AWS has just announced the availability of the AWS managed prefix list for CloudFront.
Customers can now restrict inbound HTTP/HTTPS traffic to a VPC, and to the application behind it, to only the IP addresses that belong to CloudFront’s origin-facing servers, says Renato Losio in a recent article at InfoQ.
The new managed prefix list can be referenced in VPC security group rules, in subnet route tables, or in common security group rules distributed across accounts with AWS Firewall Manager. The cloud provider keeps the list up to date with the IP addresses of CloudFront’s origin-facing servers. The senior solutions architect at AWS, Kaustubh Phatak, noted:
“This feature will simplify your security group management – no more workarounds to update the security groups when CloudFront IPs change. You can use Firewall Manager to centrally configure your managed prefix list across all your AWS accounts.”
A prefix list is a collection of one or more CIDR blocks that aim to make it easier to configure and maintain security groups and route tables. There are both customer-managed prefix lists and AWS-managed prefix lists, sets of IP address ranges for AWS services managed by the cloud provider. Maksim Aniskov, infrastructure architect at Endeva, added:
“A long-awaited feature, really: simplify app protection by leveraging VPC’s AWS-managed prefixes for CloudFront. Before this feature it required more moving parts.”
The systems development manager at AWS, Jon Zobrist, also commented:
“Now you can reference the managed prefix list for CloudFront in your Security Groups on your ELB. No more insert header and WAF/ALB rule it!”
As with other AWS-managed lists, customers cannot create, modify or share the CloudFront prefix list, and referencing it has a significant effect on VPC quotas: the list counts as 55 rules in a security group and as 55 routes in a route table. With the default quotas this leaves room for only five additional inbound rules in the security group, and a route table needs a quota increase before it can hold the list at all.
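To make the two points above concrete, referencing the list from a security group rule and staying inside the 55-unit quota weight, here is an added example that plans the switch from CIDR-based CloudFront rules (the kind the old Lambda workaround maintained) to a single rule that references the AWS-managed prefix list. It is not code from the article or from AWS. The prefix list name `com.amazonaws.global.cloudfront.origin-facing`, the weight of 55 and the default quota of 60 inbound rules come from the article and AWS documentation; the prefix list ID, the security group, its CIDRs (documentation ranges) and the `cloudfront-ip-sync` description marker are constructed for the example. The dictionaries it returns have the shape that `ec2.authorize_security_group_ingress` and `ec2.revoke_security_group_ingress` in boto3 accept as keyword arguments, but the example itself makes no AWS calls and runs offline.

```python
"""Plan replacing CIDR-based CloudFront allow rules with one rule that references
the AWS-managed prefix list, and check the result against the security-group quota.

Added example, not the article's or AWS's code. The prefix list name, the 55-entry
weight and the default 60-rule inbound quota are from the article and AWS docs;
the security group, CIDRs, prefix list ID and description marker are constructed.
"""
from __future__ import annotations

import json
from typing import Any

CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
DEFAULT_SG_INBOUND_RULES = 60  # default quota; the list's 55 leaves room for 5 more
SYNC_MARKER = "cloudfront-ip-sync"  # hypothetical description the old sync job wrote

# Constructed: shaped like one element of describe_managed_prefix_lists()["PrefixLists"].
SAMPLE_PREFIX_LIST: dict[str, Any] = {
    "PrefixListId": "pl-0123456789abcdef0",  # placeholder, not a real ID
    "PrefixListName": CLOUDFRONT_PREFIX_LIST_NAME,
    "MaxEntries": 55,
    "OwnerId": "AWS",
}

# Constructed: shaped like one element of describe_security_groups()["SecurityGroups"].
SAMPLE_SG: dict[str, Any] = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [
                {"CidrIp": "192.0.2.0/24", "Description": SYNC_MARKER},
                {"CidrIp": "198.51.100.0/24", "Description": SYNC_MARKER},
            ],
            "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
        },
        {
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "bastion"}],
            "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
        },
    ],
}


def rule_weight(perm: dict[str, Any], max_entries: dict[str, int]) -> int:
    """Quota units one IpPermissions entry consumes: one per CIDR or security
    group reference, plus MaxEntries for every referenced prefix list."""
    weight = len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
    weight += len(perm.get("UserIdGroupPairs", []))
    for pl in perm.get("PrefixListIds", []):
        weight += max_entries[pl["PrefixListId"]]
    return weight


def sg_weight(sg: dict[str, Any], max_entries: dict[str, int]) -> int:
    """Total inbound quota units currently consumed by a security group."""
    return sum(rule_weight(p, max_entries) for p in sg["IpPermissions"])


def cloudfront_ingress_permission(prefix_list_id: str, port: int = 443) -> dict[str, Any]:
    """One IpPermissions entry allowing TCP `port` only from the CloudFront list."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "CloudFront origin-facing (AWS-managed)"}],
    }


def plan_migration(sg: dict[str, Any], prefix_list: dict[str, Any],
                   marker: str = SYNC_MARKER,
                   quota: int = DEFAULT_SG_INBOUND_RULES) -> dict[str, Any]:
    """Build the authorize/revoke requests and the post-migration weight.
    Raises ValueError when the group would exceed the inbound-rule quota."""
    max_entries = {prefix_list["PrefixListId"]: prefix_list["MaxEntries"]}
    revoke: list[dict[str, Any]] = []
    kept_weight = 0
    for perm in sg["IpPermissions"]:
        ranges = perm.get("IpRanges", [])
        stale = [r for r in ranges if r.get("Description") == marker]
        if stale:  # CIDRs the old sync job wrote: revoke them after the new rule exists
            revoke.append({"IpProtocol": perm["IpProtocol"], "FromPort": perm["FromPort"],
                           "ToPort": perm["ToPort"], "IpRanges": stale})
        kept = dict(perm)
        kept["IpRanges"] = [r for r in ranges if r.get("Description") != marker]
        kept_weight += rule_weight(kept, max_entries)
    new_perm = cloudfront_ingress_permission(prefix_list["PrefixListId"])
    after = kept_weight + rule_weight(new_perm, max_entries)  # +55 for the list
    if after > quota:
        raise ValueError(f"{after} rule units would exceed the quota of {quota}; "
                         "request a quota increase or move rules to another group")
    return {
        "authorize": {"GroupId": sg["GroupId"], "IpPermissions": [new_perm]},
        "revoke": {"GroupId": sg["GroupId"], "IpPermissions": revoke},
        "weight_after": after,
    }


if __name__ == "__main__":
    print(json.dumps(plan_migration(SAMPLE_SG, SAMPLE_PREFIX_LIST), indent=2))
```

Apply the `authorize` request first and the `revoke` request second, so CloudFront never loses access during the switch. The sample group goes from 3 quota units to 56, which fits the default of 60; a group that already carries six unrelated rules would land at 61 and the planner refuses it, which is the situation the article's "only five additional rules" remark warns about.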
In a Reddit thread, user jamsan920 writes:
“No more Lambda functions to maintain a security group with the list of Cloudfront Origin IPs, hooray!”
Relying on a Lambda function to copy CloudFront’s published IP ranges into a security group was the alternative approach that AWS itself suggested, and updated multiple times, in the past. Other users think the scope of the new feature is too narrow and that all AWS services that expose IP addresses should offer prefix lists.
The CloudFront managed prefix list is available in all regions except Asia Pacific (Jakarta) and Asia Pacific (Osaka). The list can be referenced in CloudFormation templates, and there is no additional cost for using it.