具有 IP 限制的 AWS WAF

Question

我有一個 AWS API 網關，只能由來自 Salesforce IP 范圍的請求訪問。 如何在 Cloudformation 中使用AWS::WAFv2::WebACL實現這一點？

Answer 1

AWSTemplateFormatVersion:  2010-09-09
Description: 'WAF rule to limit access to requests originating from Salesforce IP ranges only.'

Resources:
  SfdcIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Description: 'Salesforce IP ranges'
      Name: 'SfdcIPSet'
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - '13.108.0.0/14'
        - '96.43.144.0/20'
        - '136.146.0.0/15'
        - '204.14.232.0/21'
        - '85.222.128.0/19'
        - '185.79.140.0/22'
        - '101.53.160.0/19'
        - '182.50.76.0/22'
        - '202.129.242.0/23'

  SfdcIPRestrictionWebACL:
    Type: AWS::WAFv2::WebACL
    DependsOn:
      - SfdcIPSet
    Properties:
      Name: 'SfdcIPRestrictionWebACL'
      Scope: REGIONAL
      DefaultAction:
        Block: {}
      Description: 'To limit access to Salesforce IP ranges only'
      Rules:
        - Name: 'sfdcIpLimitationRule'
          Priority: 0
          Statement:
            IPSetReferenceStatement:
              ARN: !GetAtt SfdcIPSet.Arn
          Action:
            Allow: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: 'sfdcIpLimitationRule'
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: 'SfdcWebACLMetric'
      Capacity: 1

The list of Salesforce public IP ranges can be found here: https://help.salesforce.com/articleView?id=000321501&type=1&mode=1

要將 WebACL 與 API 網關一起使用，請確保使用正確的 WAFv2 語法：如下所示：

SfdcWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcApiGatewayArn]
      WebACLArn: !FindInMap [EnvironmentMapping, !Ref EnvironmentName, sfdcWebACLArn]

我注意到的另一件有點煩人的事情是，在 AWS 控制台中使用“WAF & Shield”的新視圖，您將只能看到 WAFv2 定義。 舊定義只能在經典視圖中看到。