Front Door (CloudFront)
WAF Scope: CLOUDFRONT
Goal:
- Direct ALB access fails
- CloudFront succeeds
AWS Instance Details
Instance: ip-10-240-5-20.us-east-2.compute.internal
Private IP: 10.240.5.20
AZ: us-east-2a
VPC: vpc-034018e4dd755d7f3
Behind the Curtain (Origin)
Origin: ALB (HTTPS)
Listener:
- default 403
- rule allows only correct header
Private: Web instances in Private Subnets
Note: The ALB cert won’t match the *.elb.amazonaws.com hostname (expected).
Tip: For Windows curl, use --ssl-no-revoke if Schannel revocation checks fail in your terminal window.
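Added example (not part of the original page or its deployment): a CloudFormation sketch of the listener described under Origin, with a default 403 and a single rule that forwards only when the expected header is present. The header name X-Origin-Verify, the parameter names and the logical IDs are assumptions; the page does not state them.

```yaml
# Added example; header name, parameters and logical IDs are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn: {Type: String}
  CertificateArn: {Type: String}
  WebTargetGroupArn: {Type: String}
  OriginHeaderValue:
    Type: String
    NoEcho: true          # shared secret; keep it out of console and API output
    MinLength: 32
Resources:
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AlbArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:     # any request that matches no rule gets a 403
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "403"
            ContentType: text/plain
            MessageBody: Forbidden
  AllowCloudFrontRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 10
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify   # hypothetical header name
            Values:
              - !Ref OriginHeaderValue
      Actions:            # only requests carrying the header reach the web tier
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroupArn
```

The CloudFront origin must be configured to send the same header and value as an origin custom header; a request sent straight to the ALB without it falls through to the default action and receives the 403.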