Restricting AWS ALB Access to Only GoDaddy Frontend/Cloudflare

Greetings,

I’m in the process of developing a security-enhanced architecture for an application that leverages GoDaddy for DNS and web hosting, alongside Cloudflare for SSL certificate provisioning and DNS management. The application’s backend is deployed on an AWS ECS cluster, interfaced through an Application Load Balancer (ALB). To facilitate API communications between the frontend hosted on GoDaddy and the backend on AWS, I’ve configured the ALB to connect to the ECS cluster and established a default security group that allows unrestricted inbound traffic. This configuration has been effective in ensuring smooth API interactions from the frontend to the load balancer.

Nonetheless, to bolster security, I aim to refine the inbound rules to exclusively permit traffic from the GoDaddy frontend (via Cloudflare) to access the AWS Load Balancer, thereby reducing the backend’s vulnerability to threats.

Inquiry:

Can selective access control be implemented by adjusting or adding DNS records at Cloudflare or GoDaddy? If altering DNS records isn’t a viable path, what strategies are recommended for limiting ALB access solely to Cloudflare/GoDaddy routed requests?

Given the fluid IP ranges of Cloudflare and the complexities in pinning a fixed IP for the GoDaddy frontend, I’m seeking advice on effective security practices to apply in this scenario.

Furthermore, I’m contemplating relocating the frontend hosting from GoDaddy to the AWS ecosystem as a potential measure to address these challenges.

I welcome any advice, experiences, or insights on configuring such an architecture efficiently. Should you have experience with similar configurations or suggestions on securing access to AWS ALB in this context, your contributions would be immensely valued.