How to limit access to my Ghost app to CloudFront only

Hey there, I installed Ghost on an EC2 instance in AWS. The EC2 instance also has an Elastic IP assigned. After running "ghost install" it said it's running successfully in the instance, but it did not work - what I see is the nginx default page. So I turned to the docs - it says in the documentation of Ghost that I must configure the URL as well. So I used: "ghost config set url https://mydomain.com".

But I have a question - how should I configure nginx, if what I aim for is to allow access to the Ghost blog only through CloudFront, and NOT directly to the EC2 instance's IP? I am a little confused by the role that nginx would play here; I guess I need a bit of guidance on how to use nginx for my purpose. Thank you, best regards