Required configuration for Application Load Balancers that are CloudFront origins - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Required configuration for Application Load Balancers that are CloudFront origins

Read this section if you associate your web ACL to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution.

With this architecture, you need to provide the following additional configuration in order for the token information to be handled correctly.

  • Configure CloudFront to forward the aws-waf-token cookie to the Application Load Balancer. By default, CloudFront removes cookies from the web request before forwarding it to the origin. To keep the token cookie with the web request, configure CloudFront cache behavior to include either just the token cookie or all cookies. For information about how to do this, see Caching content based on cookies in the Amazon CloudFront Developer Guide.

  • Configure Amazon WAF so that it recognizes the domain of the CloudFront distribution as a valid token domain. By default, CloudFront sets the Host header to the Application Load Balancer origin, and Amazon WAF uses that as the domain of the protected resource. The client browser, however, sees the CloudFront distribution as the host domain, and tokens that are generated for the client use the CloudFront domain as the token domain. Without any additional configuration, when Amazon WAF checks the protected resource domain against the token domain, it will get a mismatch. To fix this, add the CloudFront distribution domain name to the token domain list in your web ACL configuration. For information about how to do this, see Amazon WAF web ACL token domain list configuration.