My architecture is like so: I have a static website xyz.com hosted on S3 and served with CloudFront. The website is accessing an API that sits behind a load balancer. I want to make sure that only requests from my website xyz.com are allowed through my load balancer to my API. I thought that the flow is user -> CloudFront -> load balancer, so I added a rule on my load balancer's security group to only allow HTTP access if it comes from CloudFront via the prefix list for Amazon CloudFront.
This prevents my website from accessing the load balancer. So, I guess I was wrong, and the flow is that the user (browser) sends the request to the API and not CloudFront (so CloudFront is only serving the website's assets for rendering)? Am I correct? If so, is there a way to make sure that only requests from my website go through?
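Added illustration (not part of the original question or any answer to it): a small Python model of how a security group evaluates an ingress rule that references a managed prefix list, showing why the rule described above admits a request only when its source address is a CloudFront edge and drops one that a browser sends to the load balancer directly. The address ranges below are constructed sample values, not the real CloudFront address space (that comes from the managed prefix list AWS publishes as `com.amazonaws.global.cloudfront.origin-facing`); the rule and prefix-list IDs are likewise hypothetical.

```python
"""Toy evaluation of a security-group ingress rule that references a managed
prefix list. Added illustration only: the CIDRs are constructed sample ranges,
not real CloudFront ranges.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed stand-in for the CloudFront managed prefix list (NOT real ranges).
CLOUDFRONT_PREFIX_LIST = {
    "pl-example-cloudfront": [
        "203.0.113.0/24",
        "198.51.100.0/24",
    ]
}


@dataclass
class IngressRule:
    protocol: str
    from_port: int
    to_port: int
    cidrs: list = field(default_factory=list)
    prefix_list_ids: list = field(default_factory=list)

    def allowed_networks(self, prefix_lists):
        """Expand literal CIDRs plus every CIDR of each referenced prefix list."""
        nets = [ipaddress.ip_network(c) for c in self.cidrs]
        for pl in self.prefix_list_ids:
            nets += [ipaddress.ip_network(c) for c in prefix_lists.get(pl, [])]
        return nets


def ingress_allowed(rules, prefix_lists, src_ip, dst_port, protocol="tcp"):
    """Security groups are allow-only: a packet is accepted if any rule matches
    and silently dropped otherwise (no reject, so a blocked client just hangs)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.protocol not in (protocol, "-1"):
            continue
        if not (rule.from_port <= dst_port <= rule.to_port):
            continue
        if any(ip in net for net in rule.allowed_networks(prefix_lists)):
            return True
    return False


# The rule from the question: HTTP, only from the CloudFront prefix list.
LB_SECURITY_GROUP = [
    IngressRule("tcp", 80, 80, prefix_list_ids=["pl-example-cloudfront"]),
]


def classify_request(src_ip, dst_port=80):
    """Verdict for a request arriving at the load balancer from src_ip."""
    ok = ingress_allowed(LB_SECURITY_GROUP, CLOUDFRONT_PREFIX_LIST, src_ip, dst_port)
    return "allowed" if ok else "dropped"


if __name__ == "__main__":
    # Request relayed by a CloudFront edge: source IP is inside the prefix list.
    print("edge 203.0.113.10:80  ->", classify_request("203.0.113.10"))
    # The browser calling the API directly: its own IP, which is not an edge IP.
    print("browser 192.0.2.44:80 ->", classify_request("192.0.2.44"))
    # An edge IP on a port the rule does not cover is dropped as well.
    print("edge 203.0.113.10:443 ->", classify_request("203.0.113.10", 443))
```

Because a security group has no deny action, the browser's direct call to the load balancer is not rejected but simply times out, which is consistent with the site "not being able to access" the load balancer after the rule was added. The model only evaluates the source address; it says nothing about which host name the request was for, so nothing here can tell a request from xyz.com apart from any other client at the same address.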