We have a frontend Next.js application running on AWS ECS behind an Application Load Balancer. To get a static IP for this ALB, we use AWS Global Accelerator in front of it.
On the backend, we have an API running on ECS, also behind an ALB. We want to restrict API access to only our frontend ALB by using AWS WAF in front of the API ALB.
What We Did: We whitelisted the static IPs assigned to our frontend's Global Accelerator in AWS WAF. However, AWS WAF does not seem to recognize requests as coming from those static IPs, causing all requests to be blocked.
What We Observed: When analyzing traffic logs, WAF sees different IPs instead of the Global Accelerator's static IPs.
Is restricting API access to only our frontend ALB using AWS WAF and Global Accelerator achievable, or are we approaching this incorrectly?
Is there a better way to enforce access control between our frontend ALB and backend ALB without relying on IP-based filtering?
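One way to see exactly which client addresses WAF evaluated and how they compare with the allow-listed Global Accelerator IPs, as an added example that is not part of the original post: parse WAF's JSON-lines log records, pull `httpRequest.clientIp` from each, and report every address that falls outside the allow list. The log records and the IP addresses below are constructed placeholders (documentation ranges), not real traffic or real accelerator IPs.

```python
import ipaddress
import json
from collections import Counter

# Constructed AWS WAF log records (JSON Lines), not real traffic. The field
# names (action, terminatingRuleId, httpRequest.clientIp/headers) follow the
# WAF logging format; the addresses are documentation ranges chosen here.
SAMPLE_WAF_LOG = """
{"action":"BLOCK","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"203.0.113.7","uri":"/api/items","headers":[{"name":"X-Forwarded-For","value":"203.0.113.7"}]}}
{"action":"BLOCK","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"203.0.113.8","uri":"/api/items","headers":[]}}
{"action":"ALLOW","terminatingRuleId":"allow-frontend-ips","httpRequest":{"clientIp":"198.51.100.10","uri":"/api/health","headers":[]}}
""".strip()

# Placeholder for the static IPs Global Accelerator assigned to the frontend
# (the values actually placed in the WAF IP set).
GA_STATIC_IPS = ["198.51.100.10/32", "198.51.100.11/32"]


def ip_in_allow_list(ip_str, allowed_cidrs):
    """True if ip_str falls inside any CIDR of the allow list."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)


def audit_waf_log(log_text, allowed_cidrs):
    """Summarise WAF actions and list client IPs that were outside the allow list.

    Returns {"actions": {action: count}, "unexpected_ips": {ip: count}} so the
    operator can see which source addresses WAF really saw instead of the
    accelerator IPs they expected.
    """
    actions = Counter()
    unexpected = Counter()
    for line in log_text.splitlines():
        rec = json.loads(line)
        client_ip = rec["httpRequest"]["clientIp"]
        actions[rec["action"]] += 1
        if not ip_in_allow_list(client_ip, allowed_cidrs):
            unexpected[client_ip] += 1
    return {"actions": dict(actions), "unexpected_ips": dict(unexpected)}


if __name__ == "__main__":
    print(json.dumps(audit_waf_log(SAMPLE_WAF_LOG, GA_STATIC_IPS), indent=2))
```

Running this against the real WAF log stream (Kinesis Firehose, S3 or CloudWatch Logs) shows whether the blocked requests carry the NAT gateway addresses of the frontend tasks or end-user addresses, which decides whether an IP set can work at all.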