I have an app hosted in a Fargate instance. In the security group, if I select the source in the inbound rule to Anywhere-IPv4, it works fine and I can access my web site. But if I change the source to "My IP", I can no longer access the site from my IP address.

Both "My IP" and "whatismyip.com" report the same address. I've tried taking that /32 address and switching it to "custom" and choosing the same address with /24, just to see if that would work, but it didn't.

I've tried it with the "All Traffic" type as well just on the off chance it wants access to some other port other than HTTP, but that made no difference.

Incidentally, my container doesn't have ssh, so I can't ssh into it.

  • You are accessing the ECS Fargate instance via its public IP address? You aren't going through a load balancer are you? – Mark B Apr 02 '23 at 14:29
  • No, I'm accessing it via the load balancer using the elastic-ip I assigned to the load balancer. – Pete Apr 02 '23 at 14:35
  • That does raise another issue I'm having, though, which is it's exposing my service on both the public IP AND the elastic IP and I don't want it exposing it on the public IP. – Pete Apr 02 '23 at 14:49

1 Answer

It's failing because you are going through the load balancer, and you are blocking the load balancer's IP address from accessing the ECS task. You need to have two security groups. One for your load balancer, and one for your ECS task.

The security group of your ECS task should only allow incoming requests from the security group of the Load Balancer. You do this by using the Load Balancer's security group ID in the source field of the security group rule.

Then you should go to the security group of your load balancer, and create the "My IP" rule there.
After doing this, your ECS task will only be accessible through the load balancer, and the load balancer will only be accessible from your IP.

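An added check, not from the question or the answer, that audits a security-group layout against the rule the answer gives: the ECS task's group admits only the load balancer's group, and the load balancer's group carries the "My IP" rule. The group IDs, the address and the port are placeholders; the data is constructed in the shape of `aws ec2 describe-security-groups` output.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (IpPermissions / IpRanges / UserIdGroupPairs). IDs and CIDRs are placeholders.
LB_SG = "sg-0placeholderlb00"      # hypothetical load balancer security group
TASK_SG = "sg-0placeholdertask0"   # hypothetical ECS task security group
MY_IP = "203.0.113.7/32"           # stands in for the console's "My IP"

def rule(from_port, to_port, cidrs=(), groups=()):
    """Build one ingress permission entry in describe-security-groups form."""
    return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# "Before": the question's layout. The task SG is sourced from My IP, so the
# load balancer's own addresses are blocked and the site is unreachable.
BEFORE_TASK_SG = {"GroupId": TASK_SG, "IpPermissions": [rule(80, 80, cidrs=[MY_IP])]}

# "After": the answer's layout. The task trusts only the LB's security group,
# and the LB's group carries the My IP rule.
AFTER_TASK_SG = {"GroupId": TASK_SG, "IpPermissions": [rule(80, 80, groups=[LB_SG])]}
AFTER_LB_SG = {"GroupId": LB_SG, "IpPermissions": [rule(80, 80, cidrs=[MY_IP])]}

def audit_task_sg(sg, lb_sg_id):
    """Findings for an ECS task SG; empty means it admits only the LB's SG."""
    findings = []
    for perm in sg["IpPermissions"]:
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp", r.get("CidrIpv6"))
            findings.append(f"CIDR source {cidr}: LB traffic does not come from this "
                            "range, and the task is reachable directly on its public IP")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != lb_sg_id:
                findings.append(f"unexpected group source {pair['GroupId']}")
    return findings

def audit_lb_sg(sg, allowed_cidrs):
    """Findings for the LB SG; empty means every CIDR source is in allowed_cidrs."""
    allowed = set(allowed_cidrs)
    return [f"CIDR source {r['CidrIp']} is not in the allowed set"
            for perm in sg["IpPermissions"]
            for r in perm.get("IpRanges", []) if r["CidrIp"] not in allowed]

if __name__ == "__main__":
    print("before (task):", audit_task_sg(BEFORE_TASK_SG, LB_SG))
    print("after (task): ", audit_task_sg(AFTER_TASK_SG, LB_SG))
    print("after (lb):   ", audit_lb_sg(AFTER_LB_SG, [MY_IP]))
```

Feeding real `describe-security-groups` JSON through the same two functions reports any CIDR left on the task's group, which is also what keeps the task reachable on its own public IP.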