I've seen a bunch of similar questions like this one, but none give a general answer. I'm new to AWS. I have 2 instances running in my VPC right now. I have an ELB set up in front of them that's working just fine in routing traffic to both. Problem is, both instances also currently can be hit with HTTP from the entire web. I'd like to change things so my instances can only be hit on HTTP through my ELB. How can I do this?
Q: Can I use a single Application Load Balancer for handling HTTP and HTTPS requests? A: Yes, you can add listeners for HTTP port 80 and HTTPS port 443 to a single Application Load Balancer.
To allow or block specific IP addresses for your EC2 instances, use a network Access Control List (ACL) or security group rules in your VPC. Network ACLs and security group rules act as firewalls allowing or blocking IP addresses from accessing your resources.
I found what I was looking for. In security groups, you can add another security group as source under custom IP. It would have been great if Amazon had made it more clear this was allowed, since a security group isn't a custom IP at all. Anyway, this is how you do it:
I am going to suggest the following additional approach which comes long after the original solution has been accepted. The original solution is perhaps best, but the approach below is straightforward and if nothing else could assist with troubleshooting.
First, disassociate from the instances any rules or security groups that permit HTTP from the web at large. Be particularly suspicious of 0.0.0.0/0, which means all IP addresses. Then, in the security group applied to the instance, permit port 80/HTTP from the VPC's private address space. If, for instance, your VPC's private address space is 172.31.0.0/16, then permit that range to access your instance via a security group applied directly to the instance. At this point the httpd server logs on the instance should show access attempts from the specific private addresses of the load balancer. Assuming the health check's target file exists and is properly served by httpd, the target group health check status should change from unhealthy to healthy. Note that the load balancer health checker clearly identifies itself in the httpd logs as ELB-HealthChecker.
172.31.3.56 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.3.56 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
At this point you could restrict the IP addresses permitted by the security group to only those showing up in the httpd logs, but I would be careful, because if the ELB is restarted or if its configuration is changed or reloaded, I doubt that it is guaranteed to reacquire the same private addresses that it held before.
Now with the load balancer acknowledging its targets as healthy it will consider them ready for service and begin to route traffic to them. And per the original poster's goals ("Problem is, both instances also currently can be hit with HTTP from the entire web.") this approach does not permit access to the instances from the entire web.
Most readers here will be familiar with private addressing. For anyone who is not, the Wikipedia article is as good a reference as any.
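The log check described in the answer above, as an added example that is not part of any answer on this page: it parses Apache combined-format lines, counts the in-VPC sources that identify as ELB-HealthChecker, and flags any request whose source address lies outside the VPC CIDR, since such a request reached the instance without going through the ELB. The VPC range 172.31.0.0/16 is the one used in the answer; the sample log is constructed from the answer's four health-check lines plus one hypothetical direct hit from 203.0.113.7.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the health-check hits quoted in the answer plus one
# hypothetical direct hit from a public (documentation-range) address.
SAMPLE_LOG = """\
172.31.3.56 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.20.249 - - [24/Oct/2017:17:02:36 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
172.31.3.56 - - [24/Oct/2017:17:03:06 +0000] "GET /index.html HTTP/1.1" 200 265 "-" "ELB-HealthChecker/2.0"
203.0.113.7 - - [24/Oct/2017:17:03:10 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def audit(text, vpc_cidr):
    """Return (health_checker_ips, direct_hits) for the given log text.

    health_checker_ips counts sources inside vpc_cidr that identified as
    ELB-HealthChecker; direct_hits are entries from outside vpc_cidr, i.e.
    requests that bypassed the ELB and that the security group should block.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    health_checker_ips = Counter()
    direct_hits = []
    for entry in parse_log(text):
        src = ipaddress.ip_address(entry["ip"])
        if src not in vpc:
            direct_hits.append(entry)
        elif entry["ua"].startswith("ELB-HealthChecker/"):
            health_checker_ips[entry["ip"]] += 1
    return health_checker_ips, direct_hits


if __name__ == "__main__":
    checkers, direct = audit(SAMPLE_LOG, "172.31.0.0/16")
    print("health-check sources:", dict(checkers), "direct hits:", [e["ip"] for e in direct])
```

Once the security group only admits the ELB, the direct-hit list should stay empty over time; anything that shows up there is traffic the group still lets through.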