I want to put WAF in front of API Gateway, and with the (little) info I find that is only possible by manually putting an extra Cloudfront distribution with WAF enabled, in front of APIG. It's a bit of a shame, especially since APIG now supports custom domains natively, but it should work.
Now to make the solution secure rather than just obscure, I want to enforce that the APIs can only be accessed through the Cloudfront distro. What is the best option to do this?
Any better ideas? Or perhaps "the right way" to do it exists but I overlooked it?
I am from API Gateway.
Unfortunately, the best solution we have as of now is, to inject an origin custom header in CloudFront and validate that in a custom authorizer (option 4 in your question).
We are already aware of this limitation and not-so-great workaround. We are looking to provide better WAF integration in future, but we do not have an ETA.