Table of Contents
- 1. Introduction
- 2. How to create CloudFront distribution and web ACL with ALB
- 3. Created resources
- 4. Conclusion
1. Introduction
As of November 15th, 2024, you can create a CloudFront distribution and a web ACL at the same time as you create an ALB.
A feature to create a web ACL together with an ALB was released earlier; now a CloudFront distribution can be created in the same step as well.
AWS Application Load Balancer announces CloudFront integration with built-in WAF
2. How to create CloudFront distribution and web ACL with ALB
When you open the page to create an ALB, the [Amazon CloudFront + AWS Web Application Firewall (WAF)] section appears below [Optimize with service integrations]. Check the [Apply application layer acceleration and security protections - in front of the load balancer] checkbox to create a new CloudFront distribution and web ACL.
When you check the [Apply application layer acceleration and security protections - in front of the load balancer] checkbox, another checkbox labeled [Add a security group to your load balancer to ensure your HTTP listener allows inbound traffic originating from CloudFront.] appears. This option creates a security group with an inbound rule so that the ALB only accepts traffic from CloudFront. If CloudFront is the entry point in front of the ALB, allowing access to the ALB only from CloudFront is a best practice, as the AWS page states.
The security group is only created if you also check the [Add a security group to your load balancer to ensure your HTTP listener allows inbound traffic originating from CloudFront.] checkbox. If you do not need the inbound rule, or plan to add the same rule to your own security group, you do not have to check it.
In the earlier feature that creates or attaches a web ACL to a new ALB, you could attach an existing web ACL. That is not possible with this feature, because it creates a new CloudFront distribution and attaches a newly created web ACL to that distribution.
3. Created resources
While creating the resources is easy, it is somewhat harder to figure out where and which resources this feature created. This section gives an overview of the ALB, CloudFront distribution, web ACL and security group.
After creating the ALB, you can see information about the CloudFront distribution and the security group under the [Amazon CloudFront + AWS Web Application Firewall (WAF)] section in the Integrations tab.
Clicking the link whose text starts with "sg-" opens the security group the feature created. It has one inbound rule that allows access to the ALB only from CloudFront's prefix list, a managed prefix list that AWS maintains and that contains CloudFront's origin-facing IP addresses. Note that this prefix list covers CloudFront as a whole, not just your distribution: any CloudFront distribution, including one in another account, can reach the ALB through it, so the rule stops direct access from the internet but is not on its own a guarantee that requests passed your web ACL.
*You can also see the associated security groups on the Security tab.
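To verify that an ALB's security group really only admits CloudFront traffic (the point of the rule described above), the following script checks every ingress rule against the CloudFront prefix list and reports any other source, such as a leftover 0.0.0.0/0 rule that would let requests bypass CloudFront and the web ACL. This is an added example for this article, not AWS console code; the rule records follow the shape returned by `describe_security_group_rules`, but the sample rules and the `pl-` ID are constructed (real prefix-list IDs differ per account and region), and the helper names are my own.

```python
"""Audit an ALB security group: ingress should come only from the CloudFront
origin-facing managed prefix list (com.amazonaws.global.cloudfront.origin-facing).

Added example for this article (not AWS console code). Rule dicts follow the shape
returned by ec2.describe_security_group_rules(); the sample rules and prefix-list ID
below are constructed, since real prefix-list IDs (pl-...) differ per account/region.
"""
import sys

CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"

# Constructed sample (assumption): a pl- ID standing in for the CloudFront prefix list.
SAMPLE_PREFIX_LIST_ID = "pl-0123456789abcdef0"

SAMPLE_RULES = [
    # The rule the console feature creates: HTTP from the CloudFront prefix list only.
    {"SecurityGroupRuleId": "sgr-0aaa", "IsEgress": False, "IpProtocol": "tcp",
     "FromPort": 80, "ToPort": 80, "PrefixListId": SAMPLE_PREFIX_LIST_ID},
    # A leftover rule that lets anyone bypass CloudFront and the web ACL.
    {"SecurityGroupRuleId": "sgr-0bbb", "IsEgress": False, "IpProtocol": "tcp",
     "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0"},
    # Egress is not relevant to this check.
    {"SecurityGroupRuleId": "sgr-0ccc", "IsEgress": True, "IpProtocol": "-1",
     "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
]


def rule_source(rule):
    """Human-readable source of an ingress rule (prefix list, CIDR or referenced SG)."""
    return (rule.get("PrefixListId") or rule.get("CidrIpv4") or rule.get("CidrIpv6")
            or rule.get("ReferencedGroupInfo", {}).get("GroupId"))


def audit_alb_ingress(rules, cloudfront_prefix_list_id):
    """Split ingress rules into rule IDs sourced from the CloudFront prefix list and
    findings: any other ingress source, which would let traffic reach the ALB
    without passing through CloudFront (and therefore without passing the web ACL)."""
    compliant, findings = [], []
    for rule in rules:
        if rule.get("IsEgress"):
            continue
        if rule.get("PrefixListId") == cloudfront_prefix_list_id:
            compliant.append(rule["SecurityGroupRuleId"])
        else:
            findings.append({
                "rule": rule["SecurityGroupRuleId"],
                "source": rule_source(rule),
                "ports": (rule.get("FromPort"), rule.get("ToPort")),
            })
    return compliant, findings


def fetch_live(group_id, region):
    """Pull real rules with boto3 (needs credentials; not used by the offline sample).
    Resolves the CloudFront prefix-list ID from its managed name first."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    pls = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}]
    )["PrefixLists"]
    rules = ec2.describe_security_group_rules(
        Filters=[{"Name": "group-id", "Values": [group_id]}]
    )["SecurityGroupRules"]
    return rules, pls[0]["PrefixListId"]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py sg-xxxxxxxx ap-northeast-1
        rules, pl_id = fetch_live(sys.argv[1], sys.argv[2])
    else:
        rules, pl_id = SAMPLE_RULES, SAMPLE_PREFIX_LIST_ID
    ok, bad = audit_alb_ingress(rules, pl_id)
    print("CloudFront-only ingress rules:", ok)
    for f in bad:
        print(f"FINDING {f['rule']}: ingress from {f['source']} on ports {f['ports']}")
```

Run without arguments to see the constructed sample flagged, or with a security group ID and region to audit a real group. One quota caveat when you add this rule yourself: the CloudFront managed prefix list has a weight of 55 against the security group's inbound-rule quota (60 by default), so a security group holding it has room for very few other rules.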
If you click the security dashboard link, CloudFront's security dashboard opens. From this page you can see which protections are enabled, configure CloudFront geographic restrictions, and edit AWS WAF's logging settings.
Note that no link to the web ACL itself is provided.
If you enable logging from CloudFront's security dashboard, CloudWatch Logs is selected automatically as the destination. To send WAF logs to an S3 bucket or to Data Firehose instead, enable logging from the web ACL's own logging settings.
Some request fields are also redacted from the logs by default.
As noted above, no link to the web ACL is provided. To find it, open the AWS WAF console, switch the region to [CloudFront (Global)], and look for a web ACL whose name starts with [CreatedByALB-].
*The name ends with a unique alphanumeric suffix.
If several web ACLs have similar names, open each one and check [Associated AWS resources] to see which CloudFront distribution it is associated with.
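Clicking through each CreatedByALB- web ACL in the console does not scale once several ALBs have used this feature. The script below does the same lookup programmatically: it picks out the CLOUDFRONT-scope web ACLs with that name prefix and maps each to the distribution that references its ARN and to the ALB origin behind that distribution; an ACL with no match is one that is no longer associated with any distribution. This is an added example for this article, not AWS tooling; the record shapes follow `wafv2.list_web_acls(Scope="CLOUDFRONT")` and `cloudfront.list_distributions()`, and all sample records, IDs and hostnames are constructed.

```python
"""Locate the web ACLs this feature creates (names starting "CreatedByALB-" in the
CLOUDFRONT scope) and map each to the distribution using it and the origin behind it.

Added example for this article, not AWS tooling. Record shapes follow
wafv2.list_web_acls(Scope="CLOUDFRONT") and cloudfront.list_distributions();
every sample record, ID and hostname below is constructed.
"""

WEB_ACL_NAME_PREFIX = "CreatedByALB-"

# Constructed: what the WAF console lists under the "CloudFront (Global)" region.
SAMPLE_WEB_ACLS = [
    {"Name": "CreatedByALB-a1b2c3d4", "Id": "11111111-1111-1111-1111-111111111111",
     "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/CreatedByALB-a1b2c3d4/11111111-1111-1111-1111-111111111111"},
    {"Name": "CreatedByALB-e5f6a7b8", "Id": "22222222-2222-2222-2222-222222222222",
     "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/CreatedByALB-e5f6a7b8/22222222-2222-2222-2222-222222222222"},
    {"Name": "manually-created-acl", "Id": "33333333-3333-3333-3333-333333333333",
     "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/manually-created-acl/33333333-3333-3333-3333-333333333333"},
]

# Constructed: a distribution's WebACLId holds the WAFv2 web ACL ARN (empty when none).
SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1AAAAAAAAAAAA", "DomainName": "d111111abcdef8.cloudfront.net",
     "WebACLId": SAMPLE_WEB_ACLS[0]["ARN"],
     "Origins": {"Items": [{"Id": "alb-origin",
                            "DomainName": "my-alb-1234567890.ap-northeast-1.elb.amazonaws.com"}]}},
    {"Id": "E2BBBBBBBBBBBB", "DomainName": "d222222abcdef8.cloudfront.net",
     "WebACLId": "",
     "Origins": {"Items": [{"Id": "s3-origin", "DomainName": "static-site.s3.amazonaws.com"}]}},
]


def map_created_by_alb(web_acls, distributions):
    """Return {web ACL name: [{distribution, cloudfront_domain, origins}, ...]} for every
    CreatedByALB- web ACL. An empty list means the ACL is not associated with any
    distribution, e.g. one left behind after its distribution was removed."""
    arn_to_name = {acl["ARN"]: acl["Name"] for acl in web_acls
                   if acl["Name"].startswith(WEB_ACL_NAME_PREFIX)}
    result = {name: [] for name in arn_to_name.values()}
    for dist in distributions:
        name = arn_to_name.get(dist.get("WebACLId") or "")
        if name is None:
            continue
        result[name].append({
            "distribution": dist["Id"],
            "cloudfront_domain": dist["DomainName"],
            "origins": [o["DomainName"] for o in dist["Origins"]["Items"]],
        })
    return result


def fetch_live():
    """Live variant with boto3 (credentials required). CLOUDFRONT-scope web ACLs
    are served from us-east-1 regardless of where the ALB lives."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    cf = boto3.client("cloudfront")
    acls = wafv2.list_web_acls(Scope="CLOUDFRONT")["WebACLs"]
    dists = []
    for page in cf.get_paginator("list_distributions").paginate():
        dists.extend(page.get("DistributionList", {}).get("Items", []))
    return acls, dists


if __name__ == "__main__":
    import sys
    acls, dists = fetch_live() if "--live" in sys.argv else (SAMPLE_WEB_ACLS, SAMPLE_DISTRIBUTIONS)
    for name, uses in map_created_by_alb(acls, dists).items():
        if not uses:
            print(f"{name}: not associated with any distribution")
        for u in uses:
            print(f"{name}: {u['distribution']} ({u['cloudfront_domain']}) -> {', '.join(u['origins'])}")
```

Without arguments the script runs on the constructed sample and reports the second ACL as unassociated; with `--live` it queries your account. The origin hostname is the quickest way to tell which ALB a given CreatedByALB- web ACL belongs to.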
4. Conclusion
Following the earlier release of a feature that creates a web ACL in one click, another feature that creates a CloudFront distribution and a web ACL in one click has now been released.
If you plan to use a CloudFront distribution together with an ALB, this feature lets you create both at once. CloudFront is a CDN that speeds up content delivery; in addition, it can reduce the load on the origin and improve security by filtering requests before they reach it. Weigh the cost against these benefits, but with so many of them it is a good opportunity to consider it.
However, managing the created resources can be challenging. Some resources are named automatically, so if resource management, including naming conventions, matters to you, you may prefer to create each resource manually.