AWS Cloudfront for VPC/VPN

amazon-web-services vpn amazon-cloudfront amazon-vpc
20,399

Solution 1

As @daxlerod points out, it is possible to use the relatively new Web Application Firewall service with CloudFront, to restrict access to the content, for example, by IP address ranges.

And, of course, there's no requirement that the web site actually be hosted inside AWS in order to use CloudFront in front of it.

However, "will it work?" and "are all the implications of the required configuration acceptable from a security perspective?" are two different questions.

In order to use CloudFront on a site, the origin server (the web server where CloudFront fetches content that isn't in the cache at the edge node where the content is being requested) has to be accessible from the Internet, in order for CloudFront to connect to it, which means your private site has to be exposed, at some level, to the Internet.

The CloudFront IP address ranges are public information, so you could partially secure access to the origin server with the origin server's firewall, but this only prevents access from anywhere other than through CloudFront -- and that isn't enough, because if I knew the name of your "secured" server, I could create my own CloudFront distribution and access it through CloudFront, since the IP addresses would be in the same range.

The mechanism CloudFront provides for ensuring that requests came from and through an authorized CloudFront distribution is custom origin headers, which allows CloudFront to inject an unknown custom header and secret value into each request it sends to your origin server, to allow your server to authenticate the fact that the request not only came from CloudFront, but from your specific CloudFront distribution. Your origin server would reject requests not accompanied by this header, without explanation, of course.

See http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html#forward-custom-headers-restrict-access.

And, of course, you need https between the browser and CloudFront and https between CloudFront and the origin server. It is possible to configure CloudFront to use (or require) https on the front side or the back side separately, so you will want to ensure it's configured appropriately for both, if the security considerations addressed above make it a viable solution for your needs.

For information that is not highly sensitive, this seems like a sensible approach if caching or other features of CloudFront would be beneficial to your site.

Solution 2

Yes, you CloudFront is designed as a caching layer in front of a web site.

If you want to restrict access to CloudFront, you can use the Web Application Firewall service.

Solution 3

Put your website into public network > In CloudFront distribution attach WAF rules > In WAF rules whitelist range of your company's IP's and blacklist everything else

Share:
20,399

Related videos on Youtube

Chiran Ravani
Author by

Chiran Ravani

Updated on July 09, 2022

Comments

  • Chiran Ravani
    Chiran Ravani almost 2 years

    Does AWS allow usage of Cloudfront for websites usage, eg:- caching web pages. Website should be accessible within corporate VPN only. Is it a good idea to cache webpages on cloudfront when using Application restricted within one network?

    • Jordan Stewart
      Jordan Stewart almost 7 years
      It is kind of weird that this question has been viewed over 700 times, but as of writing this, no one has upvoted the question, or either of the 2 answers.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can two AWS VPCs using the same Customer Gateway for a VPN connection
Setting up a VPN connection to Amazon VPC - routing
Can you connect to Amazon VPC VPN from Windows 7 without a hardware VPN on your end?
Static IP for cloudfront
Software VPN connection to Amazon AWS VPC private instance
How to make VPN connections to different networks which have the same CIDR?
Invalidate all files in a folder in cloudfront console
Pre-configured EC2 VPN AMI
How to use IPSec / Openswan with Amazon's Virtual Private Cloud (VPC) and EC2?
AWS RDS Writer Endpoint vs Reader Endpoint