SPIKE: Cloudfront CDN blocking some FEC HQ traffic

[exalate-issue-sync[bot]]

Notes: 🔒 https://docs.google.com/document/d/1mZ5NxD9BU6TYM1mQV_TXoKaRJMBeKzqz-cEbwSAsqCs/edit?tab=t.0 🔒 and 🔒 https://docs.google.com/document/d/1EiaohhTQ07gzO9YXlDipOviD1L1i5RwQdy32VkFpLZo/edit?tab=t.0 🔒

Cloudfront is blocking some FEC HQ traffic due to some WAF rules. According to cloud.gov we can upgrade to CDN with WAF plan to address. We’ll need to make sure we’re eligible for this plan - not on the website yet. We will likely need to be off the prototyping tier to have this option.

{{cf update-service -p domain-with-cdn-dedicated-waf -c '

{"alarm_notification_email": "youremail@agency.gov"}

'}}

You must specify a value for “alarm_notification_email” or the update will fail.

• [x] Research options for replicating HQ requests
• [x] Reach out to cloud.gov for help

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-1713

[exalate-issue-sync[bot]]

Laura Beaufort commented: [cloud.gov|http://cloud.gov] said we were ok to go ahead and test it.

Custom WAF in place in stage and test:

{{cf update-service stage.fecfile.fec.gov -p domain-with-cdn-dedicated-waf -c '{"alarm_notification_email": "(Laura's email)"}'}}

{{cf update-service test.fecfile.fec.gov -p domain-with-cdn-dedicated-waf -c '{"alarm_notification_email": "(Laura's email)"}'}}

!Screenshot 2024-10-24 at 2.48.05 PM.png|width=705,height=42,alt="Screenshot 2024-10-24 at 2.48.05 PM.png"!

!Screenshot 2024-10-24 at 2.47.45 PM.png|width=705,height=42,alt="Screenshot 2024-10-24 at 2.47.45 PM.png"!

From [cloud.gov|http://cloud.gov]:

This plan includes all of the same functionality as your current CDN plan, but adds:  

• A dedicated WAF web ACL for your CloudFront distribution. At your request, this WAF can be customized with rules that will be specific to the traffic for your distribution. For example, you could block all non-US traffic to your distribution. For now, customizing these rules will require emailing [cloud.gov|http://cloud.gov] support at [+support@cloud.gov+|mailto:support@cloud.gov].
• Route53 health checks on the domains for your distribution. These health checks effectively act as uptime monitors for your domains, notifying you when your domains cannot be reached for at least 1 minute.
• Cloudwatch alarms on the Route53 health checks, so that when the health checks are failing, you can be notified
• A Cloudwatch alarm anytime a DDoS event is detected for your distribution. Please bear in mind that this alarm notification just means that a DDoS event was detected, but not that it has successfully caused an outage, so these notifications are for your awareness only.

A dedicated SNS topic that will send emails to an email address that you specify for the Cloudwatch alarms mentioned above.

[exalate-issue-sync[bot]]

Todd Lees commented: This looks great! I created [https://fecgov.atlassian.net/browse/FECFILE-1729|https://fecgov.atlassian.net/browse/FECFILE-1729|smart-link] to address the placeholder email. I want to confirm that this change didn’t precipitate the 403s [~accountid:712020:eaccd25d-427c-4e4d-a650-909ec0b31071] encountered recently. After that has been confirmed i’ll move this through

[lbeaufort]

@toddlees [https://fecgov.atlassian.net/browse/FECFILE-1729|https://fecgov.atlassian.net/browse/FECFILE-1729|smart-link](creating a system alert email distribution list) is a great follow-up, thank you