Chapter 7 of 26
Securing Workloads and Applications: ELB, CloudFront, and Edge Security
See how traffic flows from the internet to your workloads through Elastic Load Balancing and CloudFront, and how to enforce security controls at every hop.
Big Picture: Internet Entry Points on AWS
From User to Workload
Typical path: internet user → Route 53 DNS → CloudFront → Elastic Load Balancer → targets in private subnets. Each hop is a chance to enforce security.
Well-Architected Security
We use the security pillar of the AWS Well-Architected Framework to guide decisions: protect data, systems, and assets, and improve security posture.
Shared Responsibility
AWS secures infrastructure and edge locations; you configure listeners, TLS, security groups, WAF, and routing. Misconfigurations are on the customer side.
Exam Mindset
Expect scenario questions: pick where to terminate TLS, where to put WAF, and how to keep instances private while still serving global traffic.
Elastic Load Balancing Types and Security Basics
ALB Highlights
ALB is Layer 7: HTTP/HTTPS, host/path routing, WAF integration, security groups, and TLS termination with ACM. Use it for web apps and APIs.
NLB Highlights
NLB is Layer 4: TCP/UDP/TLS, very high throughput, static IPs. No security group on the NLB itself; protect targets with security groups.
GWLB Role
Gateway Load Balancer inserts virtual appliances (e.g., firewalls) transparently into traffic flows using GENEVE tunnels.
Placement Pattern
Typical secure pattern: internet-facing ALB/NLB in public subnets, EC2 or ECS tasks in private subnets, no public IPs on workloads.
Designing a Secure ALB in Front of EC2
Goal and Layout
Goal: public HTTPS site, EC2 in private subnets. Use public subnets for an internet-facing ALB and private subnets for EC2 across at least two AZs.
ALB Listeners
Configure ALB listeners on 80 and 443. HTTP listener redirects to HTTPS; HTTPS listener uses an ACM certificate and a modern TLS security policy.
Security Groups
ALB SG: allow 80/443 from anywhere. EC2 SG: allow HTTP only from the ALB SG ID. Instances have no public IPs, blocking direct internet access.
Traffic Flow Result
Client → HTTPS to ALB → HTTP to EC2 in private subnets. Encryption is enforced over the internet; the internal hop is protected by VPC isolation.
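The security-group half of this design is easy to get wrong later (someone adds a rule to the instance group). The audit below, an added example that is not part of the original lesson, checks a `describe-security-groups`-shaped response against the pattern: the ALB group exposes only 80/443, and the instance group accepts traffic only from the ALB group's ID. Group IDs and the sample data are constructed.

```python
from typing import Dict, List

ALB_SG = "sg-0aaaa1111bbbb2222"  # constructed ID of the ALB's security group
EC2_SG = "sg-0cccc3333dddd4444"  # constructed ID of the instances' security group

# Constructed sample in the shape of an `ec2 describe-security-groups` response:
# ALB group open on 80/443 to the internet; EC2 group trusts port 80 from the ALB
# group but also carries a stray SSH rule that the audit should flag.
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": EC2_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def audit_edge_pattern(groups: List[Dict], alb_sg: str, ec2_sg: str) -> List[str]:
    """Return findings that break the pattern; an empty list means it holds."""
    perms = {g["GroupId"]: g["IpPermissions"] for g in groups}
    findings = []
    for p in perms.get(alb_sg, []):
        if p["IpProtocol"] == "-1":  # "all traffic" rules carry no port fields
            findings.append(f"{alb_sg}: allows all traffic; only 80/443 expected")
        elif not {p["FromPort"], p["ToPort"]} <= {80, 443}:
            findings.append(f"{alb_sg}: ports {p['FromPort']}-{p['ToPort']} exposed; only 80/443 expected")
    for p in perms.get(ec2_sg, []):
        port = p.get("FromPort", "all")
        for r in p.get("IpRanges", []):  # any CIDR source bypasses the ALB
            findings.append(f"{ec2_sg}: port {port} open to {r['CidrIp']}; "
                            "targets must accept traffic only from the ALB group")
        for pair in p.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg:
                findings.append(f"{ec2_sg}: port {port} trusts {pair['GroupId']}, not the ALB group")
    return findings


if __name__ == "__main__":
    for f in audit_edge_pattern(SAMPLE_GROUPS, ALB_SG, EC2_SG):
        print("FINDING:", f)
```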
TLS Termination, Re-encryption, and HTTPS Everywhere
Edge Termination
TLS ends at the ALB, which sends plain HTTP to targets. Simple and common, but the internal hop is unencrypted; often acceptable inside a trusted VPC.
End-to-End Encryption
ALB terminates TLS and then re-encrypts to targets with HTTPS. This gives full in-transit encryption but adds certificate and CPU overhead.
CloudFront as TLS Endpoint
CloudFront terminates TLS at the edge and can talk HTTPS or HTTP to origins. For strong security, use HTTPS to origin and restrict direct origin access.
Exam Language
Phrases like "HTTPS everywhere" or "end-to-end" signal you should keep TLS from client → CloudFront → ALB → targets.
Amazon CloudFront and Edge Security Controls
CloudFront as Security Layer
CloudFront is not just caching; it adds DDoS protection, TLS termination, and origin shielding by sitting in front of your origins.
Origin Protection
Use Origin Access Control for S3 so only CloudFront can read the bucket. For ALB or APIs, restrict origins via security groups or custom headers.
WAF at the Edge
Attach AWS WAF to CloudFront to block malicious requests globally before they hit any AWS region or your VPC.
Key Exam Pattern
For "secure S3 content, no direct public access": CloudFront + OAC, S3 Block Public Access enabled, and bucket policy allowing only CloudFront.
CloudFront + S3 vs CloudFront + ALB: Two Secure Patterns
Static: CloudFront + S3
S3 hosts static files; public access is blocked. CloudFront uses Origin Access Control and bucket policy to be the only reader, serving HTTPS globally.
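The "CloudFront + OAC, Block Public Access, bucket policy allowing only CloudFront" pattern from the exam-pattern note above and this static pattern comes down to one bucket policy. The code below is an added example, not from the original lesson: it builds that policy (CloudFront service principal plus an `AWS:SourceArn` condition pinned to one distribution) and audits an arbitrary policy for Allow statements that would admit any other reader. Bucket name, account ID and distribution ID are constructed placeholders.

```python
import json
from typing import Dict, List

BUCKET = "example-static-assets"  # constructed bucket name
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"  # constructed


def build_oac_bucket_policy(bucket: str, distribution_arn: str) -> Dict:
    """Grant s3:GetObject to the CloudFront service principal only, and only when
    the request is signed on behalf of this one distribution (AWS:SourceArn)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def policy_findings(policy: Dict, distribution_arn: str) -> List[str]:
    """Flag Allow statements that let anything other than this distribution read."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: grants access to everyone (public principal)")
            continue
        if principal != {"Service": "cloudfront.amazonaws.com"}:
            findings.append(f"{sid}: principal is not the CloudFront service")
        # Without the SourceArn pin, any CloudFront distribution in any account could read.
        source_arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
        if source_arn != distribution_arn:
            findings.append(f"{sid}: AWS:SourceArn missing or wrong; any distribution could read")
    return findings


def bucket_locked_down(policy: Dict, distribution_arn: str, block_public_access: bool) -> bool:
    """Both controls are required: Block Public Access on, and a policy only the distribution satisfies."""
    return block_public_access and not policy_findings(policy, distribution_arn)


if __name__ == "__main__":
    print(json.dumps(build_oac_bucket_policy(BUCKET, DISTRIBUTION_ARN), indent=2))
```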
Dynamic: CloudFront + ALB
CloudFront uses ALB as a custom origin. Enforce HTTPS to the ALB and restrict ALB access so only CloudFront (e.g., via header or WAF) can reach it.
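The "via header" restriction mentioned above works by having CloudFront add a secret custom origin header and an ALB listener rule that forwards only when that header matches, with a fixed 403 as the default action. The code below is an added example, not from the original lesson: it builds the rule in the ELBv2 `create-rule` condition/action shape and simulates how the listener would treat requests with and without the header. The header name, secret value and target group ARN are constructed.

```python
import hmac
from typing import Dict

HEADER = "X-Origin-Verify"                 # constructed header name CloudFront adds to origin requests
SECRET = "c0n5truct3d-r0t4t3-m3"           # constructed; in practice stored in Secrets Manager and rotated
TARGET_GROUP_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                    "targetgroup/web/abc123EXAMPLE")  # constructed


def build_listener_rule(header: str, secret: str, target_group_arn: str) -> Dict:
    """Conditions/Actions for an HTTPS-listener rule: forward to the target group
    only when the origin-verify header carries the shared secret."""
    return {
        "Conditions": [{
            "Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": header, "Values": [secret]},
        }],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


# Listener default action: anything that bypasses CloudFront gets a bare 403.
DEFAULT_ACTION = {
    "Type": "fixed-response",
    "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                            "MessageBody": "Forbidden"},
}


def evaluate(rule: Dict, default_action: Dict, headers: Dict[str, str]) -> Dict:
    """Simulate the listener: return the action the ALB would apply to a request.
    Header names are case-insensitive; values are compared exactly (constant-time
    here, to avoid leaking the secret through timing in this simulation)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for cond in rule["Conditions"]:
        cfg = cond["HttpHeaderConfig"]
        value = lowered.get(cfg["HttpHeaderName"].lower(), "")
        if not any(hmac.compare_digest(value, expected) for expected in cfg["Values"]):
            return default_action
    return rule["Actions"][0]


if __name__ == "__main__":
    rule = build_listener_rule(HEADER, SECRET, TARGET_GROUP_ARN)
    print(evaluate(rule, DEFAULT_ACTION, {HEADER: SECRET})["Type"])   # forward
    print(evaluate(rule, DEFAULT_ACTION, {"Host": "app.example.com"})["Type"])  # fixed-response
```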
Route 53 Integration
Use Route 53 alias records to map friendly names like www.example.com to the CloudFront distribution or ALB DNS names.
Choosing a Pattern
Static-only? S3 origin. Dynamic logic? ALB origin. Often you combine both: CloudFront → S3 for assets and CloudFront → ALB for APIs.
Web Application Protection: WAF, Shield, and Common Patterns
Shield and WAF Roles
Shield Standard gives automatic DDoS protection. AWS WAF lets you define rules to block or allow HTTP(S) requests at Layer 7.
Where to Attach WAF
Attach WAF to CloudFront for global edge protection, to ALB for regional apps, or to API Gateway/AppSync for API traffic.
Rule Patterns
Use managed rule groups, rate-based limits, and geo-match rules. Log WAF traffic for analysis and tuning over time.
Exam Gotcha: NLB
NLB is Layer 4 only; you cannot attach WAF directly. Use CloudFront + WAF or ALB + WAF in front if you need application-layer filtering.
Thought Exercise: Choosing TLS Termination Points
Work through this scenario mentally.
A healthcare startup is building a patient portal on AWS. Requirements:
- All traffic must be encrypted in transit, even inside the VPC.
- The app serves global users and must offload as much TLS work as possible from EC2 instances.
- They want to block common web attacks before they hit the VPC.
They plan to use: Route 53, CloudFront, ALB, EC2 in private subnets.
Questions for you (pause and answer before reading hints):
- Where should TLS be terminated and re-established along the path client → CloudFront → ALB → EC2?
- Where should AWS WAF be attached for maximum protection and global coverage?
- Should the ALB allow HTTP or HTTPS from CloudFront? Why?
Hints to self-check:
- Requirement "encrypted even inside the VPC" suggests HTTPS between ALB and EC2.
- "Global users" and "block attacks before they hit the VPC" suggest CloudFront + WAF at the edge.
- You can still offload most TLS from EC2 by terminating at ALB, then re-encrypting to EC2 with lighter certificates.
After you decide, sketch the full flow and label where certificates live and which security groups or origin restrictions you would configure.
Quiz 1: ELB and Edge Security Basics
Check your understanding of ELB types and basic edge patterns.
You are designing a public web application that needs host-based routing, AWS WAF integration, and TLS termination using ACM certificates. Which combination best meets these needs with minimal complexity?
- Network Load Balancer with AWS WAF attached and ACM certificate on each EC2 instance
- Application Load Balancer with AWS WAF attached and ACM certificate on the ALB
- Gateway Load Balancer with custom firewall appliances handling TLS and WAF
- CloudFront directly in front of EC2 instances using instance self-signed certificates
Answer: B) Application Load Balancer with AWS WAF attached and ACM certificate on the ALB
Host-based routing and WAF integration point to an Application Load Balancer. ALB supports Layer 7 routing, integrates with AWS WAF, and can terminate TLS using an ACM certificate. NLB cannot attach WAF or do host-based routing; GWLB is for network appliances; CloudFront alone does not replace the need for an ALB in front of EC2 for routing and health checks.
Quiz 2: CloudFront and Origin Protection
Test your understanding of CloudFront origin security.
A company wants to serve static content from S3 to global users. They must ensure the S3 bucket is not publicly accessible directly, but content is still available via HTTPS. Which approach best satisfies this requirement?
- Make the S3 bucket public and use CloudFront with an S3 origin to cache content
- Use CloudFront with S3 origin, enable Origin Access Control (or OAI historically), block public access on the bucket, and allow only the distribution in the bucket policy
- Expose the S3 bucket through an internet-facing NLB and put CloudFront in front of the NLB
- Attach AWS WAF directly to the S3 bucket and allow only CloudFront IP ranges
Answer: B) Use CloudFront with S3 origin, enable Origin Access Control (or OAI historically), block public access on the bucket, and allow only the distribution in the bucket policy
The recommended pattern is to use CloudFront with an S3 origin, enable Origin Access Control (or OAI in older patterns), block public access at the bucket, and configure a bucket policy allowing only the CloudFront distribution. Making the bucket public violates the requirement; NLB is unnecessary; WAF cannot attach directly to S3.
Key Term Review: ELB, CloudFront, and Edge Security
Flip through these flashcards to reinforce key concepts.
- Application Load Balancer (ALB)
- A Layer 7 load balancer that supports HTTP/HTTPS, host and path-based routing, WebSocket, security groups, AWS WAF integration, and TLS termination with ACM certificates. Ideal for web apps and APIs.
- Network Load Balancer (NLB)
- A Layer 4 load balancer for TCP/UDP/TLS with very high performance and static IPs. Does not support WAF directly and does not use a security group; you secure the targets instead.
- Origin Access Control (OAC)
- A mechanism for CloudFront to securely access S3 buckets so that the bucket can block public access and only trust requests coming from the CloudFront distribution.
- AWS WAF
- A web application firewall that lets you monitor and control HTTP(S) requests based on rules, protecting against common web exploits like SQL injection and cross-site scripting.
- AWS Shield Standard
- Automatic, always-on DDoS protection for AWS services such as CloudFront, Route 53, and Elastic Load Balancing, included at no extra cost.
- End-to-end TLS
- A pattern where traffic is encrypted with TLS from the client through intermediate components (CloudFront, ALB) all the way to the backend targets, ensuring encryption in transit at every hop.
- Custom origin (CloudFront)
- Any HTTP(S) endpoint used as a CloudFront origin, such as an Application Load Balancer, EC2 instance, or on-premises server.
- Internet-facing vs internal load balancer
- Internet-facing load balancers have public IPs and can receive traffic from the internet. Internal load balancers have only private IPs and are reachable only within a VPC or via private connectivity.
Putting It Together: Secure Internet-Facing Architecture
Core Components
Route 53, CloudFront, S3 with OAC, ALB, and EC2 in private subnets form a standard secure internet-facing architecture.
End-to-End Flow
Client → Route 53 → CloudFront (TLS, WAF) → S3 or ALB over HTTPS → EC2 in private subnets. Direct S3 or EC2 public access is blocked.
Layered Defenses
Shield and Route 53 handle DDoS and DNS. CloudFront + WAF stop many attacks at the edge. VPC and security groups protect internal workloads.
Next Steps in Your Path
In upcoming mock exams and spaced review, look for patterns where adding CloudFront, ALB, or WAF improves both security and performance.
Key Terms
- AWS WAF
- A web application firewall that lets you monitor and control HTTP(S) requests based on customizable rules and managed rule groups, protecting against common web exploits.
- Custom origin
- In CloudFront, any HTTP(S) endpoint such as an Application Load Balancer, EC2 instance, or on-premises server used as the source of content.
- TLS termination
- The point in a network path where encrypted TLS traffic is decrypted so that it can be inspected, routed, or processed in plaintext before possibly being re-encrypted.
- Amazon CloudFront
- A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to users with low latency, integrating with AWS Shield and AWS WAF.
- AWS Shield Standard
- An automatic DDoS protection service for AWS resources like CloudFront, Route 53, and Elastic Load Balancing, provided at no additional cost.
- End-to-end encryption
- A design where data remains encrypted between the original sender and the final recipient, with no intermediate hops seeing unencrypted data.
- Network Load Balancer (NLB)
- A Layer 4 Elastic Load Balancer designed for high performance and static IP addresses, handling TCP, UDP, and TLS traffic without direct WAF integration.
- Origin Access Control (OAC)
- CloudFront feature that lets you securely restrict S3 bucket access so that only a specific CloudFront distribution can read objects, replacing older Origin Access Identity patterns.
- Gateway Load Balancer (GWLB)
- An Elastic Load Balancer type that makes it easy to deploy, scale, and manage third-party or custom virtual appliances such as firewalls using GENEVE tunnels.
- Application Load Balancer (ALB)
- A Layer 7 Elastic Load Balancer that supports HTTP/HTTPS and WebSocket, host and path-based routing, AWS WAF integration, security groups, and TLS termination with ACM certificates.