranges'
      Name: 'SfdcIPSet'
      # REGIONAL is required for API Gateway; CLOUDFRONT-scoped resources cannot be associated with it.
      Scope: REGIONAL
      # IPv4 only: a request reaching the API over IPv6 matches nothing here and falls through to the default Block.
      IPAddressVersion: IPV4
      Addresses:
        - '13.108.0.0/14'
        - '96.43.144.0/20'
        - '136.146.0.0/15'
        - '204.14.232.0/21'
        - '85.222.128.0/19'
        - '185.79.140.0/22'
        - '101.53.160.0/19'
        - '182.50.76.0/22'
        - '202.129.242.0/23'

  SfdcIPRestrictionWebACL:
    Type: AWS::WAFv2::WebACL
    DependsOn:
      - SfdcIPSet
    Properties:
      Name: 'SfdcIPRestrictionWebACL'
      Scope: REGIONAL
      # Deny by default; only the allow rule below grants access.
      DefaultAction:
        Block: {}
      Description: 'To limit access to Salesforce IP ranges only'
      Rules:
        - Name: 'sfdcIpLimitationRule'
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              # The property name is 'Arn' (case-sensitive); 'ARN' is rejected by CloudFormation.
              Arn: !GetAtt SfdcIPSet.Arn
          Action:
            Allow: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: 'sfdcIpLimitationRule'
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: 'SfdcWebACLMetric'
      # Capacity is a read-only attribute of the Web ACL (available via !GetAtt SfdcIPRestrictionWebACL.Capacity),
      # not a settable property, so it must not appear here.

The list of Salesforce public IP ranges can be found here: https://help.salesforce.com/articleView?id=000321501&type=1&mode=1

To use the WebACL with an API Gateway, make sure you use the correct WAFv2 syntax, like so:

  # Assumes a Mappings section named EnvironmentMapping and a parameter EnvironmentName
  # (not shown here) that hold the stage ARN and the Web ACL ARN per environment.
  SfdcWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcApiGatewayArn]
      WebACLArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcWebACLArn]

Another somewhat annoying thing I noticed: with the new view for "WAF & Shield" in the AWS Console, you will only see the WAFv2 definitions. Older definitions can only be seen in the classic view.

Tracy Xia
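Added example, not part of the answer above: the association can also be written without a Mappings lookup by building the REST API stage ARN with !Sub and taking the Web ACL ARN from the resource defined in the same template. The parameter names RestApiId and StageName are assumptions; SfdcIPRestrictionWebACL is the Web ACL from the answer. Only REST API stages can carry a WAFv2 Web ACL (HTTP APIs from AWS::ApiGatewayV2 cannot), and the Web ACL must be REGIONAL and in the same account and region as the API.

```yaml
# Added example (not from the original answer).
# Assumptions: parameters RestApiId and StageName; the Web ACL logical ID
# SfdcIPRestrictionWebACL is the one defined in the answer's template.
Parameters:
  RestApiId:
    Type: String
    Description: REST API ID to protect (the !Ref value of an AWS::ApiGateway::RestApi)
  StageName:
    Type: String
    Default: prod
    Description: Stage of that API to associate the Web ACL with

Resources:
  SfdcWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # REST API stage ARN format: arn:<partition>:apigateway:<region>::/restapis/<api-id>/stages/<stage>
      # Note the empty account field (two consecutive colons).
      ResourceArn: !Sub 'arn:${AWS::Partition}:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}'
      # Same-template reference; no Mappings section needed.
      WebACLArn: !GetAtt SfdcIPRestrictionWebACL.Arn
```

If the stage is created in the same template, add a DependsOn pointing at the AWS::ApiGateway::Stage (or the deployment that creates it) so the association is not attempted before the stage exists.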
  • A challenge I'm having is patterning after the actual WAFv2 configurations within the console, and expecting a 1:1 correlation. I'm attempting to model the combination of the webacl rule attachment to an ipset. The options for "If a request matches the statement" include [matches the statement, matches all the statements (AND), matches at least one of the statements (OR), doesn't match the statement (NOT)]. However, I don't see this combination of options in CloudFormation. Am I missing something? – CamBeeler Jan 03 '23 at 21:59
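Added example, not part of the thread: the console's "matches all the statements (AND)", "matches at least one of the statements (OR)" and "doesn't match the statement (NOT)" options correspond to AndStatement, OrStatement and NotStatement nested under a rule's Statement in AWS::WAFv2::WebACL. NotStatement wraps a single Statement; AndStatement and OrStatement take a Statements list, and they nest. SfdcIPSet is the IP set from the answer; OfficeIPSet and the /salesforce/ path prefix are assumptions for illustration.

```yaml
# Added example (not from the original answer or comment).
# Assumptions: SfdcIPSet is the IP set from the answer; OfficeIPSet is a second
# AWS::WAFv2::IPSet assumed to exist; the /salesforce/ path prefix is illustrative.
Resources:
  SfdcOrOfficeWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: SfdcOrOfficeWebACL
      Scope: REGIONAL
      # Default is Allow here because the NOT rule below does the blocking.
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: SfdcOrOfficeWebACL
      Rules:
        # NOT over OR: block any request whose source IP is in neither IP set.
        # Rules are evaluated by Priority; Block and Allow terminate evaluation.
        - Name: BlockUnlessSfdcOrOffice
          Priority: 0
          Action:
            Block: {}
          Statement:
            NotStatement:
              Statement:
                OrStatement:
                  Statements:
                    - IPSetReferenceStatement:
                        Arn: !GetAtt SfdcIPSet.Arn
                    - IPSetReferenceStatement:
                        Arn: !GetAtt OfficeIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockUnlessSfdcOrOffice
        # AND: count (do not block) requests from the Salesforce ranges that hit
        # the /salesforce/ path prefix, giving a CloudWatch metric for that traffic.
        # Count is non-terminating, so evaluation continues to the default action.
        - Name: CountSfdcCallbacks
          Priority: 1
          Action:
            Count: {}
          Statement:
            AndStatement:
              Statements:
                - IPSetReferenceStatement:
                    Arn: !GetAtt SfdcIPSet.Arn
                - ByteMatchStatement:
                    SearchString: /salesforce/
                    FieldToMatch:
                      UriPath: {}
                    PositionalConstraint: STARTS_WITH
                    TextTransformations:
                      - Priority: 0
                        Type: NONE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CountSfdcCallbacks
```

Compared with the answer's template, this expresses the same allow-list as an explicit deny (NOT) with a default Allow; either shape works, but keeping DefaultAction as Block with an allow rule is the safer default, since adding a new rule later cannot accidentally widen access.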