A company has deployed an Application Load Balancer (ALB) to manage traffic to their public-facing applications. Recently, they experienced a DDoS attack, prompting them to place Amazon CloudFront in front of the ALB to prevent direct access to the EC2 instances. Despite this measure, they notice that some traffic is bypassing CloudFront and still reaching the ALB, potentially exposing the EC2 instances to direct traffic. What two actions should the company take to ensure that only traffic from CloudFront reaches the EC2 instances behind the ALB?