lawestern.blogg.se

Aws waf alb

If you’ve been using a Lambda function to update security groups that grant CloudFront access to your resources, you may have seen problems starting to appear in the last few days. There are now 32 IP ranges used by CloudFront, and you can add only 50 rules in a security group. This seems fine, but if you want to allow both HTTP and HTTPS, you’ll have to split the 64 rules over two groups. This may limit you in other ways, as you can add only 5 security groups to a resource. You can replace this Lambda with the recently launched WAF (web application firewall) for ALB (application load balancers). Here is how to do that (assuming you already have a CloudFront distribution and Application Load Balancer set up).

  • Go to the “Origins” tab of the Distribution you want to use and edit the origin that’s pointing to your ALB.
  • You can use any header name and value you like; I opted for “X-Origin-Verify” with a random value.
  • Go to the WAF service page and create a new Web ACL.
  • Give the ACL a name and select the region and name of your ALB.
  • Create a new “String matching condition”.
  • We’ll create one called “cloudfront-origin-header” that will match when our custom header has the same random value.
  • (Optional) If you want to allow your own IP without the secret header for testing purposes, add an “IP match condition” that will match the IPs you trust.

We have named that condition “trusted-ips”.
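A small Python model of the Web ACL this procedure builds, added here as an example and not taken from the original post. It assumes the ACL blocks by default and allows a request when either the “cloudfront-origin-header” or the “trusted-ips” condition matches; the secret value, the CIDR range and the sample requests are constructed.

```python
import hmac
import ipaddress
import secrets

HEADER_NAME = "X-Origin-Verify"            # header name used on the page
ORIGIN_SECRET = secrets.token_urlsafe(32)  # constructed random value set on the CloudFront origin
TRUSTED_IPS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed "trusted-ips" set (TEST-NET-3)


def header_matches(headers, secret=None):
    """Model of "cloudfront-origin-header": header name is case-insensitive, value must match exactly."""
    secret = ORIGIN_SECRET if secret is None else secret
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            return hmac.compare_digest(value.encode(), secret.encode())
    return False


def ip_trusted(source_ip, networks=TRUSTED_IPS):
    """Model of the optional "trusted-ips" IP match condition."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def evaluate(source_ip, headers):
    """Assumed Web ACL logic: ALLOW if either condition matches, otherwise the default action BLOCK."""
    if header_matches(headers) or ip_trusted(source_ip):
        return "ALLOW"
    return "BLOCK"


if __name__ == "__main__":
    # Constructed sample requests as the ALB would see them.
    samples = [
        ("198.51.100.7", {"x-origin-verify": ORIGIN_SECRET}),  # forwarded by CloudFront
        ("198.51.100.7", {"X-Origin-Verify": "guess"}),        # direct to ALB, wrong value
        ("198.51.100.7", {}),                                  # direct to ALB, no header
        ("203.0.113.10", {}),                                  # tester on a trusted IP
    ]
    for ip, hdrs in samples:
        print(ip, sorted(hdrs), evaluate(ip, hdrs))
```

The header value is the only thing separating CloudFront traffic from direct traffic, so it should be long, random and rotated like any other shared secret.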











