Restricting ElasticBeanstalk app using security groups - amazon-web-services

How to restrict elastic beanstalk web app using security groups? I tried allowing HTTP/HTTPS inbound rules to my IP address plus the eb load balancers but I get a 504 gateway time out error.
I get the IP address by looking up the network interface associated with the particular eb load balancer under EC2 > Network & Security > Network Interfaces.

IP addresses of the load balancer are subject to change. You have to allow inbound connections from the security group ID of the load balancer, not its IP address.

I solved it by adding load balancer security group to EB instance and then adding my IP to load balancer security group.

Related

How to only allow a few IPs to reach a AWS Network Load Balancer?

I am running my tasks (in public subnets) using AWS Fargate, and an Internet-facing NLB distributes the traffic to all the available tasks through a target group. I have a security group added to the service that only allows the NLB's IP. We are planning to use cloudflare as a reverse proxy for all the traffic coming to this NLB. How do I whitelist the cloudflare IPs so that no one else can reach this NLB?
If you're using a Network Load Balancer, update the security groups for your target instances because Network Load Balancers don't have associated security groups.
If your target type is an IP, add a rule to your security group to allow traffic from your load balancer's IP address to the target IP address.
If your target type is an instance, add a rule to your security group to allow traffic from your load balancer's IP address and clients to the target IP address.
I think it's not possible to add a security group to an NLB. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
If I add the cloudflare IPs to the security group of the service then wouldn't it prevent the load balancers from making a connection, or is the IP of the actual client forwarded till here?
You would need to enable Client IP preservation in the Target Group of the Network Load Balancer. Then in the security group of your target(s) (your ECS service, EC2 instance, etc.) you would allow those specific IPs.

Configuring internal network load balancer with EC2 instance in private VPC

I created an internal network load balancer (NLB) to connect to EC2 instances on a private subnet. I want to restrict access to the EC2 instances only from the network load balancer. I used these instructions https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups but it did not work.
Basically, I added the IP address of the network interface of the NLB to the security group with my specific port (eg: 8080 10.4.2.9/32) allowed, but that did not work. When I switched to allow all (eg: 8080 0.0.0.0/32) it worked, but I do not want other instances to have access to the EC2 instance.
Any ideas on why this is not working?
Thanks
For what you are trying to accomplish, NLB is the wrong load balancer.
NLB is a layer 4 load balancer. This means that the IP address that you see (at the EC2 instance) is the IP address of the client and not the IP address of the load balancer. With NLB you must allow the client's IP address in your security group.
You want a layer 7 load balancer to implement what you want to do (block other systems in your VPC from accessing your EC2 instances directly). This means ALB or the classic ELB.
If you're using a Network Load Balancer, update the security groups for your target instances, because Network Load Balancers do not have associated security groups.
If your target type is an IP, add a rule to your security group to allow traffic from your load balancer to the target IP.
If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.
You can allow traffic in the EC2 instance security group. As your instance is in a private subnet, for that you need to launch the load balancer in the same region but in a public subnet.
Know about your use case first.
Best use cases for Network Load Balancer:
When you need to seamlessly support spiky or high-volume inbound TCP requests.
When you need to support a static or elastic IP address.
If you are using container services and/or want to support more than one port on an EC2 instance. NLB is especially well suited to ECS (the Amazon EC2 Container Service).

How to make security groups between load balancer and ec2

I have recently added an ALB for 2 instances in EC2.
I want to make the ALB and EC2 instances private, so I added a security group for each service.
What I did was add the IP addresses of the EC2 instances to the ALB sg for HTTPS, and vice versa in the EC2 sg.
In Route 53, I made a subdomain that points to the DNS name of the ALB.
I tried to test it first using an sg that is public, and it works fine and I can access the EC2 application.
But after I set the sg for both the ALB and EC2, when I test it, it can't be accessed.
Where did I go wrong?
A security group can allow traffic from a CIDR range of IP addresses, or from another Security Group. Thus, you should configure the following Security Groups:
ALB-SG: Allow HTTP/S from 0.0.0.0/0 (if you want it open to the world). Associate it with the ALB.
App-SG: Allow HTTP from ALB-SG. Associate it with your EC2 instances (or Auto Scaling group Launch Configuration).
The Application Security Group (App-SG) is thus permitting incoming traffic from the Load Balancer. Or, more specifically, from any resource that is associated with ALB-SG.
Route 53 should have a CNAME record pointing your desired domain name to the DNS Name of the Load Balancer.
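As an added example that is not code from any of these posts or from AWS, here is a small Python audit of the ALB-SG/App-SG pattern described in this answer and of the "allow the load balancer's security group ID, not its IP address" point from the first thread. It uses constructed data in the shape of `aws ec2 describe-security-groups` output; the `sg-…` IDs are hypothetical.

```python
import ipaddress

# Hypothetical security group IDs (constructed for this example, not from the page).
ALB_SG_ID = "sg-0a1b2c3d4e5f60001"   # ALB-SG: attached to the load balancer
APP_SG_ID = "sg-0a1b2c3d4e5f60002"   # App-SG: attached to the EC2 instances

# Constructed App-SG in the shape of `aws ec2 describe-security-groups` output,
# configured the way the questions above tried it: the load balancer's ENI
# address as a /32, then a wide-open rule added when that did not work.
APP_SG_BEFORE = {
    "GroupId": APP_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.4.2.9/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def lb_only_ingress(port, lb_sg_id):
    """IpPermissions entry that admits `port` only from the load balancer's
    security group; this is the rule the answers recommend, in the shape
    accepted by ec2 authorize-security-group-ingress --ip-permissions."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": lb_sg_id}]}


def audit_app_sg(sg, lb_sg_id):
    """Return findings for ingress rules on an instance SG that are not
    'from the load balancer's SG': CIDR sources (load balancer addresses
    change, so an ENI /32 silently breaks) and wide-open sources."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        port = perm.get("FromPort", "all")
        for key, cidr_key in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for rng in perm.get(key, []):
                cidr = rng[cidr_key]
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(f"port {port}: open to the world via {cidr}")
                else:
                    findings.append(f"port {port}: CIDR source {cidr}; reference the LB security group instead")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != lb_sg_id:
                findings.append(f"port {port}: source SG {pair.get('GroupId')} is not the load balancer SG")
    return findings


# Hardened App-SG: the single SG-to-SG rule replaces both IP-based rules.
APP_SG_AFTER = {"GroupId": APP_SG_ID,
                "IpPermissions": [lb_only_ingress(8080, ALB_SG_ID)]}

if __name__ == "__main__":
    for finding in audit_app_sg(APP_SG_BEFORE, ALB_SG_ID):
        print("before:", finding)
    print("after:", audit_app_sg(APP_SG_AFTER, ALB_SG_ID) or "clean")
```

To run it against a real account, feed `audit_app_sg` the `SecurityGroups[0]` element from `aws ec2 describe-security-groups --group-ids <App-SG id>` and pass the ALB's security group ID.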

Assign a static IP address to an AWS Application Load Balancer

I have a load balancer created in my VPC with two subnets. Now I want to open a firewall rule from within my company intranet. I have no control over this firewall. But to open a rule on the firewall, the firewall team accepts only IP addresses, not DNS names.
But since the IP address of the load balancer keeps changing I can't give it to the firewall team. That's where I am stuck.
How can I open a firewall rule to an AWS load balancer from within my intranet?
You are correct that an Application Load Balancer does not provide static IP addresses.
You might be able to change to a Network Load Balancer:
Elastic Load Balancing creates a network interface for each Availability Zone you enable. Each load balancer node in the Availability Zone uses this network interface to get a static IP address. When you create an Internet-facing load balancer, you can optionally associate one Elastic IP address per subnet.
It is also possible to put a Network Load Balancer in front of an Application Load Balancer to gain the benefits of both.
See: Using static IP addresses for Application Load Balancers | AWS Networking & Content Delivery Blog

EC2 security group setting for load balancer, auto scaling group

So I set up a proxy server in AWS EC2 (let's say EC2 A) under an Elastic Load Balancer with AWS AutoScaling groups... So I have 5 EC2 A instances under this elastic load balancer, which has one DNS endpoint for these proxies.
Through this proxy DNS (e.g. http://myelb.elb.aws.com), I want to send HTTP requests from EC2 B.
Then where should I set up the security group?
And what kind of security rules for this program flow?
I tried to add EC2 A to the Elastic Load Balancer but it keeps being OutofService, never got to InService mode.
OutofService indicates that your Elastic Load Balancer is either not ready, or the instances are failing their Health Check. If you point to the little "i" information icon, it will explain why an instance is not InService.
Within your Elastic Load Balancer, take a look at the Health Check tab and confirm that it is configured correctly. It will either be checking a URL (eg /index.htm) or checking a port (eg port 80). If your "A" servers are listening on port 80, the quickest way to pass the health check is to set it to TCP and set the Healthy Threshold to 2 attempts.
Your Security Groups should have these settings:
A Security Group on your Elastic Load Balancer (eg ELB-SG) that allows incoming traffic either from the whole Internet (0.0.0.0/0) or at least from your "EC2 B" instance (specifically, it should allow traffic where the source is the name of a security group associated with your B instance).
A Security Group on your "EC2 A" instances that allows incoming traffic from the security group on your Load Balancer (ELB-SG).
If you are worried that your Security Groups are incorrectly configured, start troubleshooting by opening up access to the entire Internet (0.0.0.0/0) and, once you have confirmed connectivity, progressively reduce access to the above settings.