How to SaaS App Gate AWS CloudFront

The following instructions cover configuring IP whitelisting for AWS CloudFront. Before proceeding, please following the instructions to create one or more AWS Exit Nodes. You will use the external IPs of those exit nodes in your CloudFront configuration below.

Create an IP Set for CloudFront in AWS Firewall Manager

In AWS Firewall Manager, create a new IP Set with the Region set to Global (CloudFront).

Add the external IP addresses (assigned via Elastic IP) for the EC2 instances that you created in CIDR format. For example: and

Assign the WAF ACL to CloudFront

In AWS CloudFront, assign the IP Set you created to your CloudFront Distribution. This setting is AWS WAF Web ACL in your CloudFront Distribution settings.

For AWS S3 content, you may also need to create a new Origin Access Identity to restrict access to S3 content exclusively to the CloudFront CDN and the WAF ACL you applied, above. Consult the AWS S3 documentation for more information.

Create a Resource and Authorize Users in Twingate

The last step is to authorize users to access your CloudFront content in the Twingate admin console. If you need help with this step, you can follow these instructions.

  • Create a Resource in Twingate to represent your CloudFront content. Twingate always looks at the FQDN or IP address in the connection request when determining whether a user is authorized for access. For example, if the CloudFront domain you are protecting is, that will be the name of the Resource in Twingate.

  • Authorize users by assigning them and the Resource to a new Group. Add the new Resource to a Group, and assign users to the Group. Any users added to the Group will now be able to access your protected CloudFront content from any network.

Last updated 4 months ago