Feat/CloudFront distribution での IPv6 無効化オプションの追加 #1121
Closed
+57
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Changes
CloudFrontでIPv6を無効化できる設定を追加。
この変更により、cdk.jsonのcloudFrontIPv6Enabledパラメータ(デフォルト値はtrue)を使用してCloudFrontのIPv6を無効化できます。
現在の設定ではデフォルトでIPv6が有効になっていますが、これが接続問題を起こす可能性がありした。
WAFでIPアドレス制限を設定する際、多くの場合IPv4のみを考慮してしまい、IPv6経由でのアクセス制限は考慮されないことがあり、意図しないIPv6での外部公開につながる可能性があります。
また、WAFでIPv6を ALL Deny する設定を入れても、アクセス元が Dual Stack の場合、IPv4の許可設定を正しく入れても、IPv6 が優先されるので、GenUに繋がらないという事象も発生する可能性があります。
Checklist
npm run cdk:testand if there are snapshot differences, executenpm run cdk:test:update-snapshotto update snapshotsRelated Issues
NA