3

Our current setup is:

Client -> ALB -> Target Group -> auto-scaled instances

We have some urls that we would like to "hide" behind VPN access such as:

Client -> VPN -> ALB -> Target Group -> auto-scaled instances

For instances with a static IP address, it is possible to configure security group access to ports from the security group of the VPN instance. But our VPN is set to route only internal traffic and not internet traffic, and so it does not route the necessary URL.

URL would be for example: "https://www.something.com/admin"

One idea we have is to use a custom port: "https://www.something:8099/admin", then in the ALB security group configure that port to be accessible only from the security group of the VPN instance. That still does not work though, as the VPN will not route internet traffic.

I have tried to change VPN (openVPN access server) configuration but with no success. Even when I configured the VPN to route all internet traffic, it still didn't work.

Every piece of material I found online about this topic suggests altering the VPN config to route the domain to a specific IP.

Is there any way of achieving this without having to hardcode IP addresses? Obviously I cannot hardcode the internal ALB IP as it is changing all the time, and I cannot hardcode the final instance traffic as it is auto-scaled and also changing all the time.

Tomas
  • 163
  • 2
  • 6

2 Answers

0

Domain names are resolved to IP addresses by sending queries to DNS servers. If I understood correctly, you want the domain name to resolve to the internal IP address when people are using the VPN.

This can be done by implementing your own DNS server and telling your VPN clients to use that DNS server when connected via the VPN. In the DNS server, you will set up the zone for something.com, where you add A records for the domains / subdomains that point to the internal IP addresses you want to use.

Otherwise this DNS server can act as a normal recursive DNS resolver.

Tero Kilkanen
  • 36,796
  • 3
  • 41
  • 63
  • Not exactly. I don't need any special resolving, all I need is for the ALB to *know* that the traffic came from/through the VPN instance. The DNS can be resolved as it is normally, I just need to route the traffic to that domain through the VPN so AWS can pick it up and apply the correct security measures – Tomas Jun 05 '17 at 11:53
0

One solution I can think of is using two record sets, like www.example.com and admin.example.com.

www.example.com --> Public ALB (open to internet) --> Target Group (other than /admin) --> auto-scaled instances

In this one, attach one more target group that forwards /admin to a 404 or error.

admin.example.com --> Internal ALB (open to VPN) --> Target Group (/admin) --> auto-scaled instances

AWS supports split domains if the zone/records are managed in Route53.
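A check for the layout this answer describes, added here as an example and not part of the answer: it audits exported listener rules and a security group (constructed sample data shaped like `aws elbv2 describe-rules` and `aws ec2 describe-security-groups` JSON output; every ID and ARN is a placeholder) to confirm that the public ALB answers /admin with a fixed 404 and that the internal ALB admits port 443 only from the VPN instance's security group.

```python
"""Audit the split-domain layout: public ALB must short-circuit /admin with a
fixed 404 before its default forward; the internal ALB's security group must
admit 443 solely from the VPN instance's security group."""
import fnmatch

# Constructed sample data in the shape of `aws elbv2 describe-rules` output.
PUBLIC_ALB_RULES = [
    {"Priority": "1", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/admin*"]}],
     "Actions": [{"Type": "fixed-response",
                  "FixedResponseConfig": {"StatusCode": "404", "ContentType": "text/plain"}}]},
    {"Priority": "default", "IsDefault": True, "Conditions": [],
     "Actions": [{"Type": "forward",
                  "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/PLACEHOLDER"}]},
]
VPN_SG_ID = "sg-PLACEHOLDER-vpn"  # placeholder: the VPN instance's security group
# Constructed sample in the shape of one entry from `aws ec2 describe-security-groups`.
INTERNAL_ALB_SG = {"GroupId": "sg-PLACEHOLDER-internal-alb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": VPN_SG_ID}]},
]}

def admin_blocked(rules, path="/admin/"):
    """True if the first rule (by priority) whose path-pattern matches `path`
    returns a fixed 404. Only path-pattern conditions are evaluated here;
    ALB's `*`/`?` wildcards are approximated with fnmatch."""
    ordered = sorted((r for r in rules if not r.get("IsDefault")),
                     key=lambda r: int(r["Priority"]))
    for rule in ordered:
        for cond in rule["Conditions"]:
            if cond["Field"] == "path-pattern" and any(fnmatch.fnmatch(path, p) for p in cond["Values"]):
                act = rule["Actions"][0]
                return act["Type"] == "fixed-response" and act["FixedResponseConfig"]["StatusCode"] == "404"
    return False  # no matching rule: the request falls through to the default forward

def sg_only_from(sg, source_sg_id, port=443):
    """True if every ingress permission covering `port` is sourced solely from
    `source_sg_id` (no CIDR, IPv6 or prefix-list sources) and at least one exists."""
    covered = False
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" has no ports
        if not lo <= port <= hi:
            continue
        if perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("PrefixListIds"):
            return False  # an address-range source means the ALB is not VPN-only
        if {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])} != {source_sg_id}:
            return False
        covered = True
    return covered
```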