{"id":74233,"date":"2025-08-28T00:48:57","date_gmt":"2025-08-27T19:18:57","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=74233"},"modified":"2026-01-02T18:08:26","modified_gmt":"2026-01-02T12:38:26","slug":"securing-aws-alb-behind-cloudfront-using-waf-and-security-groups","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/securing-aws-alb-behind-cloudfront-using-waf-and-security-groups\/","title":{"rendered":"Securing AWS ALB Behind CloudFront: Using WAF and Security Groups"},"content":{"rendered":"

Introduction<\/strong><\/h2>\n

A pretty common AWS setup is CloudFront in front of an Application Load Balancer (ALB). CloudFront improves performance and gives you some security features \u201cfor free.\u201d But if you leave the ALB wide open, anyone can bypass CloudFront and hit it directly – not ideal.<\/p>\n

This documentation outlines two effective methods for restricting direct traffic to an Application Load Balancer (ALB) and ensuring that all traffic is routed through Amazon CloudFront.<\/p>\n

\"When

.<\/p><\/div>\n

There are two practical ways to stop that:<\/strong><\/p>\n

    \n
  1. Use AWS WAF with a secret header.<\/li>\n
  2. Lock down the ALB\u2019s Security Group to CloudFront IPs.<\/li>\n<\/ol>\n

    Best practice: don\u2019t pick one or the other. Use both.<\/p>\n

    Method 1<\/strong>: Restricting Direct Traffic Using AWS WAF<\/p>\n

    Architecture Overview<\/strong><\/h2>\n

    WAF acts like a filter for HTTP\/S traffic. The trick here is to add a hidden header in CloudFront. WAF checks for it, and if it\u2019s missing, the request gets dropped before it touches your ALB.<\/p>\n

    Architecture Diagram<\/p>\n

    \"Restricting-Direct-Traffic-Using-AWS-WAF<\/h2>\n

    Implementation Steps<\/strong><\/h2>\n
      \n
    1. Add a custom header in CloudFront<\/li>\n<\/ol>\n
        \n
      • Go to the CloudFront<\/strong> console \u2192 find your distribution<\/strong>.<\/li>\n
      • Edit the ALB origin<\/strong>.<\/li>\n
      • Add a header<\/strong> with a secret key\/value.<\/li>\n
      • Save<\/strong> it somewhere safe; you\u2019ll need it for WAF.<\/li>\n<\/ul>\n

        2. Set up a WAF rule<\/p>\n

          \n
        • Open WAF<\/strong> console, create\/choose a Web ACL<\/strong>.<\/li>\n
        • Attach it to your ALB<\/strong>.<\/li>\n
        • Add a rule<\/strong> that blocks anything without the header.<\/li>\n
        • Put it at the top priority.<\/li>\n<\/ul>\n

          Testing and Validation<\/h2>\n
            \n
          • Run curl directly against the ALB \u2192 should get blocked.<\/li>\n
          • Go via CloudFront \u2192 should work.<\/li>\n
          • Turn on WAF logging, watch in CloudWatch to confirm only valid requests pass.<\/li>\n<\/ul>\n

            Cost Considerations<\/h2>\n
              \n
            • WAF pricing = ACLs + rules + number of requests.<\/li>\n
            • Extra cost if you enable logging.<\/li>\n
            • CloudFront costs stay the same, just expect a slight bump in total spend.<\/li>\n<\/ul>\n

              Method 2: Restricting Direct Traffic Using Security Groups<\/h2>\n

              Architecture Overview<\/h2>\n

              Security Groups are AWS\u2019s built-in firewall. You can just say: only let CloudFront IP ranges in. AWS maintains a managed prefix list for CloudFront, so you don\u2019t have to babysit changing IPs yourself.<\/p>\n

              Architecture Diagram<\/h3>\n

              \"Restricting-Direct-Traffic-Using-Security-Groups<\/p>\n

              Implementation Steps<\/h2>\n
                \n
              • Open the EC2 console<\/strong>, go to your ALB.<\/strong><\/li>\n
              • Under Security, click the Security Group<\/strong>.<\/li>\n
              • Edit inbound<\/strong> rules.<\/li>\n
              • Remove 0.0.0.0\/0<\/strong> if it\u2019s there (after adding the new rule first).<\/li>\n
              • Add a new inbound rule:<\/li>\n
              • Protocol = HTTPS (or what you need).<\/li>\n
              • Source = AWS-managed CloudFront prefix list.<\/li>\n
              • Save<\/strong>.<\/li>\n<\/ul>\n

                Testing and Validation<\/h2>\n
                  \n
                • Try hitting the ALB DNS directly \u2192 should fail.<\/li>\n
                • Test through CloudFront \u2192 should succeed.<\/li>\n
                • Double-check ALB access logs and CloudWatch metrics.<\/li>\n<\/ul>\n

                  Cost Considerations<\/h2>\n

                  Security Groups Costs:<\/h3>\n
                    \n
                  • Security Groups themselves do not incur additional costs beyond the standard AWS charges for EC2 and ALB. However, the complexity of rules may impact the management overhead.<\/li>\n
                  • Regular review and optimization of security group rules can help avoid unnecessary complexity and potential performance issues.<\/li>\n<\/ul>\n

                    CloudFront Costs:<\/strong><\/h3>\n
                      \n
                    • As with AWS WAF, using CloudFront in conjunction with Security Groups will affect your overall AWS costs. Review the CloudFront pricing page to understand how it may impact your budget.<\/li>\n<\/ul>\n

                      Best Approach for Restricting Traffic :<\/strong><\/h2>\n

                      Combine WAF and Security Groups<\/strong><\/p>\n

                        \n
                      • Each method has strengths. SGs work at the network layer; WAF works at the application layer. If one fails, the other is still standing.<\/li>\n
                      • Think of it like: SG = locked door, WAF = alarm system. Together, your ALB is harder to reach, and CloudFront remains the only valid way in.<\/li>\n<\/ul>\n

                        Conclusion<\/strong><\/h2>\n

                        The safest option is to apply both WAF and SG restrictions. That way, your ALB isn\u2019t left exposed, and all requests have to pass through CloudFront first. It gives you performance benefits plus a solid security posture.<\/p>\n","protected":false},"excerpt":{"rendered":"

                        Introduction A pretty common AWS setup is CloudFront in front of an Application Load Balancer (ALB). CloudFront improves performance and gives you some security features \u201cfor free.\u201d But if you leave the ALB wide open, anyone can bypass CloudFront and hit it directly – not ideal. This documentation outlines two effective methods for restricting direct […]<\/p>\n","protected":false},"author":1606,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":33},"categories":[2348],"tags":[1216],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/74233"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1606"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=74233"}],"version-history":[{"count":6,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/74233\/revisions"}],"predecessor-version":[{"id":77285,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/74233\/revisions\/77285"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=74233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=74233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=74233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}