How to whitelist CloudFront’s IP range if you’re behind a firewall

Amazon CloudFront is a content delivery network (CDN) offered by the Amazon Web Services (AWS) cloud computing platform. CloudFront consists of a global network of edge locations that cache content—such as websites, applications, and videos—which lets AWS serve this content to users with low latency and high transfer speeds.

Services such as Packagecloud use CloudFront to cache package objects. However, if your computer is behind a firewall, you may need to whitelist CloudFront’s IP range to use these services.

Firewalls help protect and secure networks by controlling the incoming and outgoing traffic between the network and the internet. The strictest firewalls block all traffic that has not been explicitly approved in a whitelist: a set of IP addresses or IP address ranges that are authorized to exchange traffic with the network. This means firewalls may block legitimate traffic if not carefully configured.

Below, we’ll show you how to access content from CloudFront’s IP range uninterrupted by creating a whitelist in your firewall.

Whitelisting CloudFront’s IP range from behind a firewall

To whitelist the CloudFront IP range from behind a firewall, you’ll need to figure out exactly which IP addresses should be permitted. Amazon CloudFront has locations worldwide, so it’s essential to determine from which locations you want to allow traffic.

    1. Downloading the AWS IPs: First, check out the page AWS IP address ranges in the AWS documentation. Here, you’ll find a link to a file called ip-ranges.json. This file contains all of the IP addresses and ranges that AWS uses.

    2. Filtering the CloudFront IPs: Next, you’ll need to filter these IP addresses to keep only those that CloudFront uses. Each JSON object in the ip-ranges.json file contains a property named "service". For the IP addresses used by CloudFront, the value of this property is "CLOUDFRONT"; in other words, the full property reads "service": "CLOUDFRONT". The IP addresses and ranges carrying this property are the ones you need to whitelist in your firewall.

    3. Creating the whitelist rule in your firewall: Each firewall is different, so the exact steps for whitelisting CloudFront IP ranges will depend on your firewall. In general, however, you’ll need to create a new firewall rule that allows (whitelists) traffic from the specified IP ranges.

    4. Testing the whitelist: You’ll want to ensure that the whitelist rule you’ve created is functioning correctly. This involves attempting to access content hosted by CloudFront from a computer behind your firewall and verifying that the content is loading as expected.

    5. Updating the whitelist: Last but not least, you’ll want to update your CloudFront IP whitelist regularly since the list of CloudFront IP addresses and ranges can change over time. You’ll want to check that the IPs in your whitelist are still valid CloudFront IPs and also update the whitelist with any new IPs that appear in the ip-ranges.json file.
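Steps 2 and 5 above, worked as an added example (not code from the original post or from AWS): it parses a constructed file in the shape of ip-ranges.json, keeps the "CLOUDFRONT" entries (IPv4 and IPv6, optionally for chosen regions), collapses adjacent ranges, and diffs the result against an existing allowlist so stale and new ranges can be spotted. The prefixes in the sample are documentation ranges, not real CloudFront addresses; only the file layout is assumed to match AWS's.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json (the real file has
# thousands of entries); the addresses are documentation ranges, not CloudFront's.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1",
         "service": "CLOUDFRONT", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
})


def cloudfront_prefixes(ip_ranges_json, regions=None):
    """Step 2: return CloudFront prefixes (IPv4 first, then IPv6), optionally
    limited to the given regions, with adjacent ranges collapsed."""
    data = json.loads(ip_ranges_json)
    nets = []
    for key, entries in (("ip_prefix", data["prefixes"]),
                         ("ipv6_prefix", data["ipv6_prefixes"])):
        for entry in entries:
            if entry["service"] != "CLOUDFRONT":
                continue
            if regions is not None and entry["region"] not in regions:
                continue
            nets.append(ipaddress.ip_network(entry[key]))
    out = []
    for version in (4, 6):  # collapse_addresses needs a single IP version
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in sorted(ipaddress.collapse_addresses(same))]
    return out


def allowlist_diff(current_allowlist, ip_ranges_json):
    """Step 5: (ranges to add, ranges to remove) versus the latest file."""
    latest = set(cloudfront_prefixes(ip_ranges_json))
    current = set(current_allowlist)
    return sorted(latest - current), sorted(current - latest)


if __name__ == "__main__":
    # Replace SAMPLE_IP_RANGES with the downloaded ip-ranges.json for real use.
    print(cloudfront_prefixes(SAMPLE_IP_RANGES))
    print(allowlist_diff(["203.0.113.0/24", "198.51.100.0/24"], SAMPLE_IP_RANGES))
```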

