
I'm confused how the AWS load balancers work. I have a pretty simple setup...

I have a rest based API that needs to be exposed to the internet (port 80) via my load balancer. I only want the load balancer exposed to the internet traffic. I have a security group setup for my instance that restricts direct access to only my ipaddress for testing purposes.

The load balancer is not ip restricted on http, it just has port 80 open (with a listener to my api service on port 3001). The problem is that the load balancer cannot see my instance if I setup any ip restrictions on the instances in question. Once I remove those restrictions on my instances, the health checks start working and I can access the service through the load balancer. The problem with that is my instances now have ports open to the internet that I don't want.

Is there something additional I need to do to allow the load balancer to access my instances when using ip restrictions?

One final note, my health checks work fine until I add the instance-level ip restrictions so I know the health check is not the problem. I think if I added the load balancer's IP to my whitelist, it would work, but that ip is dynamic and not viable for this purpose.

bstar
  • You are setting an IP restriction on what port on your instance when your ELB marks the instance unhealthy? – Piyush Patil Jul 25 '16 at 18:23
  • I have restricted port 3001 to be open to only my IP address. When restricting access, I assumed that only applied to internet-facing traffic, but I think it might also be restricting my load balancer's access to the instance. ELB does not make the instance unhealthy per se, it just fails the health check. – bstar Jul 25 '16 at 18:30
  • What have you set up in your AWS ELB health check? – Piyush Patil Jul 25 '16 at 18:32

1 Answer


Don't use IP restrictions.

1) Select your LB, select the Security tab and note the Security Group ID (something like sg-5555abb). Click on that ID to edit it.

2) When you edit your Load Balancer security group, add only one allow rule: HTTP TCP 80 0.0.0.0/0 (and/or 443 if you need it, but you get the idea).

3) Next go to your instance's security group. Allow only the Load Balancer's security group to access your instance on port 3001: Custom TCP Rule TCP 3001 sg-5555abb (my-load-balancer). Notice that in the Source field you do not enter an IP address/mask but the Security Group ID from step 1).

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules

Dusan Bajic
  • My load balancer security group does not restrict on IP, just my instance's security group does. I thought the LB would be immune to the instance's security group rules... I figured it accesses the instance over the local amazon network. – bstar Jul 25 '16 at 18:39
  • Sorry, perhaps I was not clear enough, I will expand the answer. – Dusan Bajic Jul 25 '16 at 18:43
  • @bstar I deleted my answer; follow this answer, this is what you are looking for and it will work exactly how you want it. – Piyush Patil Jul 25 '16 at 19:01
  • Thanks so much to both of you for helping, this fixed the problem! It makes much more sense now, I did not realize that I needed to reference the LB security group here. – bstar Jul 25 '16 at 19:08
  • Well, it's not that you *need* to, but that is about the only way to allow only LB to access your API. You could also use your private subnet CIDR/mask (you have to put whole subnet in `Source` since the LB's private IP can change over time), which would prevent 'the world' from accessing API directly, but still all other instances from your subnet would have access, and that is often undesirable. – Dusan Bajic Jul 25 '16 at 19:15
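The three designs discussed in this thread (the asker's per-IP whitelist, the accepted answer's security-group reference, and the subnet-CIDR alternative from the last comment) differ only in what the instance rule's Source field matches. The following is an added, offline illustration, not code from the question, the answer, or AWS: it models the allow-only, source-matching semantics of security-group inbound rules and runs constructed traffic through each design. All IP addresses, the "sg-other" group and the peer names are made up; "sg-5555abb" is the placeholder ID from the answer.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule: protocol, destination port, and a
    source that is either a CIDR block or another security group's ID."""
    protocol: str
    port: int
    source: str


@dataclass(frozen=True)
class Peer:
    """The sender of a connection: its IP address and the security groups its
    network interface belongs to (empty for anything outside the VPC)."""
    name: str
    ip: str
    groups: frozenset = frozenset()


def rule_matches(rule: Rule, protocol: str, port: int, src: Peer) -> bool:
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Group-ID source: matches when the sender's interface is a member of
        # that group. The sender's private IP is irrelevant, so it may change.
        return rule.source in src.groups
    # CIDR source: ordinary address match.
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source)


def allowed(rules, protocol: str, port: int, src: Peer) -> bool:
    """Security groups are allow-only and unordered: any matching rule admits the traffic."""
    return any(rule_matches(r, protocol, port, src) for r in rules)


# --- constructed actors (all addresses and IDs are made up for this example) ---
LB_SG = "sg-5555abb"   # the load balancer's group, placeholder ID from the answer
MY_IP = "203.0.113.7"  # the asker's own address used for testing
LB_NODE = Peer("lb-node", "10.0.1.25", frozenset({LB_SG}))
LB_NODE_LATER = Peer("lb-node-after-ip-change", "10.0.1.78", frozenset({LB_SG}))
ME = Peer("my-laptop", MY_IP)
NEIGHBOUR = Peer("other-instance-in-subnet", "10.0.1.140", frozenset({"sg-other"}))
PEERS = [LB_NODE, LB_NODE_LATER, ME, NEIGHBOUR]

# Load balancer security group: only port 80 from the whole internet (step 2).
LB_RULES = [Rule("tcp", 80, "0.0.0.0/0")]

# Three candidate instance security groups for the API on port 3001.
INSTANCE_DESIGNS = {
    "ip-whitelist": [Rule("tcp", 3001, f"{MY_IP}/32")],   # the question's setup
    "subnet-cidr": [Rule("tcp", 3001, "10.0.1.0/24")],     # alternative from the comments
    "lb-sg-reference": [Rule("tcp", 3001, LB_SG)],         # the accepted answer (step 3)
}


def reachability(rules, port: int) -> dict:
    """Which constructed peers can reach `port` through `rules`."""
    return {p.name: allowed(rules, "tcp", port, p) for p in PEERS}


def compare_designs() -> dict:
    """Reachability of port 3001 under each instance security-group design."""
    return {name: reachability(rules, 3001) for name, rules in INSTANCE_DESIGNS.items()}


if __name__ == "__main__":
    print("load balancer, port 80:", reachability(LB_RULES, 80))
    for design, result in compare_designs().items():
        print(f"{design:>16}:", result)
```

Running it shows the behaviour the thread describes: under "ip-whitelist" the load balancer node is denied (so health checks fail) while only the asker's address gets in; "subnet-cidr" admits the load balancer but also every other instance in the subnet; "lb-sg-reference" admits the load balancer nodes both before and after their private IP changes and nothing else, which is why the answer recommends it.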