Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
When using CloudFront and/or WAF in front of App Runner to hide the services' IP addresses, the services are still reachable on https://foobar.region.awsapprunner.com. While this URL is difficult to just guess, it's still a security (DDoS) risk if it somehow ends up in the wrong hands.
If we could access the security group or even better just tick a box to disable the awsapprunner.com URL, this would be solved.
Describe alternatives you've considered
Having some logic at the application level to ignore requests not coming from other AWS services, but this is only a slight protection as the requests will still saturate the App Runner services.
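
One form the application-level check described above could take, as an added example that is not part of the original issue or any AWS code: a WSGI middleware that answers 403 unless the request carries a shared secret that CloudFront is assumed to add as a custom origin header. The header name and secret values are hypothetical, and, as the issue says, rejected requests still reach and consume the App Runner service.

```python
import hmac

# Assumptions (hypothetical): CloudFront adds this custom origin header, and the
# values below stand in for secrets loaded from a secret store. Two values are
# accepted so the secret can be rotated without dropping traffic.
HEADER_ENVIRON_KEY = "HTTP_X_ORIGIN_VERIFY"
ACCEPTED_SECRETS = (b"constructed-current-secret", b"constructed-previous-secret")


def came_through_cdn(environ, secrets=ACCEPTED_SECRETS):
    """Return True if the request presents one of the accepted shared secrets."""
    presented = environ.get(HEADER_ENVIRON_KEY, "").encode("latin-1", "replace")
    matched = False
    for secret in secrets:
        # compare_digest is constant time; every secret is checked, no early exit.
        matched |= hmac.compare_digest(presented, secret)
    return matched


class OriginGate:
    """WSGI middleware that rejects direct hits on the default service URL."""

    def __init__(self, app, secrets=ACCEPTED_SECRETS):
        self.app = app
        self.secrets = secrets

    def __call__(self, environ, start_response):
        if came_through_cdn(environ, self.secrets):
            return self.app(environ, start_response)
        body = b"forbidden\n"  # small fixed reply keeps the rejection path cheap
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def demo_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    return seen.get("status") or (b"".join(app(environ, start_response)) and None) or seen["status"], \
        b"".join(app(environ, start_response))
```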