Integrating ELB with CloudFront and WAF
Start course

In this course, we shall be discussing Amazon Elastic Load Balancers (ELBs) and how ELBs integrate with other AWS services to help provide high availability, improve performance, and increase security for your applications.

Learning Objectives

By the end of this course, you will have a greater understanding of:

  • ELBs integrations with key AWS services
  • ELBs importance to Amazon Kubernetes

Intended Audience

Anyone working with AWS Networking will benefit from this course, also if you are:

  • Studying for the AWS Networking Specialty certification
  • Studying for the AWS Solutions Architect certifications

If you are looking to increase your AWS knowledge, this course is for you.


Before attending this course, you should be familiar with Amazon ELB, including the different ELB types and how they are configured. Experience with AWS services such as CloudFront, WAF, and Global Accelerator is also desirable but not required.

For more information on these services, please see our existing courses: 


In this lecture, we'll discuss ELB integration with Amazon CloudFront and AWS Web Application Firewall (WAF). ACME has customers around the globe. Recently, they have been getting complaints from customers in the USA stating that when placing orders from their website,  it is slow. ACME does not want to deploy more web servers in the USA region, but they are willing to have their content distributed close to their customers to reduce latency and therefore increased performance. To that end, they have decided to integrate their current solution with Amazon CloudFront, a news CloudFront to cache content on AWS edge locations close to the customers that need access to it. 

Security is also a concern for ACME. So, as part of this integration, they have decided to use AWS Web Application Firewall (WAF) to provide protection from common web exploits and box. To integrate CloudFront with their solution and take advantage of CloudFront caching of content and this reduced latency, ACME will create a CloudFront distribution and then adjust the Alias records in route 53 to route traffic to the distribution instead of the ELB. When configuring a CloudFront distribution, you select one of more origins and origin is where your content can be found and where CloudFront will fetch content from when one of your customers requests it. 

In our example, the origin will be set to ACME's ELB. Select the protocols to be used to connect the origin and the protocols customers can use to connect the distribution, choose cache time to lives, and select certificate to be used for HTTPS traffic. We could also set a pricing class. The pricing class controls groupings of edge locations that our content can be cached on. The three price classes are: Use all edge locations, this is the most expensive class. Use only North America and Europe, this is the cheapest price in class. And use North America, Europe, Asia, Middle East, and Africa. It is the ACME customers in the USA that have complained about slow response times. So, to keep costs down, ACME might decide to use the only North America and Europe price class for their distribution. Once the distribution is created, you are given a CloudFront domain name. 

It will have a suffix and can be used to connect the distribution and retrieve content. Most customers using CloudFront will want to use their own domain names. ACME might want its customers to use for example. For this to happen, you must add an alternate domain name to your CloudFront distribution, add a digital certificate to your CloudFront distribution. The certificate must include the alternate domain name you added in step one and update the Alias record in route 53 to route users to the CloudFront distribution instead of the elastic load balancer. For more information on creating CloudFront distributions, please see the Cloud Academy course Amazon CloudFront design patterns. AWS Web Application Firewall (WAF) lets you monitor HTTP and HTTPS requests that are sent to selected AWS services and lets you control access to your content. 

To use WAF, you create a WAF access control list that contains rules. A WAF ACL can contain a single rule or a group of rules known as a rule group. You can create your own rule group or use the rule groups provided by AWS. There are even rule groups available to purchase through the Amazon Marketplace. Rules have logic that can inspect traffic and then either allow traffic, deny traffic, count traffic. Count traffic is useful if you wish test the rule or if you want to deny traffic, but only after a certain threshold is met. WAF ACLs can be regional or global. Regional ACLs can be associated with an inspect traffic for: Application Load Balancers, AppSync, and API Gateways. Global ACLs can be associated with an inspect traffic for: CloudFront distributions. ACME could have used AWS WAF directly with its Application Load Balancer, but now they have an integration with CloudFront, they will create an ACL for use with their CloudFront distribution. In the following demonstration, we will create a WAF ACL and associate it with a CloudFront distribution.


About the Author

Mike has worked in IT since 1997, specializing in networking, storage, and architecture. He's been in cloud computing for the last 8 years, working across several cloud platforms but specializing in AWS. He's been involved in many cloud projects over the years covering migrations, hybrid connectivity, security optimization, networking, and storage architecture.

He gained his first training qualification in 1998 and, about 3 years ago, became an AWS Authorized Champion Instructor. He's delivered AWS cloud courses across Europe for a range of clients, with a focus on Architecture, Security, and Networking. He currently holds certifications for the four biggest cloud vendors, including the AWS Solutions Architect Professional, AWS DevOps Engineer, and AWS Advanced Networking specialty certifications.

He lives in the North of England with his wife Frances and their dog Inca.