I have an ELB which balances some EC2 instances. The ELB exposes the endpoints of the entire system.
Now I am creating a CloudFront distribution over this ELB. Is there a way to allow users to connect ONLY using CloudFront endpoint and refuse direct connections to ELB?
Thanks
With the recent updates, there is a simpler way to achieve this now with prefix lists. In your security group configuration, you can add the CloudFront managed prefix list and never worry about keeping up with the dynamic IP changes, etc.
"The CloudFront managed prefix list contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront's origin-facing servers, preventing any non-CloudFront traffic from reaching your origin." - From AWS Documentation
Here is an example of how to do this - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html#managed-prefix-list
Here is the announcement of this feature - https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
and here are the prefix lists - https://us-west-2.console.aws.amazon.com/vpc/home?region=us-west-2#ManagedPrefixLists
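As an added example (not part of the answer above, and not AWS's own code), here is the same setup expressed in Terraform: the ELB's security group accepts 443 only from the `com.amazonaws.global.cloudfront.origin-facing` managed prefix list instead of `0.0.0.0/0`. One caveat the prefix list alone does not cover: it admits traffic from any CloudFront distribution, including one somebody else points at your ELB, so the example also adds an ALB listener rule that forwards only when a secret custom origin header is present (CloudFront sets it via the distribution origin's custom headers). The VPC id, listener ARN, target group ARN, the header name `X-Origin-Verify` and the security group name are assumed placeholders; the header check requires an Application Load Balancer, a Classic ELB can only get the security-group part.

```hcl
# Added example: lock an ALB down to CloudFront using the managed prefix list,
# then require a secret origin header so only *your* distribution is forwarded.
# All variable values and resource names below are assumed placeholders.

variable "vpc_id"           { type = string }
variable "listener_arn"     { type = string } # existing HTTPS listener on the ALB
variable "target_group_arn" { type = string } # existing target group for the EC2 instances

# AWS-managed prefix list of CloudFront's origin-facing servers (global).
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name        = "alb-cloudfront-only" # assumed name
  description = "HTTPS only from CloudFront origin-facing servers"
  vpc_id      = var.vpc_id
}

# Weak setting this replaces: cidr_blocks = ["0.0.0.0/0"], which is exactly
# what lets a client bypass CloudFront and talk to the ELB directly.
resource "aws_security_group_rule" "https_from_cloudfront_only" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront.id]
}

resource "aws_security_group_rule" "egress_all" {
  type              = "egress"
  security_group_id = aws_security_group.alb.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}

# Shared secret that CloudFront adds as a custom origin header on every
# request to this origin; rotate it by tainting this resource.
resource "random_password" "origin_secret" {
  length  = 32
  special = false
}

# Forward to the instances only when the secret header matches. The listener's
# default action (configured elsewhere) should be a fixed 403 response so that
# requests from other distributions, which pass the prefix-list check, are dropped.
resource "aws_lb_listener_rule" "require_origin_header" {
  listener_arn = var.listener_arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }

  condition {
    http_header {
      http_header_name = "X-Origin-Verify" # assumed header name
      values           = [random_password.origin_secret.result]
    }
  }
}

# Expose the secret so the CloudFront distribution's origin custom_header block
# can be fed the same value (origin configuration not shown here).
output "origin_verify_secret" {
  value     = random_password.origin_secret.result
  sensitive = true
}
```

Two things to check after applying this: the managed prefix list counts as 55 rules against the security group's inbound rule quota (default 60), so a group that already carries several rules may need a quota increase; and confirm the lockdown works by hitting the ELB's own DNS name directly, which should now time out at the security group, while the CloudFront domain still serves the site.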