2

Currently I have an application set up on AWS using application load balancer with 2 EC2 in target group:

DNS -> AWS-ALB -> EC2(2)

I need help allowing only certain IP addresses on the application URL context path.

For eg: www.abc.com should be accessible for all but www.abc.com/xyz should be accessible only to certain IP addresses.

I tried NGINX solution on EC2 and that works only when i hit the EC2 IP directly with allow and deny rules.

varun
  • 135
  • 3
  • 12

2 Answers2

9

I was able to solve this problem by setting up listener rules on the ALB based on path and source IP combined.

Lets say you would like to allow access to www.abc.com/xyz/* from the IP address pool 123.123.123.120/30, and deny to anyone else.

ALB rules:

  1. IF Source IP is 123.123.123.120/30 AND Path is /xyz/* THEN Forward to your-application-target-group

  2. IF Path is /xyz/* THEN Return fixed response 403 (or whatever is suitable in your use case)

  3. IF Requests otherwise not routed THEN Forward to your-application-target-group

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html

bekmate
  • 91
  • 2
2

You can use WAF with ALB if it's available in the region. You can create a simple rule with two conditions URI matches and IP addresses don't match , as conditions in a RULE works in AND operation, it should match your requirement.

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rules-creating.html

James Dean
  • 4,033
  • 1
  • 9
  • 18