How do I ensure that no traffic goes to my NodeBalancer unless it comes through AWS CloudFront?

I recently set up AWS CloudFront and WAF to secure my website hosted on Linode servers behind a NodeBalancer.

Right now… CloudFront is sending traffic to the NodeBalancer (that works). However… I want to implement a firewall rule for the NodeBalancer that drops all traffic UNLESS it comes from CloudFront.

Amazon provides me with this list

curl -O https://ip-ranges.amazonaws.com/ip-ranges.json

but it's a long list. And they recommend that you programmatically use this URL to keep up to date with Amazon IPs.

My firewalls don't give me any low-level access to do any special configs like this. So how is a setup like this achieved on Linode?

GA

1 Reply

You can use the Linode API or CLI to programmatically update Cloud Firewall Rules. Our Cloud Firewalls can be used with NodeBalancers, so that may be an option for you.

There are some limitations for our Cloud Firewall service that you may want to look over, including this:

A maximum of 255 IP addresses (and ranges) can be added to each Cloud Firewall rule.

If you only have to add the IP ranges that mention CloudFront specifically, this shouldn't be too bad as there are 256. I think you could just make an additional rule to cover the extra IP/range:

 curl -sL https://ip-ranges.amazonaws.com/ip-ranges.json | grep CLOUDFRONT | wc -l

     256

However, if you need to add all of the IPs in that document, that's a bit of a challenge.

curl -sL https://ip-ranges.amazonaws.com/ip-ranges.json | grep prefix | wc -l

   11097

I've never seen a Firewall with 11k IPs involved, so I'm not sure how that would go. Hopefully you only need the CloudFront IPs. If so, you can use this command to isolate them for your API call, which may be easier with some kind of scripting.

curl -sL https://ip-ranges.amazonaws.com/ip-ranges.json | grep -A2 -B3 CLOUDFRONT

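To show the scripting the reply hints at, here is an added example (not from the thread or from Linode) that parses an ip-ranges.json document, keeps only the CLOUDFRONT prefixes, validates each one, and splits them into ACCEPT rules of at most 255 addresses for a default-DROP inbound policy, in the shape the Linode Cloud Firewall rules endpoint expects. The embedded document is a constructed sample, not the real AWS list; in practice you would load the live URL and submit the result with your API token.

```python
import ipaddress
from itertools import islice

# Constructed sample in the shape of ip-ranges.json (a few entries, not the real AWS list).
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "GLOBAL", "service": "EC2"},
    ],
}

MAX_ADDRESSES_PER_RULE = 255  # Cloud Firewall limit quoted in the reply above


def cloudfront_prefixes(doc):
    """Return (ipv4, ipv6) lists of CloudFront prefixes from an ip-ranges.json document."""
    v4 = [p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"]
    v6 = [p["ipv6_prefix"] for p in doc["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"]
    # ip_network() raises on anything that is not a well-formed prefix, so a corrupted
    # or tampered document fails here instead of producing a bad firewall rule.
    return ([str(ipaddress.ip_network(p)) for p in v4], [str(ipaddress.ip_network(p)) for p in v6])


def chunked(items, size):
    """Yield successive lists of at most `size` items."""
    it = iter(items)
    while batch := list(islice(it, size)):
        yield batch


def build_rule_set(v4, v6, ports="443"):
    """Build the body for PUT /v4/networking/firewalls/{id}/rules: drop all inbound by default,
    one ACCEPT rule per 255-address batch, IPv4 and IPv6 batched separately."""
    inbound = []
    for family, prefixes in (("ipv4", v4), ("ipv6", v6)):
        for i, batch in enumerate(chunked(prefixes, MAX_ADDRESSES_PER_RULE), 1):
            inbound.append({
                "action": "ACCEPT", "protocol": "TCP", "ports": ports,
                "addresses": {family: batch},
                "label": f"cloudfront-{family}-{i}",
                "description": "AWS CloudFront ranges from ip-ranges.json",
            })
    return {"inbound_policy": "DROP", "outbound_policy": "ACCEPT", "inbound": inbound, "outbound": []}
```

Running `build_rule_set(*cloudfront_prefixes(SAMPLE_IP_RANGES))` on the sample yields two ACCEPT rules (one IPv4, one IPv6); the full list would produce several IPv4 rules once it exceeds 255 prefixes.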