[英]AWS WAF with IP restriction
我有一個 AWS API 網關,只能由來自 Salesforce IP 范圍的請求訪問。 如何在 Cloudformation 中使用AWS::WAFv2::WebACL
實現這一點?
AWSTemplateFormatVersion: 2010-09-09
Description: 'WAF rule to limit access to requests originating from Salesforce IP ranges only.'
Resources:
SfdcIPSet:
Type: AWS::WAFv2::IPSet
Properties:
Description: 'Salesforce IP ranges'
Name: 'SfdcIPSet'
Scope: REGIONAL
IPAddressVersion: IPV4
Addresses:
- '13.108.0.0/14'
- '96.43.144.0/20'
- '136.146.0.0/15'
- '204.14.232.0/21'
- '85.222.128.0/19'
- '185.79.140.0/22'
- '101.53.160.0/19'
- '182.50.76.0/22'
- '202.129.242.0/23'
SfdcIPRestrictionWebACL:
Type: AWS::WAFv2::WebACL
DependsOn:
- SfdcIPSet
Properties:
Name: 'SfdcIPRestrictionWebACL'
Scope: REGIONAL
DefaultAction:
Block: {}
Description: 'To limit access to Salesforce IP ranges only'
Rules:
- Name: 'sfdcIpLimitationRule'
Priority: 0
Statement:
IPSetReferenceStatement:
ARN: !GetAtt SfdcIPSet.Arn
Action:
Allow: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: 'sfdcIpLimitationRule'
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: 'SfdcWebACLMetric'
Capacity: 1
The list of Salesforce public IP ranges can be found here: https://help.salesforce.com/articleView?id=000321501&type=1&mode=1
要將 WebACL 與 API 網關一起使用,請確保使用正確的 WAFv2 語法:如下所示:
SfdcWebACLAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcApiGatewayArn]
WebACLArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcWebACLArn]
我注意到的另一件有點煩人的事情是,在 AWS 控制台中使用“WAF & Shield”的新視圖,您將只能看到 WAFv2 定義。 舊定義只能在經典視圖中看到。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.