13

I am looking for a way to drop connections from known spam IP addresses on an Amazon Elastic Load Balancer (ELB).

I am currently doing this at the web server level (multiple instances running behind the ELB), but I am wondering if there is a way to do it at the ELB. That way I can avoid configuring each web server instance for this.

I typically pull the DROP list from Spamhaus.org every day and update my web server configuration.

Charles
Litmus
  • Update - See AWS WAF, specifically : https://aws.amazon.com/blogs/security/how-to-import-ip-address-reputation-lists-to-automatically-update-aws-waf-ip-blacklists/ – RhysC Sep 22 '17 at 01:57

2 Answers

10

I would try using VPC ACLs for that. First of all, ELBs inside a VPC can use Security Groups, but they only specify the traffic you allow in and out of an ELB. To actually block traffic coming from a certain IP, an ACL would be the best.

For that to work, a pair of a public (internet-facing) and an internal ELB needs to be used, with the internal ELB protected by subnet ACL DENY rules.

Evgeny Goldin
  • Interesting. Could you elaborate or point me to literature which explains this in more detail? I have never used VPC earlier. Could this change make my setup more complex to manage? – Litmus Nov 21 '13 at 17:09
  • The [User Guide](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html) would be a place to start. Yes, introducing VPC makes the setup more secure but more involved; as a result there are more "moving parts" to manage: [ACLs](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html), [NAT](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html), [Internet Gateway](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html), and [Route Tables](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html). – Evgeny Goldin Nov 21 '13 at 18:03
  • In EC2-Classic (the usual way to launch EC2 instances), instances are always launched in a public network. In VPC they are launched in either a public or a private network. Once in a private network, they can be totally isolated from the external world and only SSH-ed to from specific boxes in a public network (typically an SSH gateway) or from inside the organization's (on-premises) network if the VPC is connected to it, which it doesn't have to be. – Evgeny Goldin Nov 21 '13 at 18:07
  • You can associate a security group with an ELB, as long as it's in a VPC. Then just specify the security group rules as normal to block/allow traffic – Seb Jan 28 '14 at 17:14
  • An ACL has a 40-rule maximum per list. A subnet can only use one list. That makes it unfeasible for any true access control. – emmdee Apr 14 '19 at 22:12
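As an added example (not code from the thread or from AWS), the script below turns a Spamhaus DROP-format list into the subnet ACL DENY entries the answer describes and emits the matching `aws ec2 create-network-acl-entry` commands. It also makes the rule-count problem raised in the last comment concrete: AWS network ACLs have a small per-ACL rule quota (20 by default, raisable to 40), so the caller passes a `budget` and the script refuses to produce a list that would not fit. The DROP lines, the ACL id `acl-0123456789abcdef0`, the VPC CIDR and the budget are constructed assumptions; the real DROP list has hundreds of entries and will not fit in a NACL, which is why the comment and the AWS WAF link above point elsewhere for a full list.

```python
"""Build VPC network ACL DENY entries from a Spamhaus DROP-style list.

Added example, not part of the original thread.  Sample data, ACL id,
VPC CIDR and rule budget are assumptions chosen for illustration.
"""
import ipaddress

# Constructed sample in DROP format ("<cidr> ; <SBL id>", ";" starts a
# comment).  Documentation ranges are used; this is not the real list.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: ...
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
203.0.113.0/24 ; SBL000003
not-a-network ; SBL000004
10.0.0.0/8 ; SBL000005
"""


def parse_drop_list(text):
    """Return the valid IPv4 networks from DROP-format text.

    Comment lines, blank lines and entries that do not parse as a
    network (strict, host bits must be zero) are skipped.
    """
    nets = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            continue  # malformed entry: skip rather than build a bad rule
        if net.version == 4:
            nets.append(net)
    return nets


def nacl_deny_entries(networks, budget, vpc_cidr, allow_rule_number=100):
    """Assign ascending rule numbers to DENY entries below the ALLOW rule.

    NACL rules are evaluated in ascending number order and evaluation
    stops at the first match, so every DENY must be numbered below the
    catch-all ALLOW.  Networks overlapping the VPC's own CIDR are dropped
    so the list can never cut the internal ELB off from its own subnets.
    Raises ValueError when the list exceeds the ACL rule budget.
    """
    if budget >= allow_rule_number:
        raise ValueError("budget must leave room below the ALLOW rule number")
    vpc = ipaddress.ip_network(vpc_cidr)
    usable = [n for n in networks if not n.overlaps(vpc)]
    if len(usable) > budget:
        raise ValueError(
            f"{len(usable)} DENY rules needed, but the ACL budget is {budget}; "
            "a NACL cannot hold this list"
        )
    return [(i, str(net)) for i, net in enumerate(usable, start=1)]


def aws_cli_commands(acl_id, entries):
    """Render one inbound DENY-all-protocols CLI command per entry."""
    cmds = []
    for rule_number, cidr in entries:
        cmds.append(
            "aws ec2 create-network-acl-entry"
            f" --network-acl-id {acl_id}"
            f" --rule-number {rule_number}"
            " --protocol -1 --rule-action deny --ingress"
            f" --cidr-block {cidr}"
        )
    return cmds


if __name__ == "__main__":
    nets = parse_drop_list(SAMPLE_DROP_LIST)
    # Assumed: 20-rule quota minus the existing ALLOW leaves 19 for DENYs.
    entries = nacl_deny_entries(nets, budget=19, vpc_cidr="10.0.0.0/16")
    for cmd in aws_cli_commands("acl-0123456789abcdef0", entries):
        print(cmd)
```

The commands are printed rather than executed so the output can be reviewed before it touches the ACL; pipe them to a shell only after checking that the rule numbers do not collide with entries already in the ACL, and note that a subnet has exactly one NACL, so these DENYs must coexist with whatever that ACL already allows.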
0

You can't do this from an ELB that is not instantiated inside a VPC (at the date of this answer). If inside a VPC, check out the other answers. If not, you can switch to something more controllable, such as HAProxy, or place CloudFlare (https://www.cloudflare.com/) in front of your ELB, which is probably a better option.

andreimarinescu