Connect to CloudFront through WAF using Twingate

I followed these 2 manuals:
Create the exit node: AWS Exit Nodes | Docs

And then AWS CloudFront:

But the WAF is still blocking my connection attempts.

I also tried to create a connector (Using the Docker deployment method) and it’s connected, but I still get 403 from the WAF.

Elaboration:

  1. Created an EC2 (In a public subnet).
  2. Created a connector (Using the Docker deployment method)
  3. Created the resource (With the correct DNS name)
  4. Created an IP set (With the EC2’s CIDR)
  5. Created a web ACL (With the IP set I created in step 3).
  6. Connected the web ACL to CloudFront.

I try to connect - Access denied.
Any help would be great.
Thanks,
Oren.

Hi @Luc1dd,

I can suggest the following steps to further investigate the issue:

  • While connected to the Twingate client, run an nslookup or dig against the hostname served by the WAF. What you’re looking for at this point is for the address to resolve to an IP in the CG-NAT range of 100.x.
  • After a minute or so, go check the resource in the Twingate Admin Console; in the activity log you should see your connection attempt. If it is red, it means it failed (the connector could not reach the resource); if it is green, it means the connector was able to reach the resource.

If the first step resolves to the 100.x range and the second one shows a successful (green) connection then it would suggest the WAF is improperly configured. Either it has not been set to allow the correct exit IP of the Twingate connector in your network or there is some other reason for it to block the connection.

I hope the above helps, please let us know how you get on with this.
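The first diagnostic step in the reply above (does the WAF-fronted hostname resolve to a Twingate CG-NAT address while the client is connected?) is easy to script so it can be repeated for several hostnames. The following shell script is an added example and is not part of the original thread or of Twingate's own tooling. It assumes that the "100.x" range in the reply is the CG-NAT block 100.64.0.0/10 (100.64.0.0 through 100.127.255.255), and that either `dig` or `getent` is available on the machine running the Twingate client; the hostname passed on the command line is whatever you configured as the Twingate resource.

```shell
#!/bin/sh
# Check whether a hostname fronted by CloudFront/WAF resolves, from behind the
# Twingate client, into the CG-NAT range 100.64.0.0/10 (assumed to be the
# "100.x" range the reply refers to). A public address instead means the
# traffic is not being intercepted by Twingate and reaches the WAF from your
# own egress IP, which the IP set will not match.

# in_cgnat_range IP : returns 0 if IP is inside 100.64.0.0/10, 1 otherwise
in_cgnat_range() {
    ip=$1
    # split the dotted quad: first octet, then second octet
    o1=${ip%%.*}
    rest=${ip#*.}
    o2=${rest%%.*}
    case "$o1" in
        100) ;;
        *) return 1 ;;
    esac
    # 100.64.0.0/10 covers second octets 64..127 only
    [ "$o2" -ge 64 ] 2>/dev/null && [ "$o2" -le 127 ]
}

# resolve_host NAME : print IPv4 A records, using dig if present, else getent
resolve_host() {
    if command -v dig >/dev/null 2>&1; then
        dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
    else
        getent ahostsv4 "$1" | awk '{print $1}' | sort -u
    fi
}

# check_host NAME : prints a verdict per address.
# Returns 0 if every address is CG-NAT (Twingate is intercepting),
# 1 if any address is public (traffic bypasses the connector),
# 2 if the name did not resolve at all.
check_host() {
    status=0
    addrs=$(resolve_host "$1")
    if [ -z "$addrs" ]; then
        echo "$1: no A records"
        return 2
    fi
    for a in $addrs; do
        if in_cgnat_range "$a"; then
            echo "$1 -> $a : CG-NAT address, Twingate is intercepting this name"
        else
            echo "$1 -> $a : public address, traffic bypasses the Twingate connector"
            status=1
        fi
    done
    return $status
}

# usage: sh check_twingate_dns.sh <hostname-served-by-the-waf>
if [ -n "$1" ]; then
    check_host "$1"
fi
```

If the script reports a public address, the resource definition in the Twingate Admin Console does not match the hostname the browser actually uses (CloudFront distributions commonly sit behind a CNAME), so the request never goes through the connector and the WAF IP set never sees the connector's exit IP. If it reports a CG-NAT address and the activity log shows a green connection, the remaining suspect is the web ACL itself, as the reply says.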