If we want the ALB to accept traffic only from CloudFront, and not directly from the public internet, we can add a custom origin header in CloudFront. In the ALB we set a conditional listener rule that checks for that custom header; if the custom header is missing, the request is rejected.
CloudFront: set a custom origin header:
ALB: set a listener rule:
If the custom header matches, forward the request to the target group.
If it does not match, return a 503 response.
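The two halves of this setup, as an added example that is not from the original note: the CloudFront origin `CustomHeaders` block and the ALB listener rule `Conditions`/`Actions` in the shape the AWS APIs use, plus a small simulation of how the ALB evaluates the rule so the forward/503 behaviour can be checked offline. The header name `X-Origin-Verify`, the target group ARN and the request headers are constructed placeholders; nothing here calls AWS.

```python
import hmac
import secrets
from typing import Dict, List, Tuple

# Hypothetical header name (assumption); the secret value is what actually gates access.
HEADER_NAME = "X-Origin-Verify"


def new_secret() -> str:
    """Random shared secret for the custom header.

    ALB compares http-header condition values case-insensitively, so lowercase
    hex keeps the full entropy; 64 characters stays under the 128-char value limit.
    """
    return secrets.token_hex(32)


def cloudfront_origin_custom_headers(secret: str) -> Dict:
    """CustomHeaders block of a CloudFront origin; CloudFront adds this header to
    every request it sends to the origin, but not to requests sent by clients."""
    return {"Quantity": 1, "Items": [{"HeaderName": HEADER_NAME, "HeaderValue": secret}]}


def alb_listener_rule(secret: str, target_group_arn: str) -> Dict:
    """Conditions/Actions for an ALB listener rule (elbv2 create-rule shape):
    forward to the target group only when the header carries the secret."""
    return {
        "Conditions": [
            {
                "Field": "http-header",
                "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME, "Values": [secret]},
            }
        ],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def alb_default_actions() -> List[Dict]:
    """Listener default action: anything that matched no rule gets a fixed 503."""
    return [
        {
            "Type": "fixed-response",
            "FixedResponseConfig": {
                "StatusCode": "503",
                "ContentType": "text/plain",
                "MessageBody": "Service Unavailable",
            },
        }
    ]


def evaluate(request_headers: Dict[str, str], rule: Dict, default_actions: List[Dict]) -> Tuple[str, str]:
    """Simulate ALB evaluation of one listener rule followed by the default action.

    Header names are case-insensitive and values are compared case-insensitively
    (exact match only; ALB's * and ? wildcards are not modelled). The constant-time
    compare is this simulation's choice; ALB's internal comparison is not documented.
    Returns ("forward", target_group_arn) or ("fixed-response", status_code).
    """
    headers = {name.lower(): value for name, value in request_headers.items()}
    matched = True
    for cond in rule["Conditions"]:
        cfg = cond["HttpHeaderConfig"]
        presented = headers.get(cfg["HttpHeaderName"].lower(), "").lower().encode()
        if not any(hmac.compare_digest(presented, v.lower().encode()) for v in cfg["Values"]):
            matched = False
            break
    action = (rule["Actions"] if matched else default_actions)[0]
    if action["Type"] == "forward":
        return ("forward", action["TargetGroupArn"])
    return (action["Type"], action["FixedResponseConfig"]["StatusCode"])


if __name__ == "__main__":
    # Constructed demo: one secret shared between the CloudFront origin and the ALB rule.
    secret = new_secret()
    tg = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef"  # placeholder
    rule = alb_listener_rule(secret, tg)
    print(cloudfront_origin_custom_headers(secret))
    print(evaluate({"Host": "example.com"}, rule, alb_default_actions()))            # direct hit: 503
    print(evaluate({"X-Origin-Verify": secret}, rule, alb_default_actions()))        # via CloudFront: forward
    print(evaluate({"x-origin-verify": "guess"}, rule, alb_default_actions()))       # wrong value: 503
```

Rotate the secret by adding the new value as a second entry in `Values` (a condition allows up to five), switching the CloudFront header, then removing the old value, so there is no window where CloudFront requests are rejected.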
--
You cannot put the ALB in a private subnet; it has to be in a public subnet, because CloudFront cannot reach a private subnet.