AWS recently announced the availability of the AWS managed prefix list for CloudFront. Customers can now limit inbound HTTP/HTTPS traffic to a VPC and an application from only IP addresses that belong to CloudFront’s origin-facing servers.
The new managed prefix list can be referenced in VPC security group rules, in subnet route tables, or in common security group rules distributed with AWS Firewall Manager. The cloud provider keeps the list up to date with the IP addresses of CloudFront's origin-facing servers. Kaustubh Phatak, senior solution architect at AWS, highlights the main benefit:
This feature will simplify your security group management - no more workarounds to update the security groups when CloudFront IPs change. You can use Firewall Manager to centrally configure your managed prefix list across all your AWS accounts.
A prefix list is a collection of one or more CIDR blocks that makes it easier to configure and maintain security groups and route tables. There are customer-managed prefix lists and AWS-managed prefix lists; the latter are sets of IP address ranges for AWS services that the cloud provider maintains. Maksim Aniskov, infrastructure architect at Endeva, comments:
A long-awaited feature, really: simplify app protection by leveraging VPC's AWS-managed prefixes for CloudFront. Before this feature it required more moving parts.
Jon Zobrist, systems development manager at AWS, highlights the benefits for an application load balancer:
Now you can reference the managed prefix list for CloudFront in your Security Groups on your ELB. No more insert header and WAF/ALB rule it!
As with other AWS-managed lists, customers cannot create, modify or share the CloudFront prefix list. The addition also has a significant effect on VPC quotas: the managed list counts as 55 rules both in a security group and in a route table, which with default quotas leaves room for only five additional rules in a security group and requires a quota increase to use it in a route table.
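The following script is an added example, not AWS's own code or anything quoted on this page. It shows the two practical steps the article describes: looking up the CloudFront origin-facing managed prefix list by name and building an ingress rule that references it, then counting security-group rules the way the quota does (a referenced prefix list counts as its maximum number of entries). The API responses are constructed sample data shaped like the EC2 DescribeManagedPrefixLists and DescribeSecurityGroups responses; the prefix-list IDs are placeholders (the real ID differs per region), and the default inbound-rule quota of 60 per security group is an assumption consistent with the article's "55 rules plus five additional rules".

```python
import json

# Name of the AWS-managed list for CloudFront's origin-facing servers.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"

# Assumption: default VPC quota of 60 inbound rules per security group
# (55 for the CloudFront list plus the five additional rules the article mentions).
DEFAULT_SG_INBOUND_RULE_QUOTA = 60

# Constructed sample: shape of ec2.describe_managed_prefix_lists() in one region.
# Prefix-list IDs are placeholders, not real identifiers.
SAMPLE_PREFIX_LISTS = {
    "PrefixLists": [
        {"PrefixListId": "pl-0123456789abcdef0",  # placeholder
         "PrefixListName": CLOUDFRONT_PREFIX_LIST_NAME,
         "OwnerId": "AWS", "MaxEntries": 55},
        {"PrefixListId": "pl-0fedcba9876543210",  # placeholder customer-managed list
         "PrefixListName": "corp-offices",
         "OwnerId": "123456789012", "MaxEntries": 10},
    ]
}

# Constructed sample: an existing security group with two ordinary rules.
SAMPLE_EXISTING_SG = {
    "GroupId": "sg-0abc0abc0abc0abc0",  # placeholder
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24", "Description": "legacy allow"}]},
    ],
}


def find_prefix_list_id(response, name=CLOUDFRONT_PREFIX_LIST_NAME):
    """Return the ID of the AWS-owned managed prefix list with the given name."""
    for pl in response["PrefixLists"]:
        if pl["PrefixListName"] == name and pl["OwnerId"] == "AWS":
            return pl["PrefixListId"]
    raise LookupError(f"managed prefix list {name!r} not found in this region")


def cloudfront_only_ingress(prefix_list_id, port=443):
    """Build the IpPermissions payload for authorize_security_group_ingress
    that admits the port only from CloudFront's origin-facing ranges."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "CloudFront origin-facing servers"}],
    }]


def effective_rule_count(ip_permissions, prefix_lists):
    """Count rules the way the VPC quota does: each CIDR or security-group
    reference is one rule, and a referenced prefix list counts as its MaxEntries."""
    max_entries = {pl["PrefixListId"]: pl["MaxEntries"]
                   for pl in prefix_lists["PrefixLists"]}
    total = 0
    for perm in ip_permissions:
        total += len(perm.get("IpRanges", []))
        total += len(perm.get("Ipv6Ranges", []))
        total += len(perm.get("UserIdGroupPairs", []))
        for ref in perm.get("PrefixListIds", []):
            total += max_entries[ref["PrefixListId"]]
    return total


def quota_headroom(existing_permissions, new_permissions, prefix_lists,
                   quota=DEFAULT_SG_INBOUND_RULE_QUOTA):
    """Rules still available after adding new_permissions; negative means the
    authorize call would be rejected for exceeding the quota."""
    used = effective_rule_count(list(existing_permissions) + list(new_permissions),
                                prefix_lists)
    return quota - used


if __name__ == "__main__":
    pl_id = find_prefix_list_id(SAMPLE_PREFIX_LISTS)
    rule = cloudfront_only_ingress(pl_id)
    # With boto3 this payload would go to:
    # ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=rule)
    print(json.dumps(rule, indent=2))
    headroom = quota_headroom(SAMPLE_EXISTING_SG["IpPermissions"], rule,
                              SAMPLE_PREFIX_LISTS)
    print(f"rules left under default quota after adding CloudFront list: {headroom}")
```

Running the lookup against the real API is a one-line swap of the constructed responses for `ec2.describe_managed_prefix_lists(Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}])` and `ec2.describe_security_groups(GroupIds=[...])`; the counting logic is what a deployment check would run before the authorize call, since a rejected call is the symptom of the quota effect the article describes.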
In a Reddit thread, user jamsan920 writes:
No more Lambda functions to maintain a security group with the list of Cloudfront Origin IPs, hooray!
Relying on a Lambda function to keep a security group in sync with CloudFront's IP ranges was the workaround AWS itself suggested, and updated several times, in the past. Other users think the scope of the new feature is too narrow and that every AWS service exposing IP addresses should offer a prefix list. User Nick4753 warns:
Even if you restrict traffic to CloudFront IP ranges, there is no enforcement that any one account’s CloudFront distributions can only talk to any one account’s origins.
The CloudFront managed prefix list is available in all regions except Asia Pacific (Jakarta) and Asia Pacific (Osaka). The list can be referenced in CloudFormation templates, and there is no additional cost for using it.