[AWS] Control ALB to only allow access from CloudFront

If we want the ALB to accept traffic only from CloudFront, and NOT directly from the public internet, we can add a custom header in CloudFront. In the ALB, we set a conditional rule that checks for the custom header; if the custom header is missing, the request is rejected.
CloudFront: set a custom header:

ALB: set listener rule:

If the custom header matches, forward the request to the target group.
If it does not match, return a 503 response.
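
An added example, not part of the original post: a Python check over the rule list that `describe-rules` returns for the listener, flagging any rule that forwards to a target group without requiring the custom header. The header name `X-Origin-Verify`, the ARN and the rule data are constructed placeholders.

```python
# Added example: audits rules in the shape returned by elbv2 describe_rules.
# HEADER, TG and the sample rules are constructed placeholders (assumptions).
HEADER = "X-Origin-Verify"
TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/example/PLACEHOLDER"

def audit_listener_rules(rules, header_name):
    """Return findings for rules that forward traffic without the custom header."""
    findings = []
    for rule in rules:
        if not any(a["Type"] == "forward" for a in rule.get("Actions", [])):
            continue  # fixed-response and redirect rules never reach the targets
        label = "default rule" if rule.get("IsDefault") else f"rule priority {rule.get('Priority')}"
        if rule.get("IsDefault"):
            # The default rule has no conditions, so a forward here serves everyone.
            findings.append(f"{label}: forwards unconditionally; use a fixed-response 503")
            continue
        values = [
            v for c in rule.get("Conditions", [])
            if c.get("Field") == "http-header"
            and c["HttpHeaderConfig"]["HttpHeaderName"].lower() == header_name.lower()
            for v in c["HttpHeaderConfig"]["Values"]
        ]
        if not values:
            findings.append(f"{label}: forwards without checking {header_name}")
        elif any(set(v) <= set("*?") for v in values):
            findings.append(f"{label}: {header_name} value is only wildcards")
    return findings

def header_rule(value):
    # Forward only when the custom header carries the expected value.
    return {"Priority": "1", "IsDefault": False,
            "Conditions": [{"Field": "http-header", "HttpHeaderConfig":
                            {"HttpHeaderName": HEADER, "Values": [value]}}],
            "Actions": [{"Type": "forward", "TargetGroupArn": TG}]}

def default_rule(action):
    return {"Priority": "default", "IsDefault": True,
            "Conditions": [], "Actions": [action]}

FIXED_503 = {"Type": "fixed-response", "FixedResponseConfig": {"StatusCode": "503"}}
GOOD = [header_rule("constructed-secret-value"), default_rule(FIXED_503)]
BAD = [header_rule("*"), default_rule({"Type": "forward", "TargetGroupArn": TG})]

if __name__ == "__main__":
    print("good listener:", audit_listener_rules(GOOD, HEADER))
    print("bad listener:", audit_listener_rules(BAD, HEADER))
```

The header value acts as a shared secret between CloudFront and the ALB, so treat it like a credential and rotate it.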
--
The ALB cannot be placed in a private subnet; it has to be in a public subnet because CloudFront cannot access a private subnet.
 
                    
                
 
                
            