
Hi everybody, I'm relatively new to AWS web services and I'm struggling to secure an ALB. My web page works in a simple way: there's an API Gateway where the methods are defined, then I have an ALB that balances across N servers. What I'm trying to achieve is to limit communication to the EC2 servers to the ALB only, so nobody can access them directly. Can somebody help me find out whether this can be achieved, and how?

Best Regards

2 Answers


This is slightly more complicated than you would expect, because your ALB can actually have its IP address change.

The best way to do this is to create a VPC and host your API instances there. The VPC and subnet should be public, but don't give your API instances a public IP address. It's an option when you create the instance. Make sure the instances' HTTPS port can be connected to by anyone in the VPC so the ALB's health checks work.

Some Linux Nerd

Create two security groups:

  • First security group called something like "ALBSecurityGroup" allows http(s) ingress from 0.0.0.0/0. Put the ALB in that. The ALB should be in a public subnet with public IPs.
  • Second security group called something like "ServerSecurityGroup" allows http(s) ingress from "ALBSecurityGroup". Put the servers in that. The servers should ideally be in a private subnet with no public IPs assigned.

If you try to specify egress security groups you can get yourself into circular dependencies. There are ways around it, but it's easiest for someone new to AWS to just leave the egress open, unless you need egress restricted.

Outside of AWS you can do this with iptables, but you might as well make use of AWS features. I do something similar in that I prevent direct access to my web server: I only whitelist my static home IP and the CloudFlare CDN IP ranges.

Tim
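As an added example (not part of Tim's answer or the site), here is a Python check that audits security groups in the shape returned by `aws ec2 describe-security-groups` and confirms the server groups accept HTTP(S) ingress only from the ALB group, flagging any CIDR-based web rule or a missing ALB rule. The group IDs, names and rules are constructed sample data.

```python
# Added example (not from the answer): audit security groups in the shape
# returned by `aws ec2 describe-security-groups` and confirm that the server
# groups accept HTTP(S) only from the ALB group. IDs and rules are constructed.
WEB_PORTS = {80, 443}

def rule(port, cidrs=(), groups=()):
    """Build one IpPermissions entry (TCP, single port) in the AWS API shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed sample: the answer's two-group layout plus a stale group still open on port 80.
ALB_SG, SERVER_SG, LEGACY_SG = "sg-alb-example", "sg-server-example", "sg-legacy-example"
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "IpPermissions": [rule(443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": SERVER_SG, "IpPermissions": [rule(443, groups=[ALB_SG])]},
    {"GroupId": LEGACY_SG, "IpPermissions": [rule(80, cidrs=["0.0.0.0/0"], groups=[ALB_SG]),
                                              rule(22, cidrs=["203.0.113.0/24"])]},
]

def covers_web_port(perm):
    """True if a permission reaches TCP 80/443 (IpProtocol "-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in WEB_PORTS)

def audit_server_groups(groups, alb_group_id):
    """Return {group_id: [findings]} for every non-ALB group; [] means correct."""
    report = {}
    for group in groups:
        gid = group["GroupId"]
        if gid == alb_group_id:
            continue  # the ALB group is expected to be open to the internet
        findings, from_alb = [], False
        for perm in group.get("IpPermissions", []):
            if not covers_web_port(perm):
                continue  # e.g. SSH from an admin CIDR is out of scope for this check
            for rng in perm.get("IpRanges", []):
                findings.append("web ingress from CIDR " + rng["CidrIp"])
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == alb_group_id:
                    from_alb = True
                else:
                    findings.append("web ingress from unexpected group " + str(pair.get("GroupId")))
        if not from_alb:
            findings.append("no web ingress from the ALB group; ALB health checks would fail")
        report[gid] = findings
    return report
```

Feed it the `SecurityGroups` list from the real API call (for example via boto3's `describe_security_groups`) to run the same check against a live account.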