I've attached my architecture as shown above. For HA, I've put an ELB in front of my three API ECS instances. For security purposes (such as geo restriction and so on), I want to add CloudFront in front of the ELB, but I don't want caching (the TTL could be set to 0). Please advise. Many thanks.
I would add WAF or CloudFront if the ELB is internet-facing. Please refer to the DDoS whitepaper from AWS, which lists best practices.
CloudFront can be leveraged to protect against all known infrastructure layer attacks.
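
The setup asked about above (CloudFront in front of the ELB, caching off, geo restriction on), written as a CloudFormation sketch; this is an added example, not configuration from either poster. The parameter name, origin ID and country codes are assumptions; the two policy IDs are the AWS managed CachingDisabled and AllViewer policies.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront in front of an internet-facing ELB, no caching, geo allow-list (added example)

Parameters:
  ElbDnsName:              # hypothetical parameter: DNS name of the existing ELB
    Type: String

Resources:
  ApiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: api-elb    # assumed origin ID, referenced by TargetOriginId below
            DomainName: !Ref ElbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: api-elb
          ViewerProtocolPolicy: redirect-to-https
          # An API needs the write methods, not only GET/HEAD
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # AWS managed policy "CachingDisabled": Min/Default/Max TTL are all 0
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          # AWS managed policy "AllViewer": pass all headers, cookies and
          # query strings through to the API unchanged
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist   # allow-list; "blacklist" denies instead
            Locations:                   # constructed sample country codes
              - US
              - SG

Outputs:
  DistributionDomain:
    Value: !GetAtt ApiDistribution.DomainName
```

With AllViewer the viewer's Host header reaches the ELB, so the ELB certificate must cover the name clients use. The geo restriction is only effective if the ELB's security group also rejects traffic that does not arrive through CloudFront.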