I have configured to use my ip in the security group on ec2 instance. But I am getting 504 gateway timeout error.

When I make it open to the world, i.e. 0.0.0.0/0, then it works well. I checked for my IP address on the ec2 instance using "who am i" and this is similar to the one in the security group.

Please suggest how to make it work only for my machine.

I have followed the steps mentioned on

possible to whitelist ip for inbound communication to an ec2 instance behind an aws load balancer?

This is how my inbound rule for the security group looks.

| Type | Protocol | Port range | Source | Description |
|------|----------|------------|--------|-------------|
| All traffic | All | All | 123.201.54.223/32 | Dev Security Rule |
gbhati

2 Answers

Security groups will not allow you to make it work on a machine-by-machine basis, only by IPs and security groups. E.g. if you limit ingress by IP, any other machine using that same IP address (usually on the same network/access point etc.) will also be allowed in, not just your machine.

If you are using a load balancer, then it is the load balancer that should have access to your instance via its security group, and your access via IP should be controlled in the load balancer's security group, so you should use the settings you have quoted (at least to begin with!) on your LB security group, not your instance security group.

With the instance or group of instances (i.e. those that are behind the load balancer), in their security groups you want to only allow ingress from the load balancer security group; there's no need to set an IP address ingress (unless you want to allow e.g. ssh access from specific IP addresses or want them to talk to a database instance).

danimal
  • Thanks, it works. I have added my IP in the load balancer security group. But what should be the value in the instance security group source field then? Can I make it anywhere in this SG? – gbhati Aug 23 '19 at 05:44
  • No, making it anywhere is risky at the instance level. You can set the private IP in the security group as I mentioned in the answer. – Adiii Aug 23 '19 at 05:55
  • @Adiii I have put **10.0.0.0/16** in the source field of the instance security group, but it does not work. Whereas if I put the security group id of the Load Balancer in the source field of the instance security group then it works. Why is this happening? – gbhati Aug 23 '19 at 06:54
  • So it might be the case that the private IP of the LB is different; btw the security group ID is the recommended option by AWS. You are doing it right, go with the SG ID. – Adiii Aug 23 '19 at 06:58
  • @Adiii Say I have two domains, a.com and b.com, and I need different IP address whitelisting for these domains. I have only one Load Balancer. But the security group of this load balancer will be common for all domains. So, how can I whitelist different IP addresses for different domains? – gbhati Aug 23 '19 at 07:01
  • If you want the LB public then it will work with the existing setting for both, but if you want to make it specific then you define multiple IPs in the SG inbound field. – Adiii Aug 23 '19 at 07:07
  • @Adiii I did not get this fully. So my requirement is that I want IP address 1.2.3.4 to access a.com and 5.6.7.8 to access b.com. But I have only one LB and I can not put these two IP addresses in the LB SG, otherwise 1.2.3.4 will be able to access b.com, which isn't supposed to be the case. Please advise on this. – gbhati Aug 23 '19 at 07:33
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/198353/discussion-between-adiii-and-gautam-kumar). – Adiii Aug 23 '19 at 07:35
  • @danimal My requirement is that, say, the project is given to two clients, a.com and b.com, with their network addresses being 1.2.3.4 and 5.6.7.8 respectively, and they want to use the project internally. This means network address 5.6.7.8 should not be able to use domain a.com. But I have only one load balancer, and in the LB SG I have mentioned these two network addresses. So, to restrict access to a.com to only 1.2.3.4, will I have to use another load balancer? – gbhati Aug 23 '19 at 08:47
  • you should probably ask this as another question but I would very much question the strategy of sharing a load balancer between two separate clients, who may have very different needs and usage patterns, security compliance requirements, not to mention SSL certificates (which would in most cases be handled by the load balancer)... I would certainly advise giving each client their own load balancer! – danimal Aug 23 '19 at 09:35
  • @danimal How can I create multiple load balancers which listen on the same port 443? If I want to restrict to one LB only, then is there any way to not allow one network registered for one instance to access the second instance with a different network address, as mentioned in the above comment? – gbhati Aug 26 '19 at 09:38
  • @gbhati please ask this as another question, the comments are getting out of hand! – danimal Aug 27 '19 at 08:44
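To make the two-hop flow described in this answer and its comments concrete, here is a small model of security-group evaluation, added as an example and not taken from either answer. The client address and CIDRs are the ones from the question; the LB's private address 172.31.5.10 and the group id sg-lb are constructed values standing in for whatever your VPC actually assigns.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all traffic
    from_port: int  # -1 means all ports
    to_port: int
    source: str     # a CIDR such as "1.2.3.4/32" or a group id such as "sg-lb"


@dataclass(frozen=True)
class Endpoint:
    ip: str
    groups: frozenset  # security groups attached to the sending ENI


def rule_matches(rule: Rule, src: Endpoint, protocol: str, port: int) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Group-id sources match on membership, regardless of the sender's address.
        return rule.source in src.groups
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source)


def allowed(rules, src: Endpoint, protocol: str, port: int) -> bool:
    # Security groups are allow-only and stateful: any matching inbound rule admits the flow.
    return any(rule_matches(r, src, protocol, port) for r in rules)


# Constructed scenario: the client from the question and a hypothetical LB ENI.
CLIENT = Endpoint("123.201.54.223", frozenset())
LB = Endpoint("172.31.5.10", frozenset({"sg-lb"}))

LB_SG = [Rule("tcp", 443, 443, "123.201.54.223/32")]            # client IP on the LB
INSTANCE_SG_ORIGINAL = [Rule("-1", -1, -1, "123.201.54.223/32")]  # the question's rule
INSTANCE_SG_BY_CIDR = [Rule("-1", -1, -1, "10.0.0.0/16")]         # guessed VPC CIDR
INSTANCE_SG_BY_GROUP = [Rule("tcp", 80, 80, "sg-lb")]            # reference the LB's SG


def trace(instance_sg, client=CLIENT, lb=LB):
    """Return (client reaches LB, LB reaches instance) for a given instance SG."""
    return (allowed(LB_SG, client, "tcp", 443), allowed(instance_sg, lb, "tcp", 80))
```

Only the group-id rule lets the second hop through; the client-IP rule and the guessed CIDR both leave the LB unable to reach the instance, which is what the 504 reports.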
504 gateway timeout error: it means your LB is not able to communicate with the desired instance, while you are able to communicate with the LB.

`All traffic All All 123.201.54.223/32 Dev Security Rule` This will only allow traffic from your IP, not the Load Balancer IP.

You do not need to mention your IP in the security group of EC2. You have to allow traffic from the LB, that is 10.0.0.0/16.

HTTP 504: Gateway Timeout

Description: Indicates that the load balancer closed a connection because a request did not complete within the idle timeout period.

  • Cause 1: The application takes longer to respond than the configured idle timeout.

Solution 1: Monitor the HTTPCode_ELB_5XX and Latency metrics. If there is an increase in these metrics, it could be due to the application not responding within the idle timeout period. For details about the requests that are timing out, enable access logs on the load balancer and review the 504 response codes in the logs that are generated by Elastic Load Balancing. If necessary, you can increase your capacity or increase the configured idle timeout so that lengthy operations (such as uploading a large file) can complete. For more information, see Configure the Idle Connection Timeout for Your Classic Load Balancer and How do I troubleshoot Elastic Load Balancing high latency.

  • Cause 2: Registered instances closing the connection to Elastic Load Balancing.

Solution 2: Enable keep-alive settings on your EC2 instances and make sure that the keep-alive timeout is greater than the idle timeout settings of your load balancer.

Adiii