Force the traffic through Cloudflare even on direct AWS link

Hey guys,

I have this situation:

  • There’s a website on AWS which I’m wrapping around with Cloudflare. That works fine and well when you access it through the normal path (meaning typing the websitename.com into the address bar).

The question is:

  • How should I deny direct access to the AWS instance at %websitename%.eu-west-1.elb.amazonaws.com? I can’t revoke that, since AWS is generating this hostname. Or can I?
  • Or maybe a redirect should happen if someone accesses the direct link?

I’m puzzled about what the right choice would be.

Maybe someone has an idea?

Thanks a ton!

Specifically, using security groups.

You should ideally have 2 security groups - one on your instance, and one on your load balancer. The instance should be accepting only from the load balancer, and the load balancer only from the published Cloudflare IPs.

Then you should also, if possible, upgrade to using the origin certs provided by Cloudflare, add those to your load balancer and turn on ‘full’ or even ‘strict’ SSL mode.
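As an added illustration (not jtaylor’s code or anything posted in the thread), this is what the two rule sets described above look like in the IpPermissions shape that boto3’s authorize_security_group_ingress() takes, plus a small check showing that a direct hit on the ELB hostname from a non-Cloudflare address is refused while the instance itself only answers to the load balancer’s group. The Cloudflare ranges are a snapshot to be refreshed from the published list, and the security-group id is a placeholder.

```python
"""Build the two security-group rule sets from the thread and check which
sources they admit. Added example, not from the original post."""
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges; refresh from
# https://www.cloudflare.com/ips-v4 before deploying (treat as sample data).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
LB_SG_ID = "sg-0lbplaceholder"  # hypothetical id of the load balancer's security group

def lb_ingress(cidrs=CLOUDFLARE_V4, ports=(80, 443)):
    """Load balancer SG: only Cloudflare edges, only the web ports."""
    return [{
        "IpProtocol": "tcp", "FromPort": p, "ToPort": p,
        "IpRanges": [{"CidrIp": c, "Description": "Cloudflare edge"} for c in cidrs],
    } for p in ports]

def instance_ingress(lb_sg_id=LB_SG_ID, port=80):
    """Instance SG: accept only from the load balancer's group, no CIDR ranges at
    all, so the instance is unreachable from the internet even via the ELB hostname."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": lb_sg_id}],
    }]

def permits(rules, src_ip=None, port=443, src_sg=None):
    """Would this rule set admit TCP traffic from src_ip, or from a peer in src_sg?"""
    for r in rules:
        if not (r["FromPort"] <= port <= r["ToPort"]):
            continue
        if src_ip and any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(x["CidrIp"])
                          for x in r.get("IpRanges", [])):
            return True
        if src_sg and any(g["GroupId"] == src_sg for g in r.get("UserIdGroupPairs", [])):
            return True
    return False

if __name__ == "__main__":
    lb = lb_ingress()
    print(permits(lb, "104.16.1.2", 443))    # Cloudflare edge -> allowed
    print(permits(lb, "203.0.113.7", 443))   # direct hit on the ELB hostname -> dropped
    print(permits(instance_ingress(), "104.16.1.2", 80))         # nobody reaches the instance by IP
    print(permits(instance_ingress(), src_sg=LB_SG_ID, port=80))  # only the load balancer does
```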

Awesome, that’s a great point.

Thanks!

@jtaylor
you’ve been very helpful in this thread. Maybe you can point me to the correct source; I need to figure out which IP is the Cloudflare IP that requests will be forwarded from to the cloud instance?

In other words, I’m doing the Security Groups setup on AWS and I want to restrict access to only the Cloudflare IP. I need that IP value.

Thanks!

EDIT: Never mind, found them here → IP Ranges
