Whitelist EC2 instances in ASG to access AWS WAF


I have a CloudFront Distribution with WAF (Web Application Firewall) attached to it, to restrict public access. I also have a fleet of EC2 instances running under an ASG (Auto Scaling Group) and I wish to whitelist the EC2 instances to access the CloudFront distribution. Is it possible to create such a configuration in my infrastructure?

Please note that the IP addresses of the EC2 instances are not fixed. They are controlled by the ASG attached. Also, the ASG is created in a public subnet. Any help would be appreciated. Thanks


You would have to trigger some sort of script every time the ASG adds an instance, to add the instance's public IP to the WAF.

I would suggest moving the EC2 instances to private subnets with routes to NAT gateways, then you would only have to whitelist the Elastic IPs of the NAT Gateway(s).
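The first approach in the answer (a script that runs whenever the ASG changes), as an added example that is not code from the answer or from AWS. It is a Lambda handler for the EventBridge events "EC2 Instance Launch Successful" and "EC2 Instance Terminate Successful" that rebuilds a WAFv2 IP set from the group's current InService instances instead of patching one address per event: a terminated instance's public IP is already gone from EC2 by the time the event arrives, and two launches close together would otherwise race. The IP set name and id are placeholders, the group name "web-asg" and the Fake* classes are constructed stand-ins so the logic runs offline without boto3, and the IPs are from documentation ranges.

```python
"""Keep a WAFv2 IP set equal to the public IPs of an ASG's InService instances.
Added example; IP set name/id are placeholders, Fake* classes are constructed
stand-ins for boto3 clients so the logic can be exercised offline."""
import ipaddress
from typing import Any, Optional

IP_SET_NAME = "asg-instances"                           # placeholder
IP_SET_ID = "00000000-0000-0000-0000-000000000000"      # placeholder
IP_SET_SCOPE = "CLOUDFRONT"  # CloudFront web ACL resources are managed in us-east-1


def to_cidr(ip: str) -> str:
    """WAFv2 IP sets hold CIDR strings, not bare addresses."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/32" if addr.version == 4 else f"{addr}/128"


def desired_addresses(asg: Any, ec2: Any, group_name: str) -> list[str]:
    """Full allow-list derived from the ASG membership, sorted for stable comparison."""
    groups = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[group_name])
    ids = [i["InstanceId"] for g in groups["AutoScalingGroups"]
           for i in g["Instances"] if i["LifecycleState"] == "InService"]
    if not ids:
        return []  # scaled to zero: the set must become empty, not stay stale
    cidrs = set()
    for res in ec2.describe_instances(InstanceIds=ids)["Reservations"]:
        for inst in res["Instances"]:
            if inst.get("PublicIpAddress"):  # absent when the instance has no public IP
                cidrs.add(to_cidr(inst["PublicIpAddress"]))
    return sorted(cidrs)


def sync_ip_set(wafv2: Any, addresses: list[str], retries: int = 3) -> bool:
    """Overwrite the IP set; returns True if a write was needed.
    The LockToken gives optimistic locking: if another invocation wrote the set
    between our read and write, WAF rejects the update and we re-read instead of
    clobbering the other writer's change."""
    for _ in range(retries):
        cur = wafv2.get_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID)
        if sorted(cur["IPSet"]["Addresses"]) == addresses:
            return False
        try:
            wafv2.update_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID,
                                Addresses=addresses, LockToken=cur["LockToken"])
            return True
        except wafv2.exceptions.WAFOptimisticLockException:
            continue  # lost the race; loop re-reads the current token
    raise RuntimeError("IP set update kept losing the lock race")


def handler(event: dict, context: Any = None, clients: Optional[dict] = None) -> dict:
    """Lambda entry point; `clients` lets callers inject stand-ins for boto3."""
    if clients is None:
        import boto3  # imported lazily so the module loads without the SDK
        clients = {"asg": boto3.client("autoscaling"), "ec2": boto3.client("ec2"),
                   "wafv2": boto3.client("wafv2", region_name="us-east-1")}
    group = event["detail"]["AutoScalingGroupName"]
    addresses = desired_addresses(clients["asg"], clients["ec2"], group)
    return {"group": group, "addresses": addresses,
            "changed": sync_ip_set(clients["wafv2"], addresses)}


# Constructed stand-ins for the three boto3 clients (offline demo only).
class FakeAsg:
    def __init__(self, states): self.states = states  # {instance id: LifecycleState}
    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [{"Instances": [
            {"InstanceId": i, "LifecycleState": s} for i, s in self.states.items()]}]}

class FakeEc2:
    def __init__(self, ips): self.ips = ips  # {instance id: public IP or None}
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, **({"PublicIpAddress": self.ips[i]} if self.ips[i] else {})}
            for i in InstanceIds]}]}

class FakeWaf:
    class exceptions:
        class WAFOptimisticLockException(Exception): pass
    def __init__(self, addresses, conflicts=0):
        self.addresses, self.token, self.updates, self.conflicts = list(addresses), 0, 0, conflicts
    def get_ip_set(self, **_):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": str(self.token)}
    def update_ip_set(self, Addresses, LockToken, **_):
        if self.conflicts or LockToken != str(self.token):  # simulate a concurrent writer
            self.conflicts, self.token = max(self.conflicts - 1, 0), self.token + 1
            raise self.exceptions.WAFOptimisticLockException()
        self.addresses, self.token, self.updates = list(Addresses), self.token + 1, self.updates + 1


def run_demo() -> dict:
    """Constructed scenario: i-1/i-2 InService, i-3 still Pending, set holds a retired IP."""
    clients = {"asg": FakeAsg({"i-1": "InService", "i-2": "InService", "i-3": "Pending"}),
               "ec2": FakeEc2({"i-1": "203.0.113.10", "i-2": "203.0.113.11", "i-3": "203.0.113.12"}),
               "wafv2": FakeWaf(["198.51.100.7/32"])}
    event = {"detail-type": "EC2 Instance Launch Successful",
             "detail": {"AutoScalingGroupName": "web-asg", "EC2InstanceId": "i-2"}}
    first = handler(event, clients=clients)
    second = handler(event, clients=clients)  # same membership: no second write
    return {"first": first, "second": second, "updates": clients["wafv2"].updates}
```

The Lambda's role needs autoscaling:DescribeAutoScalingGroups, ec2:DescribeInstances, wafv2:GetIPSet and wafv2:UpdateIPSet, and the wafv2 calls must go to us-east-1 because the IP set is CLOUDFRONT-scoped. With the answer's second suggestion (private subnets behind NAT gateways) none of this is needed: the IP set holds the NAT Elastic IPs and never changes when the group scales.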