0

I have ETL servers in a private subnet in my VPC on AWS. These ETL servers are locked down with specific outbound rules per approved outbound IP addresses. I have a service these ETL tools need to communicate with outside the VPC using TLS1.2/443 that uses a DNS name and not an IP address. Let's say "account.service.com". For this reason, it was suggested I consider using an elastic load balancer in the public subnet as a proxy.

If I send requests to the ELB private IP address from the ETL instance, how do I tell the ELB to send those requests on to "account.service.com"?

Essentially, I want the ELB to work as a tunneling proxy, since I can't specify "account.service.com" in my outbound security group rules in the private subnet.

1 Answer

3

This is not possible.

Elastic Load Balancers can only send traffic to Amazon EC2 instances, and those instances need to be in the same VPC as the Load Balancer.

You would need to use some other technology (e.g. a Squid proxy) in your Public Subnet to send traffic to a non-EC2 destination.

John Rotenstein
  • Thanks John. I've been spinning my wheels on this for a while. Is it true I could use Squid or HAProxy on an EC2 instance? Maybe put the proxy in the public subnet and open the outbound rule to the proxy EC2 instance? I imagine I would need to leave the outbound rule for the public subnet EC2 instance security group wide open for port 443. – Robin Tanner Jun 04 '17 at 01:37
  • You are correct. Traditionally, security groups on EC2 instances permit *all outbound traffic*, but you are welcome to further restrict that, only opening the ports you specifically know will be in use. – John Rotenstein Jun 04 '17 at 01:41