In enterprise applications and API protection, AWS CloudFront provides high-performance content delivery. But how do you ensure only authorized IPs can access your resources? This guide explains how to configure a CloudFront IP whitelist using AWS WAF to enhance security and prevent unauthorized access.
Why Do You Need a CloudFront IP Whitelist?
Common Use Cases:
- Internal Enterprise APIs: Allow only company fixed IPs to access internal system APIs
- Partner Integration: Restrict API calls to specific partner IP addresses
- Test Environment Protection: Prevent test environments from external scanning or attacks
- DDoS Risk Mitigation: Limit source IP ranges to reduce distributed attack surface
Technical Considerations:
- CloudFront has no built-in source-IP allow/deny list for viewers; you attach an AWS WAF Web ACL to the distribution instead
- WAF rules are evaluated at the CloudFront edge before the cache lookup, so blocked requests never reach the cache or the origin, and the check adds negligible latency
- Suitable for applications that need an additional security layer, but the IP list has to be maintained, and it only protects the CloudFront front door, not the origin itself
Step 1: Query CloudFront Source IPs
Method 1: Using nslookup to Resolve Domain
First, resolve the hostname that points at your distribution (replace example.com with your own domain):
nslookup example.com
Method 2: Using dig to Resolve Domain
dig +short example.com
Sample Output (nslookup format; dig +short prints the same CNAME target and A records, one per line):
example.com canonical name = dxxxxxxxxxx.cloudfront.net.
Name: dxxxxxxxxxx.cloudfront.net
Address: 13.35.185.65
Address: 13.35.185.104
Address: 13.35.185.53
Address: 13.35.185.46
This shows that example.com is a CNAME for dxxxxxxxxxx.cloudfront.net, which resolves to Amazon CloudFront edge addresses. The addresses you get back depend on where you resolve from and change over time.
Important Notes:
- CloudFront edge IPs change over time (AWS publishes the current ranges in ip-ranges.json); don't whitelist these addresses, and don't confuse them with the clients you actually want to allow
- The whitelist must contain client source IPs (the addresses your users or partners connect from). By default WAF matches the IP that opened the connection to CloudFront; if your clients sit behind a proxy, the rule has to be configured to take the original address from a forwarded header instead, and that header is only as trustworthy as the proxy that sets it
- A WAF rule on the distribution does not stop anyone from calling the origin directly. Lock the origin down separately: Origin Access Control (OAC, the successor to Origin Access Identity) for S3 origins; for custom origins a secret custom header that CloudFront adds and the origin verifies, and/or a security group that only admits the AWS-managed CloudFront origin-facing prefix list (com.amazonaws.global.cloudfront.origin-facing)
Step 2: Configure AWS WAF to Restrict IP Access to CloudFront
AWS WAF controls which IPs can reach the distribution through a Web ACL: an IP set holds the allowed addresses, an Allow rule references that IP set, and the Web ACL's default action blocks everything else. The IP set has to exist before the rule can reference it, so create it first.
Create the IP Set
- Open the AWS WAF console → IP sets → 「Create IP set」
- Enter an IP set name (e.g., MyIPWhitelist) and choose the region 「Global (CloudFront)」; the console switches to US East (N. Virginia), which is where every CloudFront-scoped Web ACL and IP set lives
- Select the IP version (an IP set holds either IPv4 or IPv6 addresses, so create a second set if you must allow both)
- Enter the allowed addresses in CIDR notation, one per line:
  - Single IP: 203.0.113.5/32
  - IP range (e.g., company egress addresses): 203.0.113.0/24
- Click 「Create IP set」
Create AWS WAF Web ACL
- Open Web ACLs → 「Create web ACL」
- Resource type: choose CloudFront distributions (CloudFront is a global resource, so the Web ACL must be created in the Global (CloudFront) scope)
- Enter a Web ACL name (e.g., CloudFront-IP-Whitelist) and click Next
Create IP Whitelist Rule
- Click 「Add rules」 → 「Add my own rules and rule groups」
- Rule type: IP set; enter a rule name (e.g., AllowOnlyMyIP)
- Select the IP set created above (MyIPWhitelist) and leave 「Source IP address」 as the address to match unless your clients are behind a proxy
- Set the action to Allow and click 「Add rule」
Configure Default Action
- Back on the Web ACL page, set the Default action to Block, so every request whose source IP is not in the IP set is rejected
- Click Next through the remaining pages and 「Create web ACL」
Rule Logic Explanation:
- Web ACL first checks if IP is in whitelist (Allow rule)
- If IP is in whitelist, allow through
- If IP is not in whitelist, apply default action (Block)
Bind WAF Web ACL to CloudFront
- Open the Web ACL's main page → 「Associated AWS resources」 → 「Add AWS resources」
- Select the CloudFront distribution and click Add
- Alternatively, edit the distribution's general settings in the CloudFront console and pick the Web ACL under AWS WAF web ACL; either way the association is stored in the distribution configuration, and the distribution shows as In Progress while it redeploys
Propagation Time: allow a few minutes (typically 3-5) for the updated distribution and WAF rules to reach all edge locations before testing.
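The console steps above as code, so the same whitelist can be reproduced in another account or environment. This is an added example, not code from the original article or from AWS: it uses boto3 against the wafv2 and cloudfront APIs, and the IP set name, Web ACL name, distribution ID and the sample address list are placeholders to replace with your own. The pure helpers (CIDR normalization and the Web ACL definition) run without AWS access; only apply() talks to AWS.

```python
"""Create the CloudFront IP whitelist from the guide as code.

Added example (not from the original article or from AWS). It builds the
same objects the console steps create: an IP set, an Allow rule that
references it, and a Web ACL whose default action is Block, then attaches
the Web ACL to a distribution. Names, the distribution ID and the sample
addresses are placeholders.
"""
import ipaddress

WAF_REGION = "us-east-1"  # CloudFront-scoped WAF objects exist only in this region
SCOPE = "CLOUDFRONT"

# Constructed sample input: what an operator might paste in, including a bare
# address with no prefix length (which the WAF API rejects) and a duplicate.
ALLOWED_SOURCES = ["203.0.113.5", "203.0.113.0/24", "198.51.100.7/32", "203.0.113.5/32"]


def normalize_cidrs(addresses, version=4):
    """Return a sorted, de-duplicated list of CIDR strings of one IP version.

    The WAF IPSet API only accepts CIDR notation and one address family per
    set, so a bare host becomes /32 (or /128) and mixed families are rejected.
    """
    nets = set()
    for a in addresses:
        net = ipaddress.ip_network(a.strip(), strict=False)  # 203.0.113.5 -> 203.0.113.5/32
        if net.version != version:
            raise ValueError(f"{a} is IPv{net.version}; this set holds IPv{version}")
        nets.add(net)
    return [str(n) for n in sorted(nets)]


def allow_rule(ip_set_arn, name="AllowOnlyMyIP", priority=0):
    """The single rule from the guide: if the source IP is in the set, Allow."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Allow": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def web_acl_definition(name, ip_set_arn):
    """Web ACL body: the Allow rule first, everything else hits the default Block."""
    return {
        "Name": name,
        "Scope": SCOPE,
        "DefaultAction": {"Block": {}},
        "Rules": [allow_rule(ip_set_arn)],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def apply(distribution_id, addresses, ip_set_name="MyIPWhitelist",
          web_acl_name="CloudFront-IP-Whitelist"):
    """Create the IP set and Web ACL, then attach the ACL to the distribution.

    Needs AWS credentials with wafv2 and cloudfront permissions; returns the
    Web ACL ARN. boto3 is imported lazily so the helpers above run without it.
    """
    import boto3  # assumption: boto3 is installed where this is run

    wafv2 = boto3.client("wafv2", region_name=WAF_REGION)
    ip_set = wafv2.create_ip_set(
        Name=ip_set_name, Scope=SCOPE, IPAddressVersion="IPV4",
        Addresses=normalize_cidrs(addresses),
        Description="Client source IPs allowed to reach the distribution",
    )["Summary"]
    acl = wafv2.create_web_acl(**web_acl_definition(web_acl_name, ip_set["ARN"]))["Summary"]

    # For CloudFront the association is part of the distribution config;
    # wafv2 AssociateWebACL is only for regional resources (ALB, API Gateway, ...).
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    config["WebACLId"] = acl["ARN"]
    cf.update_distribution(Id=distribution_id, DistributionConfig=config,
                           IfMatch=current["ETag"])
    return acl["ARN"]


if __name__ == "__main__":
    # Dry run of the pure helpers; call apply("E1EXAMPLE", ALLOWED_SOURCES) to deploy.
    print(normalize_cidrs(ALLOWED_SOURCES))
    placeholder_arn = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/MyIPWhitelist/example"
    print(web_acl_definition("CloudFront-IP-Whitelist", placeholder_arn)["DefaultAction"])
```

The normalization step is where the most common misconfiguration from the troubleshooting section (a bare address without /32) is caught before it reaches the API, and the empty default Block plus a single Allow rule is exactly the rule logic described above; if you later add a managed rule group, give it a higher priority number than AllowOnlyMyIP or it will never run for whitelisted clients.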
Step 3: Verify AWS WAF Is Working
Method 1: Test Using curl
Test from a Whitelisted IP
curl -I https://example.com/
Expected Response
HTTP/2 200
The status line shows the request was served, so the client's source IP matched the Allow rule. HTTP/2 status lines carry no reason phrase, so curl prints 200 rather than 200 OK. If your origin rejects HEAD requests, use curl -s -o /dev/null -w '%{http_code}\n' https://example.com/ instead; WAF evaluates the source IP the same way for every method.
Test from a Non-Whitelisted IP
Run the same command from a network whose public egress address is not in the IP set, for example a mobile hotspot, a VPN exit, or an EC2 instance. Binding curl to another local interface with --interface eth1 is only a valid test if that interface leaves through a different public IP:
curl -I https://example.com/
Expected Response
HTTP/2 403
CloudFront returns a generic 403 for requests the Web ACL blocks. An origin can return 403 for its own reasons, so confirm the block in the Web ACL's sampled requests or in the WAF logs rather than trusting the status code alone.
Method 2: Check AWS WAF Logs
- Open the AWS WAF console
- Select the Web ACL → Logging and metrics → 「Enable」
- Choose a destination: a CloudWatch Logs log group (its name must start with aws-waf-logs-), an S3 bucket, or a Kinesis Data Firehose stream
- Query the blocked records (for CloudWatch Logs, a Logs Insights query such as filter action = "BLOCK" | stats count() by httpRequest.clientIp) to confirm that non-whitelisted IPs are blocked by the default action
Log Contents Include:
- Request source IP (httpRequest.clientIp) and country
- Request timestamp (epoch milliseconds)
- Matched rule (terminatingRuleId; a request blocked by the default action shows Default_Action)
- Action taken (ALLOW / BLOCK)
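A small log check that answers the two questions the logs are meant to answer: which source IPs are hitting the default Block, and did every ALLOW come from the whitelist rule rather than from some other rule added later. This is an added example, not part of the original article; the five records are constructed samples written in the documented WAF log field layout, and the IPs, URIs, Web ACL ARN and rule names are placeholders.

```python
"""Summarize AWS WAF log records to confirm the whitelist is doing its job.

Added example (not part of the original article). It parses WAF's JSON log
records (the format delivered to CloudWatch Logs, S3 or Firehose) and reports
which client IPs were blocked by the default action, and flags any request
allowed by a rule other than the whitelist rule. The records below are
constructed samples; IPs, URIs and IDs are placeholders.
"""
import json
from collections import Counter
from datetime import datetime, timezone

WEB_ACL_ID = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/CloudFront-IP-Whitelist/example"


def _rec(ts_ms, ip, uri, action, rule_id, rule_type):
    """Build one constructed WAF log line with the documented top-level fields."""
    return json.dumps({
        "timestamp": ts_ms,
        "formatVersion": 1,
        "webaclId": WEB_ACL_ID,
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,
        "httpSourceName": "CF",
        "httpSourceId": "E1EXAMPLE",
        "ruleGroupList": [],
        "rateBasedRuleList": [],
        "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri,
                        "httpMethod": "GET", "httpVersion": "HTTP/2.0",
                        "headers": [{"name": "Host", "value": "example.com"}]},
    })


# Constructed sample log lines: one allowed partner request, three scans from
# addresses outside the IP set (blocked by the default action), and one request
# let through by a different Allow rule that somebody added to the Web ACL.
SAMPLE_LOG_LINES = [
    _rec(1700000000000, "203.0.113.5", "/api/health", "ALLOW", "AllowOnlyMyIP", "REGULAR"),
    _rec(1700000001000, "198.51.100.23", "/.env", "BLOCK", "Default_Action", "REGULAR"),
    _rec(1700000002000, "198.51.100.23", "/wp-login.php", "BLOCK", "Default_Action", "REGULAR"),
    _rec(1700000003000, "192.0.2.77", "/api/admin", "BLOCK", "Default_Action", "REGULAR"),
    _rec(1700000004000, "192.0.2.9", "/api/admin", "ALLOW", "AllowFromVpn", "REGULAR"),
]


def parse_waf_records(lines):
    """Yield (utc_time, client_ip, uri, action, terminating_rule) from raw JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        r = json.loads(line)
        yield (
            datetime.fromtimestamp(r["timestamp"] / 1000, tz=timezone.utc),
            r["httpRequest"]["clientIp"],
            r["httpRequest"].get("uri", ""),
            r["action"],
            r["terminatingRuleId"],
        )


def summarize(lines, allow_rule="AllowOnlyMyIP"):
    """Count BLOCK/ALLOW per source IP and list ALLOWs not produced by the whitelist rule."""
    blocked, allowed, unexpected_allows = Counter(), Counter(), []
    for _, ip, uri, action, rule in parse_waf_records(lines):
        if action == "BLOCK":
            blocked[ip] += 1
        elif action == "ALLOW":
            allowed[ip] += 1
            if rule != allow_rule:
                unexpected_allows.append((ip, uri, rule))
    return {"blocked": dict(blocked), "allowed": dict(allowed),
            "unexpected_allows": unexpected_allows}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG_LINES)
    for ip, n in sorted(result["blocked"].items(), key=lambda kv: -kv[1]):
        print(f"BLOCKED {n:3d}  {ip}")
    for ip, n in result["allowed"].items():
        print(f"ALLOWED {n:3d}  {ip}")
    if result["unexpected_allows"]:
        print("allowed by something other than the whitelist rule:", result["unexpected_allows"])
```

Run it against a file of real records with summarize(open("waf.log")) once logging is delivering; the unexpected_allows list is the one to watch over time, because an extra Allow rule with a lower priority number than AllowOnlyMyIP silently widens the whitelist without touching the IP set.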
AWS WAF Cost Estimation
AWS WAF Pricing Structure:
- Web ACL (Web Access Control List): $5.00 per Web ACL per month
- Rules: $1.00 per rule per month
- Requests: $0.60 per million requests
Cost Estimation Example:
Assuming you use one Web ACL with one IP whitelist rule, processing 10 million requests per month, the cost would be:
- Web ACL: $5.00/month
- Rule: $1.00/month
- Requests: $0.60 × 10 = $6.00/month
Total: Approximately $12.00/month
Note: Pricing may change according to AWS pricing policies. Please refer to official pricing for the latest estimates.
Common Issues and Solutions
Issue 1: Whitelisted IP Still Blocked
Possible Causes:
- Incorrect IP format in the IP set (the API requires CIDR notation, so a single address needs /32, or /128 for IPv6)
- The client's real public IP is not the one you added (NAT, a corporate proxy, or a VPN puts a different egress address on the request)
- WAF rule priority misconfigured (a Block rule or managed rule group runs before the Allow rule and terminates evaluation)
- WAF changes not yet propagated to all edge locations (wait 3-5 minutes)
Solutions:
- Verify the IP set format: a single IP is x.x.x.x/32, a range is x.x.x.0/24
- Confirm the egress address from the client itself, for example with curl https://checkip.amazonaws.com, before adding it
- Check rule order: the Allow rule must have a lower priority number (run earlier) than any Block rule or rule group
- Wait 5 minutes and retest; the Web ACL's sampled requests view shows which rule terminated each request
Issue 2: WAF Logs Not Showing Block Records
Possible Causes:
- WAF logging not enabled on the Web ACL (it is off by default and configured per Web ACL)
- The CloudWatch Logs log group name does not start with aws-waf-logs-, so WAF does not accept it as a destination
- CloudWatch Logs permission issues (the resource policy that lets the WAF service write to the log group is missing)
- Looking in the wrong region: logs for a CloudFront Web ACL are delivered to a log group in us-east-1
Solutions:
- Enable 「Logging」 in the Web ACL settings and pick a destination whose name carries the aws-waf-logs- prefix
- Verify the CloudWatch Logs resource policy allows the WAF service to write to the log group
- Send a known-blocked request and check again after a minute or two; log delivery is not instantaneous
Issue 3: How to Configure Whitelist for Dynamic IP Environments?
Solutions:
- Use a scheduled AWS Lambda function (or any cron job) to update the IP set through the UpdateIPSet API; each update must carry the set's current LockToken, which WAF uses to reject stale concurrent writes
- Route those clients through a VPN or NAT gateway with a fixed egress IP, so the whitelist only has to contain that one address
- Use alternative authentication methods (API keys, JWT tokens, or CloudFront signed URLs and signed cookies) instead of, or in addition to, source-IP restrictions
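The scheduled update from the first solution, as an added example that is not from the original article: a routine a Lambda or cron job can run to bring the IP set into line with a current list of addresses, using the LockToken handshake the UpdateIPSet API requires. The IP set name is the one used in the guide; desired_sources() is a placeholder for wherever your real address list comes from, and the current/desired lists in the dry run are constructed samples. Only sync_ip_set() needs boto3 and AWS credentials.

```python
"""Keep a CloudFront IP set in sync with a dynamic source of addresses.

Added example (not from the original article). plan_update() is the pure
comparison; sync_ip_set() reads the set, computes the change, and writes it
back with the LockToken so a concurrent console edit is not overwritten.
The IP set name is the guide's; desired_sources() is a placeholder.
"""
import ipaddress

WAF_REGION = "us-east-1"  # CloudFront-scoped IP sets live only here
SCOPE = "CLOUDFRONT"


def plan_update(current, desired):
    """Compare what WAF holds with what we want, both normalized to CIDR.

    Returns (new_address_list, added, removed). UpdateIPSet replaces the whole
    list, so the caller sends new_address_list; added/removed are for logging.
    """
    cur = {str(ipaddress.ip_network(a, strict=False)) for a in current}
    want = {str(ipaddress.ip_network(a, strict=False)) for a in desired}
    return sorted(want), sorted(want - cur), sorted(cur - want)


def sync_ip_set(desired, name="MyIPWhitelist", ip_set_id=None):
    """Push the desired list to the named IP set using its LockToken.

    WAF rejects an update whose LockToken is stale, so an edit made between
    our read and our write makes the call fail instead of silently clobbering
    it; a scheduled job simply retries on the next run.
    """
    import boto3  # assumption: boto3 is available in the Lambda/cron environment

    wafv2 = boto3.client("wafv2", region_name=WAF_REGION)
    if ip_set_id is None:
        # Small accounts fit in one page; add NextMarker paging if you have many sets.
        summary = next(s for s in wafv2.list_ip_sets(Scope=SCOPE)["IPSets"] if s["Name"] == name)
        ip_set_id = summary["Id"]
    current = wafv2.get_ip_set(Name=name, Scope=SCOPE, Id=ip_set_id)
    new_list, added, removed = plan_update(current["IPSet"]["Addresses"], desired)
    if not added and not removed:
        return added, removed  # nothing to do: no write, no LockToken churn
    if not new_list:
        # With a Block default action an empty IP set locks everyone out.
        raise RuntimeError("refusing to empty the whitelist; check desired_sources()")
    wafv2.update_ip_set(Name=name, Scope=SCOPE, Id=ip_set_id,
                        Addresses=new_list, LockToken=current["LockToken"])
    return added, removed


def desired_sources():
    """Placeholder: return the current partner/office egress addresses.

    In practice this reads a parameter, resolves a VPN gateway's DNS name, or
    fetches a partner's published range; here it is a constructed sample.
    """
    return ["203.0.113.0/24", "198.51.100.7"]


def lambda_handler(event, context):
    """Entry point for a scheduled Lambda (EventBridge rule every N minutes)."""
    added, removed = sync_ip_set(desired_sources())
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    # Dry run of the planning step against a constructed "current" list.
    print(plan_update(["203.0.113.0/24", "192.0.2.10/32"], desired_sources()))
```

The refusal to write an empty list is deliberate: a bug in the address source (an empty response, a failed DNS lookup) must not turn a whitelist into a total outage. Pair the job with an alarm on the WAF BlockedRequests metric so a bad update is noticed quickly.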
Conclusion
Through this guide, you have completed:
- Queried CloudFront source IPs and understood the difference between CloudFront and client IPs
- Configured AWS WAF to restrict IP access to CloudFront using Web ACL + IP Set for security
- Verified WAF rules are working, ensuring non-whitelisted IPs receive 403 Forbidden
- Understood AWS WAF cost structure to predict usage costs
- Learned common issues and solutions to avoid configuration errors
Security Reminders:
- Regularly review and update whitelist IPs, removing unused IPs
- Combine with other security measures (like SSL/TLS, API authentication) to build multi-layered protection
- Monitor WAF logs to detect abnormal access attempts promptly