How to enhance CloudFront origin security of on-premise web servers using third-party firewalls
This post provides a solution to enhance the Amazon CloudFront origin security of on-premises web servers by automating the AWS IP prefix update process for some network firewalls.
CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds—all within a developer-friendly environment. CloudFront peers with thousands of Tier 1/2/3 telecom carriers globally, is well-connected with all major access networks for optimal performance, and has hundreds of terabytes of deployed capacity. CloudFront servers reside at the AWS edge and provide a scalable, reliable, and high-performance security perimeter for applications and content. CloudFront acts as a security “front door”. This means that it only accepts well-formed connections, which prevents many common DDoS attacks, such as SYN floods and UDP reflection attacks from reaching your origin.
For comprehensive protection against network, transport, and application layer DDoS attacks, customers can subscribe to AWS Shield Advanced. Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS Web Application Firewall (AWS WAF). Customers with Business or Enterprise support can also engage the Shield Response Team (SRT) 24×7 to manage and mitigate their application layer DDoS attack. With Automatic Application Layer DDoS mitigation, Shield Advanced can automatically mitigate application layer attacks by creating, evaluating, and deploying custom AWS WAF rules.
CloudFront supports custom origins, which include websites not hosted in AWS. This lets customers extend AWS WAF and Shield Advanced protection capabilities to their data centers. To ensure a DDoS-resilient architecture, customers should limit origin access to CloudFront only, as an attack surface reduction measure. For AWS origins, this can be achieved by using the managed prefix list for CloudFront in a security group. For non-AWS origins, such as an on-premises web server, the perimeter network firewall can be configured to allow inbound access from CloudFront IP addresses only.
Getting and keeping CloudFront origin facing IP prefixes up-to-date
AWS publishes its current IP address ranges in JSON format. The list of CloudFront IP prefixes can be extracted by downloading ip-ranges.json and selecting entries where the service code is CLOUDFRONT_ORIGIN_FACING. You can retrieve and sort the IP prefixes with either of the following commands (a shell pipeline using jq, or the AWS Tools for PowerShell cmdlet), as shown in the following screenshot:
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="CLOUDFRONT_ORIGIN_FACING") | .ip_prefix' | sort -V
(Get-AWSPublicIpAddressRange -ServiceKey CLOUDFRONT_ORIGIN_FACING).IpPrefix
Then, the prefixes can be imported into the firewall policy object used for internet ingress filtering. The CloudFront IP prefixes must be updated whenever they change, so the update has to be done frequently and can be very time consuming when performed by hand. The following solution automates the process for some firewalls.
By subscribing to specific web feeds and downloading updates on a regular basis, the list of CloudFront IP prefixes in firewalls is kept up-to-date.
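As an added example, not code from the post or from the aws-ipranges-api project, the following Python performs the same selection as the two one-liners above against a constructed sample of ip-ranges.json (offline, documentation addresses only), renders it as the one-prefix-per-line text feed that the firewall features described later consume, generalizes the filter to any service key and Region (for example ROUTE53_HEALTHCHECKS), and checks whether a given source address falls inside the resulting allow-list. All function names are hypothetical.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the ip-ranges.json layout (documentation addresses, not
# real AWS ranges); use fetch_ip_ranges() for the live document.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0", "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1"}],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"}],
})

def fetch_ip_ranges(url=IP_RANGES_URL, timeout=10):
    """Download and parse the live ip-ranges.json document."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def load_sample():
    return json.loads(SAMPLE_IP_RANGES)

def prefixes_for(doc, service, version=4, region=None):
    """Sorted, de-duplicated prefixes for one service key (optionally one
    Region): the same selection the jq and PowerShell one-liners perform."""
    key, field = ("prefixes", "ip_prefix") if version == 4 else ("ipv6_prefixes", "ipv6_prefix")
    nets = {ipaddress.ip_network(p[field]) for p in doc.get(key, [])
            if p["service"] == service and region in (None, p["region"])}
    return [str(n) for n in sorted(nets)]

def render_feed(doc, service, version=4):
    """Plain-text feed body, one prefix per line: the format FortiGate threat
    feeds, PAN-OS EDLs and pfSense URL Table aliases expect from the URL."""
    return "".join(p + "\n" for p in prefixes_for(doc, service, version))

def is_allowed_source(doc, client_ip, service="CLOUDFRONT_ORIGIN_FACING"):
    """True if a connecting address lies inside the allow-listed prefixes;
    useful for checking origin access logs against the intended policy."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(p)
               for p in prefixes_for(doc, service, addr.version))
```

Serving render_feed() output from an HTTP endpoint is all the firewalls need; point the feed URL at it exactly as the API Gateway URL is used in the sections that follow.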
AWS CloudFormation template
To begin, download the AWS CloudFormation template for this solution and provision it in your AWS account. You can use the default parameter settings as shown in the following screenshot.
As the solution provisions an API Gateway endpoint that is accessible from the internet, you can restrict it by replacing the [Allowed Networks] parameter value of 0.0.0.0/0 with the IP prefix of your on-premises data center.
After the stack is provisioned, go to the Outputs section of the AWS CloudFormation console and copy the apiGatewayInvokeURL value, as shown in the following screenshot.
Navigating to the URL produces the required list of IP prefixes, as shown in the following screenshot.
The following sections show how we can configure different firewalls to download the CloudFront IP prefixes web feed.
Fortinet firewall: threat feeds
We can use the Fortinet firewall's threat feeds feature to import IP prefixes. From the FortiGate web console, navigate to Security Fabric, External Connectors, select Create New, and select IP Address, as shown in the following screenshot.
Enter the API Gateway URL in URI of external resource, disable HTTP basic authentication (the endpoint is restricted by source network rather than credentials), adjust other settings as needed, and select OK to save.
After you have refreshed the object, verify that the IP prefix entries are populated, as shown in the following screenshot.
Palo Alto Firewall: External Dynamic List
We can use the External Dynamic List (EDL) feature of the Palo Alto firewall. From the PAN-OS web console, go to Objects, External Dynamic Lists, and select Add. For Type, select IP List and enter the API Gateway URL in the Source field, as shown in the following screenshot.
Adjust other settings as needed and select OK. After PAN-OS has downloaded the feed, verify the IP prefix entries, as shown in the following screenshot.
pfSense Firewall: URL Table Alias
The pfSense firewall supports URL Table aliases. From the pfSense web console, navigate to Firewall, Aliases and select Add. Under Type, select URL Table (IPs). In the URL Table (IPs) field, enter your API Gateway URL and change the update frequency to 1 day, as shown in the following screenshot.
Select Save, followed by Apply Changes. Go to Diagnostics, Tables to refresh and view the IP entries in the alias you created, as shown in the following screenshot.
Once you’ve imported the IP prefixes, configure a firewall policy to restrict internet inbound access to your origin by referencing CloudFront IP prefixes as the source.
The following screenshot is an example firewall policy for a Palo Alto firewall that allows CloudFront IP prefixes ingress access to the HTTP and HTTPS ports of an on-premises web server.
The exact configuration will depend on your on-premises setup and security policies.
Other solution features
Besides CloudFront, this solution can return other IP prefixes by Region, network border group, or supported AWS service. For example, you may want to associate Route 53 health checks with an on-premises server for DNS failover. Amazon Route 53 health checkers connect from IP address ranges that must be added to the firewall's allow-list; the corresponding IP prefixes are retrieved from API Gateway with the URL path /SERVICE/ROUTE53_HEALTHCHECKS/ipv4.txt, as shown in the following screenshot.
Refer to the aws-ipranges-api GitHub repository for more information.
Shield Advanced with CloudFront and AWS WAF provides comprehensive DDoS protection and can be used to protect websites hosted outside of AWS. The serverless solution provided in this post lets you secure your on-premises CloudFront origins using network firewalls and keeps the CloudFront IP prefixes in those firewalls up-to-date.