An internet-facing Application Load Balancer is exposed to attacks from the internet, even when it is used as the origin of a CloudFront distribution, because clients can still send requests to it directly. To secure the application from attackers, you can configure your CloudFront distribution and the Application Load Balancer so that only requests carrying a custom header are allowed. This approach helps protect the Application Load Balancer from requests that do not come through CloudFront.
In this Cloud Lab, you’ll launch an EC2 instance hosting a static web page. Next, you’ll create a target group containing the EC2 instance and an Application Load Balancer to route traffic to that instance. You’ll create a CloudFront distribution with the Application Load Balancer as its origin. Then, you’ll simulate a denial-of-service (DoS) attack aimed at the Application Load Balancer. After that, you’ll modify the origin in the CloudFront distribution to add a custom header to the requests it sends to the Application Load Balancer. You’ll also add a custom listener rule that forwards only traffic carrying the custom header to the target group and returns a 403 Access Denied error to all other traffic. Finally, you’ll test the application to confirm that traffic without the header is denied access.
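The two changes described above, written as a CloudFormation fragment. This is an added example, not the lab's own template: the header name `X-Origin-Verify`, the `OriginSecret` parameter, and the logical IDs `Alb` and `WebTargetGroup` (resources assumed to be defined elsewhere in the template) are assumptions.

```yaml
# Added example. Header name, parameter name and logical IDs are assumptions.
Parameters:
  OriginSecret:
    Type: String
    NoEcho: true                          # keep the value out of console/API output
    AllowedPattern: '^[A-Za-z0-9]{32,}$'  # ALB header matching treats * and ? as wildcards
Resources:
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 80
      Protocol: HTTP
      DefaultActions:                     # anything that matches no rule is refused
        - Type: fixed-response
          FixedResponseConfig: { StatusCode: "403" }
  ForwardFromCloudFront:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref Listener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify
            Values: [!Ref OriginSecret]
      Actions:
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroup
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: alb-origin
            DomainName: !GetAtt Alb.DNSName
            CustomOriginConfig:
              # http-only sends the header in cleartext to the origin;
              # prefer https-only with an HTTPS listener outside a lab.
              OriginProtocolPolicy: http-only
            OriginCustomHeaders:          # added by CloudFront to every origin request
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginSecret
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6  # managed CachingOptimized
```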
By the end of this Cloud Lab, you’ll be well-equipped to secure your Application Load Balancer using custom headers. In addition, you’ll learn to use CloudFront with an Application Load Balancer as the origin.
The following is the high-level architecture diagram of the final infrastructure that you will build in this Cloud Lab: