14

I've seen a bunch of similar questions like this one, but none give a general answer. I'm new to AWS. I have 2 instances running in my VPC right now. I have an ELB setup in front of them that's working just fine in routing traffic to both. Problem is, both instances also currently can be hit with HTTP from the entire web. I'd like to change things so my instances can only be hit on HTTP through my ELB. How can I do this?

Eli

2 Answers

26

I found what I was looking for. In security groups, you can add another security group as source under custom IP. It would have been great if Amazon had made it more clear this was allowed, since a security-group isn't a custom IP at all. Anyway, this is how you do it: rules

Eli
  • You could also put your EC2 instances in a private subnet, which means there is no means to access them from the Internet. Also, there is no need for them to have Public IP addresses since the ELB will use an internal IP address to access them. – John Rotenstein Nov 29 '14 at 10:32
  • @Eli - where is that security group applied to? The ELB or the EC2 instance itself? – hybrid9 Dec 09 '15 at 03:50
  • @hybrid9 you edit the rules for the EC2 instances' security group to allow HTTP/HTTPS access from the security group of the ELB. – Eli Dec 09 '15 at 07:34
  • @Eli Then, in your default SG (assigned to the ELB) you have opened the port 80 to everybody and in the EC2 the source is the SG id, isn't it? – Sergi Mar 27 '18 at 18:28
  • Sort of. I assigned a non-default security group to my LBs. On that group, I opened just port 80 (and port 443) to everybody. That's the group I added as having access on port 80 to the ec2 instances. – Eli Mar 27 '18 at 19:16
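An added example, not code from the answer's author or from AWS, showing the rule shape the accepted answer describes in the form EC2 DescribeSecurityGroups returns (boto3 `describe_security_groups()["SecurityGroups"]`): the instance group before the change (port 80 open to 0.0.0.0/0) beside the corrected version (port 80 sourced from the load balancer's security group), an audit function that tells the two apart, and the AWS CLI commands that make the change. The group IDs, account ID, sample groups and the 203.0.113.0/24 SSH range are constructed for the example.

```python
import json

# Constructed sample in the shape that EC2 DescribeSecurityGroups returns
# (boto3: describe_security_groups()["SecurityGroups"]). The group IDs and
# the account ID are made up for this example.
ELB_SG = "sg-0aaa0000000000001"   # attached to the load balancer
WEB_SG = "sg-0bbb0000000000002"   # attached to the two instances
ACCOUNT = "123456789012"

WORLD = {"0.0.0.0/0", "::/0"}


def tcp_rule(port, cidrs=(), groups=()):
    """One IpPermissions entry for a single TCP port, sourced from CIDRs
    and/or from other security groups (the source-group trick in the answer)."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    v4 = [{"CidrIp": c} for c in cidrs if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in cidrs if ":" in c]
    pairs = [{"GroupId": g, "UserId": ACCOUNT} for g in groups]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    if pairs:
        perm["UserIdGroupPairs"] = pairs
    return perm


# Before: the questioner's state, port 80 on the instances open to everyone.
ELB_GROUP = {"GroupId": ELB_SG, "GroupName": "elb",
             "IpPermissions": [tcp_rule(80, ["0.0.0.0/0", "::/0"]),
                               tcp_rule(443, ["0.0.0.0/0", "::/0"])]}
BEFORE = [
    ELB_GROUP,
    {"GroupId": WEB_SG, "GroupName": "web",
     "IpPermissions": [tcp_rule(80, ["0.0.0.0/0"]),
                       tcp_rule(22, ["203.0.113.0/24"])]},
]

# After: the ELB group is unchanged (it must stay reachable from the internet);
# the instance group allows port 80 only from the ELB's group.
AFTER = [
    ELB_GROUP,
    {"GroupId": WEB_SG, "GroupName": "web",
     "IpPermissions": [tcp_rule(80, groups=[ELB_SG]),
                       tcp_rule(22, ["203.0.113.0/24"])]},
]


def rule_covers(perm, port):
    """True if an entry applies to TCP `port`. Protocol '-1' is 'all traffic'
    and carries no port fields; such a rule would silently undo the restriction."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit(groups, sg_id, port, elb_sg):
    """Who can reach `port` on group `sg_id`: CIDR sources, group sources,
    whether it is world-open, and whether it is sourced from the ELB only."""
    cidrs, sources = set(), set()
    for g in groups:
        if g["GroupId"] != sg_id:
            continue
        for perm in g["IpPermissions"]:
            if not rule_covers(perm, port):
                continue
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
            sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return {
        "world_open": bool(cidrs & WORLD),
        "cidrs": sorted(cidrs),
        "source_groups": sorted(sources),
        "elb_only": sources == {elb_sg} and not cidrs,
    }


def remediation_cli(sg_id, port, elb_sg, cidrs):
    """AWS CLI commands that take `sg_id` from open to ELB-only: revoke each
    CIDR rule, then authorize the ELB's group as the source. --ip-permissions
    takes the same JSON shape as the API, so IPv4 and IPv6 are handled alike."""
    cmds = []
    for c in cidrs:
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {sg_id} "
                    f"--ip-permissions '{json.dumps([tcp_rule(port, [c])])}'")
    cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {sg_id} "
                f"--ip-permissions '{json.dumps([tcp_rule(port, groups=[elb_sg])])}'")
    return cmds


if __name__ == "__main__":
    before = audit(BEFORE, WEB_SG, 80, ELB_SG)
    print("before:", before)
    for cmd in remediation_cli(WEB_SG, 80, ELB_SG, before["cidrs"]):
        print(cmd)
    print("after: ", audit(AFTER, WEB_SG, 80, ELB_SG))
```

Two details worth checking when you apply this for real: the ELB's own group has to stay open on 80/443 (that is the group Eli's last comment refers to, and the audit reports it as world-open by design), and an "all traffic" (`-1`) rule on the instance group counts as covering port 80, which is why `rule_covers` treats it that way rather than ignoring it.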
1

I am going to suggest the following additional approach which comes long after the original solution has been accepted. The original solution is perhaps best, but the approach below is straightforward and if nothing else could assist with troubleshooting.

First, disassociate from the instances any rules or security groups that permit http from the web at large. Be particularly suspicious of 0.0.0.0/0 which means all ip addresses. Then, in the security group applied to the instance, permit port 80/http from the VPC's private address space. If, for instance, your VPC's private address space is 172.31.0.0/16, then permit that range to access your instance via a security group applied directly to the instance. At this point the httpd server logs on the instance should show access attempts from the specific private addresses of the load balancer. Assuming the health check's target file exists and is properly served by httpd, the target group health check status should change from unhealthy to healthy. Note that the load balancer health checker clearly identifies itself in the httpd logs as ELB-HealthChecker.

172.31.3.56 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.3.56 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"

At this point you could restrict the ip addresses permitted by the security group to only those showing up in the httpd logs, but I would be careful, because if the ELB is restarted or if its configuration is changed or reloaded, I doubt that it is guaranteed to reacquire the same private addresses that it held before.

Now with the load balancer acknowledging its targets as healthy it will consider them ready for service and begin to route traffic to them. And per the original poster's goals ("Problem is, both instances also currently can be hit with HTTP from the entire web.") this approach does not permit access to the instances from the entire web.

Most readers here will be familiar with private addressing. For anyone who is not, the Wikipedia article is as good a reference as any.

rriehle
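An added example, not from this answer's author, that performs the checking step the answer describes offline: parse httpd combined-format log lines, count requests per source address whose User-Agent identifies as the ELB health checker, flag any that fall outside the VPC's private range, and show why pinning /32 rules to the observed addresses breaks as soon as the load balancer uses a new address. The sample log is the four lines quoted above plus two constructed ones (a normal client through the ELB, and a request claiming to be the health checker from a public address); 172.31.0.0/16 as the VPC range, 172.31.40.12 as a new ELB node and 198.51.100.7 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Apache/httpd combined log format, as in the lines quoted in the answer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the answer's four lines plus two made-up ones, a real
# client arriving via the ELB and a request that claims to be the health
# checker but comes from a public (documentation-range) address.
SAMPLE_LOG = """\
172.31.3.56 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.3.56 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.3.56 - - [24/Oct/2017:17:03:10 +0000] "GET /login HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2017:17:03:12 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
"""

VPC_CIDR = "172.31.0.0/16"   # assumed VPC private range, as in the answer


def parse_log(text):
    """Return (source_ip, user_agent) for every line in combined format."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append((ipaddress.ip_address(m.group("ip")), m.group("ua")))
    return entries


def health_checker_sources(entries):
    """Requests per source address whose User-Agent is the ELB health checker."""
    return Counter(str(ip) for ip, ua in entries if ua.startswith("ELB-HealthChecker/"))


def sources_outside(entries, vpc_cidr):
    """Source addresses not inside the VPC range. With the answer's security
    group in place this should be empty; a hit means the group is still open
    to the world, or the User-Agent (a client-controlled string) is spoofed."""
    net = ipaddress.ip_network(vpc_cidr)
    return sorted({str(ip) for ip, _ in entries if ip not in net})


def pinned_rules(ips):
    """/32 rules built from observed addresses: the over-tight option the answer
    warns against, because the ELB's private addresses are not fixed."""
    return sorted(f"{ip}/32" for ip in ips)


def allowed_by(rules, ip):
    """Would a source address pass a security group made of these CIDR rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in rules)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    hc = health_checker_sources(entries)
    print("health checker sources:", dict(hc))
    print("outside VPC:", sources_outside(entries, VPC_CIDR))
    rules = pinned_rules(hc)
    print("pinned rules:", rules)
    print("new ELB node 172.31.40.12 allowed by /32 pins?", allowed_by(rules, "172.31.40.12"))
    print("same node allowed by the VPC range?", allowed_by([VPC_CIDR], "172.31.40.12"))
```

The User-Agent check is a troubleshooting signal only; the security group is what actually restricts access, which is why `sources_outside` reports on source address rather than on the string the client sends. The last two lines make the answer's caveat concrete: a health check from an address the ELB did not hold when the /32 rules were written is refused, while the VPC-range rule admits it.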