
I have a CloudFront distribution with a WAF (Web Application Firewall) attached to it to restrict public access. I also have a fleet of EC2 instances running under an ASG (Auto Scaling Group), and I wish to whitelist the EC2 instances to access the CloudFront distribution. Is it possible to create such a configuration in my infrastructure?

Please note that the IP addresses of the EC2 instances are not fixed. They are controlled by the attached ASG. Also, the ASG is created in a public subnet. Any help would be appreciated. Thanks.

neuro
and_roid

1 Answer


You would have to trigger some sort of script every time the ASG adds an instance, to add the instance's public IP to the WAF.

I would suggest moving the EC2 instances to private subnets with routes to NAT gateways, then you would only have to whitelist the Elastic-IPs of the NAT Gateway(s).

Mark B
Thanks for your suggestion @Mark-b. The second solution to introduce a NAT Gateway along with a private subnet worked for me – and_roid Dec 05 '20 at 18:22
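For anyone who cannot move the fleet to private subnets and has to take the first route from the answer, here is an added example (not code from the question, the answer, or AWS) of the "script on scale-out" approach: a function meant to run from a Lambda on ASG launch/terminate events that replaces a WAFv2 IP set's addresses with the public IPs of the group's running instances. The ASG name and the IP set name/id are placeholder parameters, the sample EC2 response is constructed, and the IP set is assumed to have Scope=CLOUDFRONT (so WAFv2 calls go to us-east-1).

```python
import ipaddress

# Constructed sample in the shape of ec2.describe_instances()["Reservations"]
# (instance ids and 203.0.113.0/24 are documentation placeholders).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0a", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-0b", "State": {"Name": "shutting-down"}, "PublicIpAddress": "203.0.113.11"},
    {"InstanceId": "i-0c", "State": {"Name": "running"}},  # no public IP yet
    {"InstanceId": "i-0d", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10"},
]}]


def running_public_ips(reservations):
    """Public IPv4 addresses of instances that are actually running.
    Terminating or stopped instances fall out of the allow list."""
    ips = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            if inst.get("PublicIpAddress"):
                ips.append(inst["PublicIpAddress"])
    return ips


def ip_set_addresses(public_ips):
    """Turn bare IPv4 addresses into the /32 CIDRs WAFv2 expects,
    de-duplicated and rejecting anything that is not a valid address."""
    cidrs = {f"{ipaddress.IPv4Address(ip)}/32" for ip in public_ips}  # raises on bad input
    return sorted(cidrs)


def sync_ip_set(asg_name, ip_set_name, ip_set_id):
    """Replace the IP set contents with the ASG's current public IPs.
    Hypothetical placeholders: asg_name, ip_set_name, ip_set_id."""
    import boto3  # imported here so the pure helpers above need no AWS SDK
    asg = boto3.client("autoscaling")
    ec2 = boto3.client("ec2")
    waf = boto3.client("wafv2", region_name="us-east-1")  # CLOUDFRONT scope lives here

    groups = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])
    ids = [i["InstanceId"] for g in groups["AutoScalingGroups"] for i in g["Instances"]]
    # Guard: describe_instances with an empty id list would return every instance.
    reservations = ec2.describe_instances(InstanceIds=ids)["Reservations"] if ids else []
    addresses = ip_set_addresses(running_public_ips(reservations))

    # update_ip_set is a full replacement, so stale IPs are removed as well;
    # the LockToken from get_ip_set guards against concurrent updates.
    current = waf.get_ip_set(Name=ip_set_name, Scope="CLOUDFRONT", Id=ip_set_id)
    waf.update_ip_set(Name=ip_set_name, Scope="CLOUDFRONT", Id=ip_set_id,
                      Addresses=addresses, LockToken=current["LockToken"])
    return addresses
```

The Lambda role needs autoscaling:DescribeAutoScalingGroups, ec2:DescribeInstances, wafv2:GetIPSet and wafv2:UpdateIPSet; the WAF rule that references the IP set stays unchanged.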