09/12/2016 Ben Bridts

Using the Application Load Balancer and WAF to replace CloudFront Security Groups

If you’ve been using a Lambda function to update security groups that grant CloudFront access to your resources, you may have seen problems starting to appear the last few days. There are now 32 IP ranges used by CloudFront, and you can add only 50 rules in a security group. This seems fine, but if you want to allow both HTTP and HTTPS,  you’ll have to split the 64 rules over two groups. This may limit you in other ways, as you can add only 5 security groups to a resource.

You can replace this lambda with the recently launched WAF  (web application firewall) for ALB (application load balancers) .

Here is how to do that (assuming you already have a CloudFront distribution and Application Load Balancer setup).

CloudFront configuration

  1. Go to the “Origins” tab of the Distribution you want to use and edit the origin that’s pointing to your ALB.
  2. Add a new Origin Custom Header. You can use any header name and value you like, I opted for “X-Origin-Verify” with a random value
    edit origin

WAF/ALB Configuration

  1. Go to the WAF service page and create a new Web ACL
  2. Give the ACL a name and select the region and name of your ALB
    acl config
  3. Create a new “String matching condition”. We’ll create one called “cloudfront-origin-header” that will match when our custom header has the same random value.
    header-rule
  4. (Optional) If you want to allow your own ip, without the secret header for testing purposes add an “IP match condition” that will match the IPs you trust. We have named that condition “trusted-ips”
    ip condition
  5. Now we can create a rule to allow requests that match the conditions we created. Click on “Create rule”  to create a rule for all requests with our custom header.
    header rule
  6. (Optional) Do the same for a rule with the IP condition
    trusted ip rule
  7. Configure the ACL to allow the rules we just created and block all requests that don’t match any rules
    acl create

Result

If you surf directly to the ALB with an untrusted IP address, you should now see a 403 page:

screenshot-2016-12-09-15-35-28

However, when you add the Custom header, or go through CloudFront, you are allowed to visit the website:

curl alb allowedcurl cloudfront

Caveats

This service is very new, so while setting this up, we ran into some rough edges. We’ve opened  a support request so that AWS can look into fixing those.

  • You can’t see the ACLs you created inside a region (WAF for CloudFront is a global service) if you use the CLI. According the the documentation, you should be able to do this if you override the endpoint url. At the time of writing this gives errors. If you want to try if this has been fixed you can use this command: aws waf list-web-acls --endpoint-url https://waf-regional.us-east-1.amazonaws.com
  • Currently there are no metrics available for the WAF inside a region (even though you have to specify a metric name for the rules and conditions you create).
  • If there are no healthy hosts in the target group of your ALB, you will always get a 503 error response. Even if the requests gets blocked by the WAF.

Leave a Reply

Your email address will not be published. Required fields are marked *