
I'm using an internet-facing AWS ALB (Application Load Balancer) with an ECS cluster (Docker), and I want to use it to forward both standard web traffic and internal web service traffic.

The application load balancer has a listener on port 443; it's used for the standard HTTPS web connections, and it works well (I'm able to connect through a browser).

I want to use another listener on another port (10443, for example) for my internal microservices; only my servers must be able to connect to these servers. I created and configured the ALB listener and rules. I have 2 security groups:

  • serversSG: where my ECS cluster servers are. It allows inbound traffic (all ports) from lbSG and allows all outbound traffic.
  • lbSG: the load balancer security group. It allows inbound traffic from everywhere on port 443, allows inbound traffic from serversSG on port 10443, and allows all outbound traffic.

With this configuration my servers can't connect to port 10443 on the load balancer.

The only way to connect is allowing connections from everywhere on lbSG for port 10443, but that's bad security practice.

I'm not using service discovery because I have to use another DNS service (not Route53).

jairud
    Are your servers accessing the load balancer using the internal IP, or the external IP, of that load balancer? If they're using the external IP, your authorizing their security group won't have any effect. – ceejayoz Jul 19 '18 at 19:46
  • It is using the external IP. Is there any way to connect to an internal IP of an application load balancer? – jairud Jul 20 '18 at 01:04

1 Answer


For a public-facing load balancer (one in a public subnet), your instances in your private subnet will go through the NAT Gateway to the public side of the load balancer. This means that your security group needs to use the IP address (EIP) of the NAT Gateway.

John Hanley
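The following is an added illustration for this thread, not code from AWS, the asker or the answerer. It models why the lbSG rule from the question ("port 10443 from serversSG") cannot match traffic that reaches the load balancer's public address through a NAT gateway, and why the answer's "/32 of the NAT gateway's EIP" rule does. The matcher is a simplified model of security-group evaluation: a rule that references a security group matches only while the packet's originating ENI (and therefore its group) is still visible to the VPC, whereas a CIDR rule matches on the source IP; after NAT the only thing the ALB sees is the NAT gateway's Elastic IP. All addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Security-group matching for the two paths a server can take to the ALB's
port 10443. Simplified model, added for this thread; not AWS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    port: int
    source_sg: Optional[str] = None    # match on the sender's security group
    source_cidr: Optional[str] = None  # or match on the sender's source IP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_sg: Optional[str]  # security group of the originating ENI, if still visible
    dst_port: int


def is_allowed(rules: List[IngressRule], pkt: Packet) -> bool:
    """Security groups are allow-lists: any single matching rule admits the packet."""
    for rule in rules:
        if rule.port != pkt.dst_port:
            continue
        if rule.source_sg is not None and pkt.src_sg == rule.source_sg:
            return True
        if rule.source_cidr is not None and ip_address(pkt.src_ip) in ip_network(rule.source_cidr):
            return True
    return False


# Constructed addresses (RFC 5737 documentation ranges), not real infrastructure.
SERVER_PRIVATE_IP = "10.0.1.25"
NAT_GATEWAY_EIP = "203.0.113.10"      # placeholder for the NAT gateway's Elastic IP
RANDOM_INTERNET_HOST = "198.51.100.7"

# lbSG as described in the question.
LB_RULES_AS_POSTED = [
    IngressRule(port=443, source_cidr="0.0.0.0/0"),
    IngressRule(port=10443, source_sg="serversSG"),
]

# lbSG as the answer suggests: admit port 10443 only from the NAT gateway's EIP.
LB_RULES_WITH_NAT_EIP = [
    IngressRule(port=443, source_cidr="0.0.0.0/0"),
    IngressRule(port=10443, source_cidr=f"{NAT_GATEWAY_EIP}/32"),
]


def packet_via_nat(dst_port: int) -> Packet:
    """A server in a private subnet reaching the ALB's public address: the packet
    leaves through the NAT gateway, so the ALB sees the NAT EIP as the source and
    no originating security group."""
    return Packet(src_ip=NAT_GATEWAY_EIP, src_sg=None, dst_port=dst_port)


def packet_direct(dst_port: int) -> Packet:
    """A packet whose originating ENI is still visible to the VPC: this is the
    only case in which the security-group reference in the posted rule can match."""
    return Packet(src_ip=SERVER_PRIVATE_IP, src_sg="serversSG", dst_port=dst_port)


def packet_from_internet(dst_port: int) -> Packet:
    """An arbitrary host on the internet, with no VPC identity."""
    return Packet(src_ip=RANDOM_INTERNET_HOST, src_sg=None, dst_port=dst_port)


if __name__ == "__main__":
    print("posted rules,  via NAT,  :10443 ->", is_allowed(LB_RULES_AS_POSTED, packet_via_nat(10443)))
    print("posted rules,  in-VPC,   :10443 ->", is_allowed(LB_RULES_AS_POSTED, packet_direct(10443)))
    print("NAT EIP rule,  via NAT,  :10443 ->", is_allowed(LB_RULES_WITH_NAT_EIP, packet_via_nat(10443)))
    print("NAT EIP rule,  internet, :10443 ->", is_allowed(LB_RULES_WITH_NAT_EIP, packet_from_internet(10443)))
    print("NAT EIP rule,  internet, :443   ->", is_allowed(LB_RULES_WITH_NAT_EIP, packet_from_internet(443)))
```

The model shows the trade-off behind the answer: the EIP /32 rule keeps port 10443 closed to the rest of the internet while still admitting the servers, but it ties the rule to a specific address, so the rule has to be updated if the NAT gateway is ever recreated with a different Elastic IP.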