Attackers bypass aws waf to go for ec2 instances directly

Tags: amazon-cloudfront, amazon-vpc, amazon-web-services, elastic-beanstalk, web-application-firewall

My Setup

I have an Elastic Beanstalk application, with a public load balancer and public IPs on EC2.
The application is behind CloudFront, which is protected with AWS WAF from the different attacks I am experiencing now.
Route 53 forwards DNS queries to CloudFront.

My Problem

WAF is only on CloudFront. There are still the Elastic Beanstalk public DNS name, the Elastic Load Balancer public DNS name, and the EC2 instance public IP. Attackers are hitting them and bypassing the WAF.

My Request

I don't need anything other than CloudFront to be exposed to the internet. How do I remove all public DNS names and IPs from all, or at least some, of these resources and still have it working? Ideally CloudFront would forward requests over an inner Amazon domain.

What I tried

I tried setting the ELB to private in the Beanstalk Network Configuration tab, but it failed. When setting Public IP address to false, it just stops working with error 502.

Best Answer

You need to change your security groups so only CloudFront IPs can contact the server. You can also whitelist your own IP address. The key is to only let selected addresses in.

This AWS sample code will update your security group as CloudFront IP addresses change. I suspect that it will do the initial setup for you once you deploy the function and create the security groups it requires. Because of the number of IP ranges CloudFront has, it uses four security groups, which is fine; you can associate them all with a load balancer and/or EC2 instance.

You can download the AWS IP addresses here and filter on CLOUDFRONT for those IPs, if you want to do it manually. Beware that the IP address ranges change, which would leave some CloudFront nodes unable to contact your server if you do this manually.

Note that you can't use NACLs, as they have too low a limit. Interesting thing though: NACLs run on the instance hardware (maybe the Nitro card now), but if you're under DDoS the NACLs get pushed out to CloudFront to reject the traffic at the edge. I believe security groups also run on the instance hardware or in the Nitro card, but managed by AWS of course.
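As an added example (not from the answer above, and not AWS's sample Lambda), here is the manual variant of the approach in Python, run offline: filter ip-ranges.json down to the CLOUDFRONT prefixes, split them into chunks that fit one security group's inbound-rule quota, compute which CIDRs to authorize or revoke, and check whether a source IP seen in a load balancer access log belongs to CloudFront at all. The JSON is a constructed sample in the real file's shape, and the quota value is an assumed default.

```python
import ipaddress
import json

# Constructed sample shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file holds hundreds of entries; these prefixes are documentation ranges.
# IPv6 entries live under "ipv6_prefixes" / "ipv6_prefix" in the real file.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "AMAZON"},
    ],
})

# Assumed default quota for inbound rules per security group; raise it if your
# account has a higher limit. Four groups are needed for the real CloudFront list.
RULES_PER_GROUP = 60


def cloudfront_prefixes(ip_ranges_json):
    """Return the sorted, de-duplicated IPv4 prefixes tagged service == CLOUDFRONT."""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}
    return [str(n) for n in sorted(nets)]


def split_into_groups(prefixes, rules_per_group=RULES_PER_GROUP):
    """Chunk the CIDR list so no single security group exceeds its rule quota."""
    return [prefixes[i:i + rules_per_group]
            for i in range(0, len(prefixes), rules_per_group)]


def plan_changes(desired, current):
    """Diff desired vs. currently authorized CIDRs -> (to_authorize, to_revoke).
    Feed the two lists to authorize_security_group_ingress / revoke_security_group_ingress."""
    want, have = set(desired), set(current)
    return sorted(want - have), sorted(have - want)


def is_cloudfront_source(client_ip, prefixes):
    """True if a source IP (e.g. from an ALB access log line) is inside a CloudFront range.
    Hits from anywhere else on the load balancer mean the WAF was bypassed."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)
```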