
Ajay Shankar
From Public Risk to Private Security: CloudFront with Internal ALB

Exposing an Application Load Balancer (ALB) to the public internet might seem like the simplest way to make applications globally accessible. But each internet-facing ALB is an open door with a public IP address: anyone can find it by scanning and send it traffic, including attackers, automated bots, and misconfigured scripts.

Even with security groups and a WAF in place, small human errors can create major vulnerabilities. A single over-permissive security group rule or listener rule can let unauthorized requests reach your backend, and internal or unauthenticated APIs that were never meant to be public can be discovered by scanners and exploited.

As applications expand across multiple environments, accounts, or regions, keeping track of which ALBs are public (scheme "internet-facing") and which security groups are open to 0.0.0.0/0 becomes a daunting task. Complexity grows, and so does the risk. In short, public ALBs make your infrastructure fragile, risky, and harder to manage.
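The inventory problem above is mechanical, so it is worth automating. The following is an added example (not code from the original post) that audits an ALB inventory for the two conditions that make an ALB publicly reachable: an internet-facing scheme, and a security group that admits the whole internet on a web port. The records are constructed to mirror the shape of boto3's elbv2.describe_load_balancers() and ec2.describe_security_groups() responses; the names, group IDs and the source security group sg-0cf0 are placeholders.

```python
"""Inventory audit for the "which ALBs are public?" problem.

Added example, not code from the original post. The records below are
constructed to mirror the shape of boto3's elbv2.describe_load_balancers()
and ec2.describe_security_groups() responses; in real use you would page
through those calls (per account and region) and feed the results in.
"""
from dataclasses import dataclass

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
WEB_PORTS = (80, 443)

# Constructed inventory: one internet-facing ALB with a world-open security
# group, and one internal ALB that only accepts traffic from another SG.
LOAD_BALANCERS = [
    {"LoadBalancerName": "payments-alb", "Type": "application",
     "Scheme": "internet-facing", "SecurityGroups": ["sg-0aaa"]},
    {"LoadBalancerName": "orders-alb", "Type": "application",
     "Scheme": "internal", "SecurityGroups": ["sg-0bbb"]},
]
SECURITY_GROUPS = {
    "sg-0aaa": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
    "sg-0bbb": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [],
         # hypothetical source SG, e.g. the one CloudFront attaches to its
         # VPC-origin network interfaces
         "UserIdGroupPairs": [{"GroupId": "sg-0cf0"}]},
    ]},
}


@dataclass(frozen=True)
class Finding:
    load_balancer: str
    severity: str
    detail: str


def _covers_web_port(rule):
    """True if an ingress rule includes port 80 or 443 (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules carry no port fields
        return True
    if proto != "tcp":
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= port <= hi for port in WEB_PORTS)


def _world_cidrs(rule):
    """CIDRs in the rule that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def audit_albs(load_balancers, security_groups):
    """Flag internet-facing ALBs and ALB security groups open to the world."""
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        name = lb["LoadBalancerName"]
        if lb.get("Scheme") == "internet-facing":
            findings.append(Finding(name, "high",
                "scheme is internet-facing: the ALB has public IPs"))
        for sg_id in lb.get("SecurityGroups", []):
            sg = security_groups.get(sg_id)
            if sg is None:
                findings.append(Finding(name, "medium",
                    f"security group {sg_id} missing from inventory"))
                continue
            for rule in sg.get("IpPermissions", []):
                if not _covers_web_port(rule):
                    continue
                for cidr in _world_cidrs(rule):
                    findings.append(Finding(name, "high",
                        f"{sg_id} allows {cidr} on a web port"))
    return findings


if __name__ == "__main__":
    for f in audit_albs(LOAD_BALANCERS, SECURITY_GROUPS):
        print(f"[{f.severity}] {f.load_balancer}: {f.detail}")
```

Run against the constructed inventory, the internet-facing ALB produces three findings (its scheme plus the IPv4 and IPv6 world-open rules) and the internal ALB produces none. Wire the same function to real API output, looping over every account and region, and the "which ALBs are public" question becomes a scheduled report rather than guesswork.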

Solution: CloudFront with Internal ALB

A robust way to mitigate this risk is to put Amazon CloudFront in front of an internal ALB. Global users still reach the application through CloudFront's edge locations, while the ALB itself has no public IP address at all: the backend stays completely private inside the VPC, so there is nothing for a scanner to find.

Architecture Overview

  1. Deploy the ALB as internal, in private subnets - An ALB created with scheme "internal" gets only private IP addresses, so it is not reachable from the internet and there is no public endpoint to scan or hit directly.

  2. Configure a CloudFront distribution with a VPC origin - CloudFront acts as the global entry point. Using CloudFront VPC origins, it reaches the internal ALB through network interfaces that CloudFront creates inside your VPC, so the CloudFront-to-ALB hop never crosses the public internet. Set the origin protocol to HTTPS as well, so the connection is encrypted end to end.

  3. Implement security controls - The ALB's security group should allow inbound traffic only from the source CloudFront actually uses. For a VPC origin that is the security group CloudFront creates in your VPC for its origin-facing network interfaces (CloudFront-VPCOrigins-Service-SG; confirm the group ID in the VPC origin's details), not the public CloudFront IP ranges, which only apply to internet-facing origins. As defence in depth, have CloudFront add a secret custom header to every origin request and reject requests without it at the ALB listener, so a mistaken rule elsewhere cannot silently widen access.

Optionally, attach AWS WAF to the distribution for additional protection against malicious requests (rate-based rules, the AWS managed rule groups, bot control), so they are dropped at the edge before they ever reach the VPC.
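To make the three steps concrete, here is an added example (not code from the original post) that builds the request bodies for the boto3 calls this setup needs: cloudfront.create_vpc_origin() to register the internal ALB, cloudfront.create_distribution() for a distribution whose only origin is that VPC origin, and ec2.authorize_security_group_ingress() for the ALB's security group. The ALB record, ARNs, security group IDs and the X-Origin-Verify header name are placeholders; the two cache/origin-request policy IDs are AWS managed policy IDs, which you should confirm for your partition before use.

```python
"""Request bodies for the CloudFront-in-front-of-internal-ALB setup.

Added example, not code from the original post. The ALB record, ARNs and
security-group IDs are placeholders; the dicts are shaped for boto3's
cloudfront.create_vpc_origin(), cloudfront.create_distribution() and
ec2.authorize_security_group_ingress(), which you would call with them.
"""
import secrets

# AWS managed policy IDs (verify in your console/partition before use).
CACHING_DISABLED_POLICY_ID = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
ALL_VIEWER_ORIGIN_REQUEST_POLICY_ID = "216adef6-5c7f-47e4-b989-5492eafa07d3"
ORIGIN_VERIFY_HEADER = "X-Origin-Verify"   # a convention, not fixed by AWS

# Constructed ALB record (shape of elbv2.describe_load_balancers()).
INTERNAL_ALB = {
    "LoadBalancerName": "orders-alb",
    "Scheme": "internal",
    "DNSName": "internal-orders-alb-123456789.us-east-1.elb.amazonaws.com",
    "LoadBalancerArn": ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                        "loadbalancer/app/orders-alb/0123456789abcdef"),
    "SecurityGroups": ["sg-0bbb"],
}


def new_origin_secret():
    """Random shared secret CloudFront will send; rotate it periodically."""
    return secrets.token_urlsafe(32)


def vpc_origin_request(alb, name="internal-alb-origin"):
    """Step 2a: register the internal ALB as a CloudFront VPC origin."""
    if alb.get("Scheme") != "internal":
        raise ValueError(f"{alb['LoadBalancerName']} is {alb.get('Scheme')}; "
                         "the origin ALB must be internal")
    return {"VpcOriginEndpointConfig": {
        "Name": name,
        "Arn": alb["LoadBalancerArn"],
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": "https-only",   # encrypt CloudFront -> ALB too
        "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
    }}


def distribution_config(alb, vpc_origin_id, origin_secret, caller_reference,
                        web_acl_arn=None):
    """Step 2b: distribution whose only origin is the VPC origin."""
    origin_id = f"alb-{alb['LoadBalancerName']}"
    config = {
        "CallerReference": caller_reference,
        "Comment": "CloudFront in front of an internal ALB",
        "Enabled": True,
        "Origins": {"Quantity": 1, "Items": [{
            "Id": origin_id,
            "DomainName": alb["DNSName"],
            "VpcOriginConfig": {"VpcOriginId": vpc_origin_id,
                                "OriginReadTimeout": 30,
                                "OriginKeepaliveTimeout": 5},
            # Shared secret an ALB listener rule (or a WAF on the ALB) checks
            "CustomHeaders": {"Quantity": 1, "Items": [
                {"HeaderName": ORIGIN_VERIFY_HEADER,
                 "HeaderValue": origin_secret}]},
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": origin_id,
            "ViewerProtocolPolicy": "redirect-to-https",
            "AllowedMethods": {"Quantity": 7,
                "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST",
                          "PATCH", "DELETE"],
                "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
            "CachePolicyId": CACHING_DISABLED_POLICY_ID,
            "OriginRequestPolicyId": ALL_VIEWER_ORIGIN_REQUEST_POLICY_ID,
            "Compress": True,
        },
    }
    if web_acl_arn:                 # optional step: attach a WAFv2 web ACL
        config["WebACLId"] = web_acl_arn
    return config


def alb_ingress_request(alb_sg_id, cloudfront_sg_id):
    """Step 3: ALB SG admits HTTPS only from CloudFront's VPC-origin SG."""
    return {"GroupId": alb_sg_id, "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": cloudfront_sg_id}],
    }]}


def uses_only_private_origins(config):
    """Guardrail: every origin is a VPC origin and carries the verify header."""
    return all(
        "VpcOriginConfig" in o and "CustomOriginConfig" not in o
        and any(h["HeaderName"] == ORIGIN_VERIFY_HEADER
                for h in o.get("CustomHeaders", {}).get("Items", []))
        for o in config["Origins"]["Items"])
```

The vpc_origin_request() guard refuses an internet-facing ALB so the procedure cannot be applied to the wrong load balancer by accident, and uses_only_private_origins() is the check to run in CI against any distribution config before it is deployed: a later edit that swaps the origin for a CustomOriginConfig pointing at a public hostname, or drops the verification header, fails the check. The header only helps if the ALB enforces it, so pair it with a listener rule that returns a fixed 403 response unless X-Origin-Verify matches the secret.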

Outcome: Users get fast, global access, and your applications remain private and secure.

Conclusion

From a cybersecurity standpoint, exposing an ALB to the public internet introduces unnecessary risk. By using Amazon CloudFront with an internal ALB, organizations remove the public attack surface entirely and ensure that only requests that have passed through CloudFront, and through any WAF rules attached to it, reach the backend.
