Networking & Content Delivery

How to enhance CloudFront origin security of on-premise web servers using third-party firewalls

This post provides a solution to enhance the Amazon CloudFront origin security of on-premises web servers by automating the AWS IP prefix update process for some network firewalls.

CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds—all within a developer-friendly environment. CloudFront peers with thousands of Tier 1/2/3 telecom carriers globally, is well-connected with all major access networks for optimal performance, and has hundreds of terabytes of deployed capacity. CloudFront servers reside at the AWS edge and provide a scalable, reliable, and high-performance security perimeter for applications and content. CloudFront acts as a security “front door”. This means that it only accepts well-formed connections, which prevents many common DDoS attacks, such as SYN floods and UDP reflection attacks from reaching your origin.

For comprehensive protection against network, transport, and application layer DDoS attacks, customers can subscribe to AWS Shield Advanced. Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS Web Application Firewall (AWS WAF). Customers with Business or Enterprise support can also engage the Shield Response Team (SRT) 24×7 to manage and mitigate their application layer DDoS attack. With Automatic Application Layer DDoS mitigation, Shield Advanced can automatically mitigate application layer attacks by creating, evaluating, and deploying custom AWS WAF rules.

CloudFront supports custom origins, which include websites not hosted in AWS. This allows customers to extend AWS WAF and Shield Advanced protection to their data centers. To ensure a DDoS-resilient architecture, customers should limit origin access to CloudFront only, as an attack surface reduction measure. For AWS origins, this can be achieved by using the managed prefix list for CloudFront in a security group. For non-AWS origins, such as an on-premises web server, the perimeter network firewall can be configured to allow inbound access from CloudFront IP addresses only.

Getting and keeping CloudFront origin facing IP prefixes up-to-date

AWS publishes its current IP address ranges in JSON format. The list of CloudFront IP prefixes can be extracted by downloading ip-ranges.json and selecting the entries whose service code is CLOUDFRONT_ORIGIN_FACING. You can retrieve and sort the IP prefixes with the following command, shown in the screenshot that follows:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select (.service=="CLOUDFRONT_ORIGIN_FACING") | .ip_prefix' | sort -V
Figure 1 Retrieve CloudFront IP prefixes using curl, jq and sort

You can also use AWS Tools for Windows PowerShell, which includes the Get-AWSPublicIpAddressRange cmdlet for parsing the JSON file, with the following command, shown in the screenshot that follows:

(Get-AWSPublicIpAddressRange -ServiceKey CLOUDFRONT_ORIGIN_FACING).IpPrefix
Figure 2 Retrieve CloudFront IP prefixes using AWS Tools for Windows PowerShell

The prefixes can then be imported into the firewall's policy object for internet ingress filtering. Because the CloudFront IP prefixes must be updated whenever they change, the update process has to run frequently and can be very time consuming when done by hand. The following solution automates the process for some firewalls.

Note that if you’re using Check Point firewall, there is native network object support for AWS services via updatable objects.

Solution overview

The solution is a serverless website built on Amazon API Gateway and AWS Lambda that parses ip-ranges.json and then outputs IP prefixes as web feeds as shown in the following architecture diagram.

Figure 3 Solution architecture diagram

By subscribing to specific web feeds and downloading updates on a regular basis, the list of CloudFront IP prefixes in firewalls is kept up-to-date.

AWS CloudFormation template

To begin, download the AWS CloudFormation template for this solution and provision it in your AWS account. You can use the default parameter settings, as shown in the following screenshot.

Figure 4 CloudFormation parameters

Because the solution provisions an API Gateway that is reachable from the internet, you can restrict it by replacing the [Allowed Networks] value of 0.0.0.0/0 with the IP prefix of your on-premises data center.

After the stack is provisioned, go to the Outputs section of the AWS CloudFormation console to copy the apiGatewayInvokeURL value as shown in the following screenshot.

Figure 5 API Gateway URL in CloudFormation Outputs tab

Navigating to the URL produces the required list of IP prefixes, as shown in the following screenshot.

Figure 6 IP prefixes from API Gateway

The following sections show how we can configure different firewalls to download the CloudFront IP prefixes web feed.

Fortinet firewall: threat feeds

We can use the Fortinet firewall's threat feeds feature to import IP prefixes. From the FortiGate web console, navigate to Security Fabric, External Connectors, select Create New, and select IP Address, as shown in the following screenshot.

Figure 7 New External Connector in Fortinet firewall

Enter the API gateway URL in URI of external resource, disable HTTP basic authentication, adjust other settings as needed, and select OK to save.

After you have refreshed the object, verify that the IP prefix entries are populated, as shown in the following screenshot.

Figure 8 IP prefixes in Fortinet IP Address Threat Feed

Palo Alto Firewall: External Dynamic List

We can use the External Dynamic List (EDL) feature of the Palo Alto firewall. From the PAN-OS web console, go to Objects, External Dynamic List (EDL), and select Add. For Type, select IP List and enter the API gateway URL in the Source field, as shown in the following screenshot.

Figure 9 External Dynamic List in PAN-OS

Adjust other settings as needed and select OK. After PAN-OS has downloaded the feed, verify the IP prefix entries, as shown in the following screenshot.

Figure 10 IP prefixes in External Dynamic List

pfSense Firewall: URL Table Alias

The pfSense firewall supports URL Table Aliases. From the pfSense web console, navigate to Firewall, Alias and select Add. Under Type, select URL Table (IPs). In the URL Table (IPs) field, enter your API gateway URL and change the update frequency to 1 day, as shown in the following screenshot.

Figure 11 URL Table Alias in pfSense

Select Save followed by Apply Changes. Go to Diagnostics, Tables to refresh and view the IP entries in the alias you created, as shown in the following screenshot.

Figure 12 IP prefixes in URL Table Alias

Firewall policy

Once you’ve imported the IP prefixes, configure a firewall policy to restrict internet inbound access to your origin by referencing CloudFront IP prefixes as the source.

The following screenshot is an example firewall policy for a Palo Alto firewall that allows CloudFront IP prefixes ingress access to the HTTP and HTTPS ports of an on-premises web server.

Figure 13 Example firewall policy

The exact configuration will depend on your on-premises setup and security policies.

Other solution features

Besides CloudFront, this solution can return other IP prefixes by Region, network border group, or supported AWS service. For example, you may want to associate Route 53 health checks with an on-premises server for DNS failover. Amazon Route 53 health checks require their IP address ranges to be added to the firewall's allow-list; the corresponding IP prefixes are retrieved from API Gateway at the URL path /SERVICE/ROUTE53_HEALTHCHECKS/ipv4.txt, as shown in the following screenshot.

Figure 14 Route 53 health checks IP prefixes

You can refer to the aws-ipranges-api GitHub repository for more information.
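As an added example (not code from this post or the aws-ipranges-api project), the following Python reproduces, on a constructed ip-ranges.json sample, the selection that the jq command and the solution's /SERVICE/<name>/ipv4.txt feeds perform, together with the allow-list check that the firewall policy applies to a connection's source address. The function names and the sample prefixes are assumptions of this example, not values from AWS.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json; the prefixes are
# documentation ranges invented for this example, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "ROUTE53_HEALTHCHECKS", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
    ],
})

def select_prefixes(doc, service=None, region=None, border_group=None, ipv6=False):
    """Prefixes matching every given filter (None = any), de-duplicated and in
    numeric order, like the post's jq select() piped through `sort -V`."""
    data = json.loads(doc)
    key, entries = ("ipv6_prefix", data["ipv6_prefixes"]) if ipv6 else ("ip_prefix", data["prefixes"])
    nets = {
        ipaddress.ip_network(e[key])
        for e in entries
        if (service is None or e["service"] == service)
        and (region is None or e["region"] == region)
        and (border_group is None or e["network_border_group"] == border_group)
    }
    return [str(n) for n in sorted(nets)]

def feed_text(doc, service):
    """Body the solution's /SERVICE/<service>/ipv4.txt feed would serve:
    one prefix per line, which the firewalls above parse as an IP list."""
    return "\n".join(select_prefixes(doc, service=service)) + "\n"

def allowed_by_policy(src_ip, prefixes):
    """The firewall policy's check: admit the connection only when its
    source address falls inside one of the imported prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)
```

The same filters applied to the live ip-ranges.json give the feed bodies the firewalls in this post poll; entries are de-duplicated because a range is often listed under both a specific service and AMAZON.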

Conclusion

Shield Advanced with CloudFront and AWS WAF provides comprehensive DDoS protection and can be used to protect websites hosted outside of AWS. The serverless solution provided in this post lets you secure your on-premises CloudFront origins using network firewalls and makes sure that IP prefixes are up-to-date.

Mike Lim

Mike Lim is a Solutions Architect based in Singapore where he helps customers achieve their business goals with AWS cloud services. He is a technology geek who enjoys finding innovative solutions to solve challenges. You can find him contributing to the community on GitHub at @limmike.