How to set up an AWS WAF rule with the ALB DNS name added to a Cloudflare DNS CNAME record


I am trying to set up blocking of the whole world from accessing my website and allow only specific IPs using an AWS WAF rule (IP sets).
In Cloudflare DNS, I have added the AWS ALB DNS name with Proxied enabled.

Has anybody done a similar setup for this kind of use case, using Cloudflare DNS to allow only specific IPs and block all others using an AWS WAF rule?

Note: If I set the CNAME proxy status to DNS only, then my site shows as insecure. Here we are using a Cloudflare SSL/TLS origin certificate, added to the AWS ALB listener rule.

Any other way is welcome.

Thank you!

Do you have any reason not to use the Cloudflare WAF, and to use AWS WAF instead, to achieve your objective?

Since the traffic is proxied, your AWS WAF will see incoming traffic from Cloudflare IP addresses instead of the end-user IP address. If you have a reason you must use AWS WAF to allow IPs, then you can configure AWS WAF to reference the original IP address from a request header such as X-Forwarded-For.
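Added example, not code from either poster: a small local model of what the reply above describes, the AWS WAF "forwarded IP" IP-set check, together with the WAFv2 rule JSON that expresses it (`IPSetReferenceStatement` with `IPSetForwardedIPConfig`). It also handles the failure mode a practitioner has to cover: a forwarded-IP header is only trustworthy when the TCP peer really is the proxy, because anyone who reaches the ALB directly can write any value into `X-Forwarded-For`. On AWS that first check belongs in the ALB security group (or a plain source-IP WAF rule) restricted to the proxy's published ranges, not in the forwarded-IP rule itself. The edge ranges, office ranges and IP set ARN are hypothetical placeholders, and using `CF-Connecting-IP` rather than `X-Forwarded-For` as the header is a design choice made here because Cloudflare sets that header to a single value itself.

```python
"""Local model of an AWS WAF forwarded-IP allow-list (added example, not the
thread's own configuration). All addresses and the ARN are hypothetical."""
import ipaddress
from typing import Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical stand-in for the reverse proxy's published egress ranges
# (NOT Cloudflare's real list; fetch that from Cloudflare for production).
EDGE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical office WiFi egress block that should be allowed through.
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.16/28")]


def _in_any(ip: IPAddr, nets) -> bool:
    return any(ip in net for net in nets)


def forwarded_ip(headers: Dict[str, str], header_name: str = "X-Forwarded-For",
                 position: str = "FIRST") -> Optional[IPAddr]:
    """Pick the client address out of a forwarded-IP header the way WAFv2's
    IPSetForwardedIPConfig does: Position FIRST or LAST of a comma list.
    Returns None when the header is absent or not a valid address; that is
    the case WAF resolves with FallbackBehavior (MATCH or NO_MATCH)."""
    raw = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if raw is None:
        return None
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return None
    candidate = hops[0] if position == "FIRST" else hops[-1]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def allow_request(peer_ip: str, headers: Dict[str, str],
                  header_name: str = "CF-Connecting-IP",
                  fallback_match: bool = False) -> bool:
    """Decision for one request.
    1. Trust the forwarded-IP header only if the TCP peer is one of the proxy's
       edge addresses. A request that hit the ALB directly can carry any header
       the sender likes, so it is rejected outright (on AWS: security group or
       a source-IP WAF rule limited to the proxy ranges).
    2. Apply the IP-set check to the forwarded address; a missing or malformed
       header falls back the way FallbackBehavior would."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, EDGE_RANGES):
        return False
    client = forwarded_ip(headers, header_name)
    if client is None:
        return fallback_match
    return _in_any(client, ALLOWED_CLIENTS)


def ipset_forwarded_rule(ipset_arn: str, header_name: str = "CF-Connecting-IP") -> dict:
    """WAFv2 rule implementing step 2. Attach it to a web ACL whose
    DefaultAction is {"Block": {}} so every address outside the IP set is
    dropped; the IP set itself holds the office egress addresses."""
    return {
        "Name": "allow-office-via-proxy",
        "Priority": 0,
        "Action": {"Allow": {}},
        "Statement": {
            "IPSetReferenceStatement": {
                "ARN": ipset_arn,
                "IPSetForwardedIPConfig": {
                    "HeaderName": header_name,
                    # NO_MATCH: a request with no usable header is not allowed.
                    "FallbackBehavior": "NO_MATCH",
                    "Position": "FIRST",
                },
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "allowOfficeViaProxy",
        },
    }


if __name__ == "__main__":
    # Constructed requests: one legitimate, one spoofed header on a direct hit.
    print(allow_request("203.0.113.7", {"CF-Connecting-IP": "198.51.100.20"}))
    print(allow_request("192.0.2.1", {"CF-Connecting-IP": "198.51.100.20"}))
    import json
    print(json.dumps(ipset_forwarded_rule(
        "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/office/0000"), indent=2))
```

The rule dict can be passed as one element of `--rules` to `aws wafv2 create-web-acl` / `update-web-acl` with `--scope REGIONAL` and `--default-action Block={}`. `FallbackBehavior` is set to `NO_MATCH` deliberately: with `MATCH`, a request lacking the header would be treated as if it were in the allow list, which defeats the purpose of a default-block ACL.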

Hi @erictung, thanks for your response. I am not getting how to configure allowing only specific IPs to access our storefront app over WiFi while simultaneously blocking access from anywhere else in the world. I don't want to block by country name or ASN. As per your suggestion, I am alternatively exploring the other way, using the X-Forwarded-For (XFF) header with AWS WAF. I may need to spend some time on this to configure it to fulfil our requirement.
