I have a CloudFront Distribution with WAF (Web Application Firewall) attached to it, to restrict public access. I also have a fleet of EC2 instances running under an ASG (Auto Scaling Group) and I wish to whitelist the EC2 instances to access the CloudFront distribution. Is it possible to create such a configuration in my infrastructure?

Please note that the IP addresses of the EC2 instances are not fixed. They are controlled by the ASG attached. Also, the ASG is created in a public subnet. Any help would be appreciated. Thanks
You would have to trigger some sort of script every time the ASG adds an instance, to add the instance's public IP to the WAF.

I would suggest moving the EC2 instances to private subnets with routes to NAT gateways, then you would only have to whitelist the Elastic IPs of the NAT Gateway(s).
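One way to implement the first suggestion, as an added example that is not part of the answer above: a Lambda function, triggered by the group's "EC2 Instance Launch Successful" / "EC2 Instance Terminate Successful" EventBridge events, that resyncs a CLOUDFRONT-scoped WAFv2 IP set with the group's current public IPs. The IP set name and ID, the group name and the static NAT addresses are placeholders; it also keeps any fixed NAT gateway Elastic IPs in the set, covering the second suggestion.

```python
"""Keep a WAF IP set in sync with the public IPs of an Auto Scaling group (added example)."""
import ipaddress

# Placeholders: a CLOUDFRONT-scoped IP set (these live in us-east-1) and the group to track.
IP_SET_NAME = "asg-instances-ipset"
IP_SET_ID = "00000000-0000-0000-0000-000000000000"
ASG_NAME = "my-asg"
# Constructed sample: addresses that must always stay allowed, e.g. NAT gateway Elastic IPs.
STATIC_ALLOW = ["203.0.113.10/32"]


def to_cidr(addr):
    """Normalise a bare address or CIDR to the canonical form WAF stores (e.g. 10.0.0.5 -> 10.0.0.5/32)."""
    return str(ipaddress.ip_network(addr, strict=False))


def desired_addresses(live_public_ips, static=STATIC_ALLOW):
    """Everything the set should hold: the static entries plus one /32 per in-service instance."""
    cidrs = {to_cidr(a) for a in static}
    cidrs.update(to_cidr(ip) for ip in live_public_ips if ip)  # instances without a public IP are skipped
    return sorted(cidrs, key=ipaddress.ip_network)  # one IP set holds a single address version


def plan_update(current, live_public_ips):
    """Diff the set's current addresses against what the group needs; returns the change to apply."""
    current_set = {to_cidr(a) for a in current}
    wanted = desired_addresses(live_public_ips)
    return {"addresses": wanted, "add": sorted(set(wanted) - current_set),
            "remove": sorted(current_set - set(wanted)), "changed": set(wanted) != current_set}


def sync_ip_set(asg_name=ASG_NAME):
    """Read live instances and the IP set from AWS, then rewrite the set only if it drifted."""
    import boto3  # imported here so the planning functions above run offline without credentials
    asg, ec2 = boto3.client("autoscaling"), boto3.client("ec2")
    waf = boto3.client("wafv2", region_name="us-east-1")
    groups = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])["AutoScalingGroups"]
    ids = [i["InstanceId"] for g in groups for i in g["Instances"] if i["LifecycleState"] == "InService"]
    live = []
    if ids:
        for r in ec2.describe_instances(InstanceIds=ids)["Reservations"]:
            live += [i.get("PublicIpAddress") for i in r["Instances"]]
    ipset = waf.get_ip_set(Name=IP_SET_NAME, Scope="CLOUDFRONT", Id=IP_SET_ID)
    plan = plan_update(ipset["IPSet"]["Addresses"], live)
    if plan["changed"]:  # LockToken makes the write fail instead of clobbering a concurrent scale event
        waf.update_ip_set(Name=IP_SET_NAME, Scope="CLOUDFRONT", Id=IP_SET_ID,
                          Addresses=plan["addresses"], LockToken=ipset["LockToken"])
    return plan


def lambda_handler(event, context):
    """EventBridge entry point: resync the whole group rather than trusting a single (possibly missed) event."""
    return sync_ip_set(event.get("detail", {}).get("AutoScalingGroupName", ASG_NAME))
```

Resyncing from the group's in-service list on every event means a dropped or out-of-order launch/terminate notification self-heals on the next one, and terminated instances' addresses are removed rather than left allowed.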