AWS Cloudfront and ELB Security Groups

Does anyone know how to add your CloudFront distribution to the inbound security group rules for an ELB?

We have a CloudFront distribution set up for a new site that has a whitelist of security group rules on its origin. I cannot figure out how to configure a security group to allow requests from a CloudFront distribution ...

Any ideas?

+8
3 answers

If you follow the link provided by Amir Meler in the comments above, the blog author points to the official AWS Lambda function on GitHub which updates the security group using the CloudFront IP addresses. I used this and it works great.

If you do not like Lambda, you can do it manually.

Note: when using the sample test configuration for the first time, update the MD5 to match the hash of the current ip-ranges.json file, or it will fail.

+6

When you add an origin to the CloudFront distribution and click on the “Domain Name” field, it lists all of your AWS resources from this account (including the ELB). You can just select it.

However, the security group associated with your ELB must allow public access (HTTP / HTTPS, 0.0.0.0/0). This is not any less secure, because in any case you want the public to access the ELB through CloudFront. The moment you make things available through the CDN, they are meant to be shared. That is how I set up the ELB security groups. Open to other suggestions!

Now for the EC2 security group behind the ELB: here you should not allow public access. Instead, only allow access from the ELB security group (you can achieve this by selecting the ELB security group from the list instead of entering an inbound IP address).

This can be configured a little differently if the origin is S3. Here you do not need to make the bucket public. Instead, restrict access to the bucket using the bucket policy (no security groups here), allowing only the CloudFront origin access identity (OAI) principal. Learn more here: Serving Private Content through CloudFront - Amazon CloudFront

+3

This is more of a question than an answer, but it contains the following:

Step 1: Get the data here:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

Step 2: Create a security group with that data ...

Part of the question: why the hell does the AWS API have a limit on the number of rules that is LESS than the number of endpoints of its own services ...

This is what happens when you call the API (which is exactly how I ended up here): HTTP 400 [screenshot not reproduced]

0
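The procedure the first answer points at (fetch ip-ranges.json, check its MD5, keep the security group in sync with the CLOUDFRONT prefixes) and the rule-count limit the last answer ran into, as an added Python example that is not the official AWS Lambda function and not code from any answer on this page. It runs offline on a constructed ip-ranges.json sample built from documentation address ranges; the default quota of 60 inbound rules per group, the origin port list (80, 443), and the helper names are assumptions. The ip_permissions output follows the IpPermissions shape of the EC2 AuthorizeSecurityGroupIngress request, but no AWS call is made here; pass the result to boto3 yourself, one call per planned group.

```python
"""Plan security-group ingress updates from AWS's published CloudFront IP ranges.

Added example, not the official AWS Lambda function. Runs offline on a
constructed sample of ip-ranges.json.
"""
import hashlib
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of ip-ranges.json. The prefixes are
# RFC 5737 / RFC 3849 documentation ranges, not real AWS addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
}).encode()

# Assumed default quota of inbound rules per security group. The real value is
# an adjustable account quota, so read it from your account instead of trusting this.
DEFAULT_RULES_PER_GROUP = 60
# Assumed ports CloudFront uses to reach the origin.
ORIGIN_PORTS = (80, 443)


def md5_hex(body: bytes) -> str:
    """MD5 of the file as published; the change notification carries this value."""
    return hashlib.md5(body).hexdigest()


def verify_md5(body: bytes, expected_hex: str) -> bool:
    """Refuse to act on a file whose hash does not match the announced one."""
    return md5_hex(body) == expected_hex.lower()


def cloudfront_prefixes(body: bytes) -> Tuple[List[str], List[str]]:
    """Return sorted, de-duplicated (ipv4, ipv6) CIDRs tagged with service CLOUDFRONT."""
    doc = json.loads(body)
    v4 = {p["ip_prefix"] for p in doc.get("prefixes", []) if p["service"] == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT"}
    # ipaddress.ip_network raises ValueError on anything that is not a valid
    # CIDR, so a corrupted file fails here instead of turning into a bad rule.
    return (sorted(v4, key=ipaddress.ip_network), sorted(v6, key=ipaddress.ip_network))


def plan_changes(current: List[str], desired: List[str]) -> Tuple[List[str], List[str]]:
    """Diff what a group allows now against what it should allow: (to_add, to_revoke)."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


def split_across_groups(cidrs: List[str], ports: Tuple[int, ...] = ORIGIN_PORTS,
                        rules_per_group: int = DEFAULT_RULES_PER_GROUP) -> List[List[str]]:
    """Each (CIDR, port) pair costs one rule, so spread the CIDRs over as many
    groups as the quota requires; the last answer above hit HTTP 400 by ignoring this."""
    per_group = rules_per_group // len(ports)
    if per_group < 1:
        raise ValueError("rule quota is too small for the port list")
    return [cidrs[i:i + per_group] for i in range(0, len(cidrs), per_group)]


def ip_permissions(cidrs: List[str], ports: Tuple[int, ...] = ORIGIN_PORTS) -> List[Dict]:
    """Build the IpPermissions list for one group: one entry per TCP port,
    IPv4 CIDRs under IpRanges and IPv6 CIDRs under Ipv6Ranges."""
    v4 = [{"CidrIp": c} for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [{"CidrIpv6": c} for c in cidrs if ipaddress.ip_network(c).version == 6]
    perms = []
    for port in ports:
        entry: Dict = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        perms.append(entry)
    return perms


if __name__ == "__main__":
    body = SAMPLE_IP_RANGES
    if not verify_md5(body, md5_hex(body)):
        raise SystemExit("ip-ranges.json hash mismatch, refusing to update")
    v4, v6 = cloudfront_prefixes(body)
    add, revoke = plan_changes(["203.0.113.0/25", "192.0.2.0/24"], v4)
    print("add:", add, "revoke:", revoke)
    # A deliberately tiny quota to show the split into several groups.
    for i, chunk in enumerate(split_across_groups(v4 + v6, rules_per_group=4)):
        print("group", i, json.dumps(ip_permissions(chunk)))
```

Run plan_changes against what describe-security-groups returns for each group before authorizing or revoking anything, so an unchanged file produces no API calls; and attach every group produced by split_across_groups to the ELB, since a single group cannot hold the whole list once the quota is exceeded.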
