DEV Community

Mike Ng for AWS Community Builders


How to secure and ensure the internet-facing application load balancer only allow traffic from CloudFront?

Architecture Diagram

Every internet-facing load balancer in AWS gets a public hostname. In most deployments a CloudFront distribution sits in front of the load balancer to cache static content and accelerate delivery; a WAF web ACL is usually created and associated with the CloudFront distribution to provide application security, and Lambda@Edge functions may be added to customize content at the edge.

The problem is that if the public hostname of the load balancer is reachable from the internet, an attacker can send requests to it directly and bypass the web ACL on the CloudFront distribution entirely. The fix is to make the load balancer accept inbound traffic only when it has come through the CloudFront distribution.

To enforce this, the CloudFront distribution inserts a custom origin header X_Request_From_CloudFront carrying a secret (hash) value into every request it forwards to the load balancer. The load balancer has its own associated WAF web ACL, which checks that the X_Request_From_CloudFront header is present and that its value matches the expected secret; the web ACL rejects any request where the header is missing or the value does not match.

To keep the custom header X_Request_From_CloudFront and its secret value from reaching the targets behind the load balancer, 'Drop invalid header fields' must be enabled on the load balancer. (The client never sees the header in any case: CloudFront adds it only to the request it sends to the origin.)

The Load balancer attributes documentation describes this attribute as follows:

Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true), or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.

Because the custom header X_Request_From_CloudFront contains underscores, the load balancer treats it as an invalid header field and removes it, together with its value, before the request reaches the targets. The header therefore exists only on the hop between the CloudFront distribution and the load balancer. Verify the behaviour on a test stack before relying on it: a request sent straight to the load balancer's hostname should receive the web ACL's block response, and the same request sent through the distribution should succeed.
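The following is an added model of the CloudFront to load balancer hop described above; it is example code written for this page, not the author's setup and not AWS code. It mimics the three checks the design relies on (CloudFront adding the origin header, the load balancer dropping header names that are not alphanumeric-or-hyphen, and a web ACL that allows only when the header is present and matches) so the interaction can be exercised locally. Whether the real load balancer evaluates its web ACL before or after dropping invalid header fields is not modelled; that order is a flag, so both possibilities can be tried. The header name is the one from the post; the secret, hostname and sample request headers are constructed for the example.

```python
import hmac
import re

# Constructed values for this example: the header name is the one the post uses,
# the secret is a placeholder and not a real deployment value.
HEADER_NAME = "X_Request_From_CloudFront"
ORIGIN_SECRET = "c0ffee0badf00d1e"

# From the ELB attribute documentation quoted in the post: header names may
# contain only alphanumeric characters and hyphens; anything else is invalid.
VALID_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def cloudfront_origin_request(client_headers, header_name=HEADER_NAME, secret=ORIGIN_SECRET):
    """Model CloudFront adding the custom origin header before forwarding to the ALB."""
    forwarded = dict(client_headers)
    forwarded[header_name] = secret
    return forwarded


def drop_invalid_header_fields(headers):
    """Model the ALB attribute routing.http.drop_invalid_header_fields.enabled=true."""
    return {name: value for name, value in headers.items() if VALID_HEADER_NAME.match(name)}


def web_acl_decision(headers, header_name=HEADER_NAME, secret=ORIGIN_SECRET):
    """Model the ALB web ACL: ALLOW only when the header is present and matches."""
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    presented = lowered.get(header_name.lower())
    if presented is None:
        return "BLOCK"
    # Constant-time comparison so the check itself does not leak the secret.
    return "ALLOW" if hmac.compare_digest(presented, secret) else "BLOCK"


def alb_handle(headers, drop_invalid=True, waf_runs_first=True,
               header_name=HEADER_NAME, secret=ORIGIN_SECRET):
    """Run the two ALB-side steps in a chosen order.

    Returns (decision, headers_the_target_would_see). The real ordering inside
    the load balancer is an assumption here, so the caller picks it.
    """
    if waf_runs_first:
        decision = web_acl_decision(headers, header_name, secret)
        to_target = drop_invalid_header_fields(headers) if drop_invalid else dict(headers)
    else:
        to_target = drop_invalid_header_fields(headers) if drop_invalid else dict(headers)
        decision = web_acl_decision(to_target, header_name, secret)
    if decision == "BLOCK":
        to_target = {}  # nothing is forwarded for a blocked request
    return decision, to_target


def scenario(via_cloudfront, waf_runs_first, header_name=HEADER_NAME,
             drop_invalid=True, forged_value=None):
    """One request, either through the distribution or straight at the ALB hostname."""
    # Constructed client request: an attacker hitting the public ALB name with curl.
    client_headers = {"Host": "alb-123.eu-west-1.elb.amazonaws.com", "User-Agent": "curl/8.0"}
    if via_cloudfront:
        headers = cloudfront_origin_request(client_headers, header_name)
    else:
        headers = dict(client_headers)
        if forged_value is not None:
            headers[header_name] = forged_value  # attacker guessing the secret
    return alb_handle(headers, drop_invalid, waf_runs_first, header_name)


if __name__ == "__main__":
    for via_cf, waf_first in [(False, True), (True, True), (True, False)]:
        print(f"via_cloudfront={via_cf} waf_first={waf_first}:", scenario(via_cf, waf_first))
    print("hyphenated header, WAF after drop:", scenario(True, False, header_name="X-Request-From-CloudFront"))
```

The two orderings give opposite results for a request that really did come through CloudFront: if the web ACL is evaluated first, the request is allowed and the target never sees the header; if the drop happens first, the underscore header is gone before the web ACL looks for it and every request is blocked, which is the failure mode described in the comments below. With a hyphen-only header name the web ACL works in either order, but the header then reaches the targets.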

Reference

Adding Custom Headers to Origin Requests
Load balancer attributes

Top comments (2)

Jon Shaw

Hey Mike,

Have you actually implemented this?

We have tried this and it doesn't work. The ALB dropping the header happens before the WAF rule evaluation.

This results in all traffic being blocked.
