I have recently added an ALB for 2 instances in EC2.
I want to make the ALB and EC2 instances private, so I added a security group for each service.
What I did is that I added the IP addresses in HTTPS of the EC2 instances in the ALB sg, and vice versa in the EC2 sg.
In Route 53, I made a subdomain to link to the DNS name of the ALB.
I tried to test it first using an sg that is public, and it works fine and I can access the EC2 application.
But after I tried to set the sg for both the ALB and EC2, when I test it, it can't access it.
Where did I go wrong?
A security group can allow traffic from a CIDR range of IP addresses, or from another Security Group. Thus, you should configure the following Security Groups:
ALB-SG: Allow HTTP/S from 0.0.0.0/0 (if you want it open to the world). Associate it with the ALB.
App-SG: Allow HTTP from ALB-SG. Associate it with your EC2 instances (or Auto Scaling group Launch Configuration).
The Application Security Group (App-SG) is thus permitting incoming traffic from the Load Balancer. Or, more specifically, from any resource that is associated with ALB-SG.
Route 53 should have a CNAME record pointing your desired domain name to the DNS Name of the Load Balancer.
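The two security groups from this answer, written as a CloudFormation fragment. This is an added example, not part of the original answer; the `VpcId` parameter and the logical names `AlbSG` and `AppSG` are assumptions chosen to mirror ALB-SG and App-SG.

```yaml
# Added example (not from the original answer).
# Assumption: VpcId is supplied as a template parameter.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  # ALB-SG: associated with the load balancer, open to the world on HTTP/S.
  AlbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB-SG - HTTP/S from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # App-SG: associated with the EC2 instances.
  AppSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App-SG - HTTP only from members of ALB-SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          # The source is the load balancer's security group, not a list of
          # instance or load balancer IP addresses. Any resource associated
          # with AlbSG is admitted; everything else is dropped.
          SourceSecurityGroupId: !GetAtt AlbSG.GroupId
```

Because the instances' only ingress rule names `AlbSG`, requests sent straight to an instance address are dropped while the load balancer's forwarded requests and health checks on port 80 still arrive.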
Related
I am running my tasks (in public subnets) using AWS Fargate, and an Internet-facing NLB distributes the traffic to all the available tasks through a target group. I have a security group added to the service that only allows the NLB's IP. We are planning to use Cloudflare as a reverse proxy for all the traffic coming to this NLB. How do I whitelist the Cloudflare IPs so that no one else can reach this NLB?
If you're using a Network Load Balancer, update the security groups
for your target instances because Network Load Balancers don't have
associated security groups.
If your target type is an IP, add a rule to your security group to
allow traffic from your load balancer's IP address to the target IP
address.
If your target type is an instance, add a rule to your
security group to allow traffic from your load balancer's IP address
and clients to the target IP address.
I think it's not possible to add a security group to an NLB. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
If I add the Cloudflare IPs to the security group of the service then wouldn't it prevent the load balancers from making a connection, or is the IP of the actual client forwarded till here?
You would need to enable Client IP preservation in the Target Group of the Network Load Balancer. Then in the security group of your target(s) (your ECS service, EC2 instance, etc.) you would allow those specific IPs.
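One way to express that answer in CloudFormation, as an added example that is not part of the original thread. The listener port 443, the `NlbSubnetCidr` parameter and the two CIDR values standing in for Cloudflare's published ranges are assumptions; the placeholders are documentation ranges and must be replaced with the real list.

```yaml
# Added example (not from the original thread).
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  NlbSubnetCidr:
    Type: String   # assumption: CIDR of the subnet holding the NLB nodes

Resources:
  ServiceTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 443
      TargetType: ip          # Fargate tasks register by IP
      TargetGroupAttributes:
        # With this enabled the task sees the original client address
        # (here: a Cloudflare edge IP) instead of the NLB node's private IP.
        - Key: preserve_client_ip.enabled
          Value: "true"

  ServiceSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Fargate service - Cloudflare ranges plus NLB health checks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 203.0.113.0/24    # PLACEHOLDER for a Cloudflare range
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 198.51.100.0/24   # PLACEHOLDER for a Cloudflare range
        # Health checks still originate from the NLB nodes' private IPs,
        # so the NLB subnet must stay allowed or targets go unhealthy.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref NlbSubnetCidr
```

The subnet rule also admits any other host in that subnet, so a dedicated subnet for the NLB keeps the exception narrow.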
I have a setup like this.
Application Load Balancer(internet facing) LB1 with entry in Route 53 as loadbalancer1.com
LB1 is in security group sg1 which has inbound rule to accept all Https requests.
LB1 has target group attached which has an EC2 instance instance1 which belongs to security group sg2
sg2 has inbound rule which specifies traffic can only come from sg1
I have another EC2 instance instance2 in Security Group sg3. This instance wants to access instance1. It does this by calling the load balancer loadbalancer1.com(on port 443 i.e Https)
This setup works. Now I want to make an improvement. Since loadbalancer1.com will only be accessed from instance2, I want to change the inbound rules of security group sg1 to accept traffic only from security group sg3. If I do this, loadbalancer1.com is no longer reachable from instance2.
Any idea why?
It's a very good question. TL;DR: it only works for internal traffic that doesn't leave the VPC.
Here is what's going on in more detail:
When the instance2 accesses the internet-facing load balancer, the traffic first leaves your VPC and goes to the public internet. Then the traffic reaches the ELB through some network routings, and the ELB forwards the traffic to the instance1.
When the traffic leaves the AWS VPC and re-enters it, the source SG metadata associated with the traffic is "gone". From the point of view of the ELB's SG, it only knows that the traffic originated from the public IP address of instance2.
According to the Security group rules documentation:
When you specify a security group as the source or destination for a rule, the rule affects all instances that are associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).
I have a service running on port 8080 of an EC2 machine in a private subnet. My plan is to establish a VpcLink to the private endpoint using a Network Load Balancer. Now the Network Load Balancer cannot associate a security group of its own; instead the target security group will come into action here (in this case the security group of the EC2 where my service is running). I am a little confused over what the security group of the EC2 machine should look like. I need to add a custom TCP rule which will allow traffic to port 8080, but I am confused over what IP range I can give in the source. The API Gateway has no IP. Also, it is saying that
Recommended Rules
Inbound Source | Port Range | Comment
Client IP addresses | instance listener | Allow traffic from clients on the instance listener port
VPC CIDR | health check | Allow traffic from the load balancer on the health check port
Based on the comments and from the docs:
Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.
If you register targets by IP address and do not want to grant access to the entire VPC CIDR, you can grant access to the private IP addresses used by the load balancer nodes.
Thus, for NLB you either use the CIDR range of the subnet where the NLB is, or, to be more restrictive, you use the NLB private addresses. For the IP addresses, you can't get them from CloudFormation. You would have to write custom resources in CloudFormation to get the IPs from the NLB. As a compromise, you could put your NLB in a dedicated subnet, or the same one as the instances, and use its CIDR range.
Right now, when I manually enter my EC2 ipv4 address in the browser, I get the webpage back.
How can I restrict the EC2 instance to only receive and send data to the Elastic Load Balancer (ELB) that's attached to it?
Thank you.
1. No one knows your EC2 IP address, so if you put it behind ELB, everyone can see the ELB IP address.
2. You can use the security group to limit access to your EC2 only from ELB.
Edit your EC2 security group and add your ELB security group name; after that, only ELB can access your EC2 directly.
For more info read the following docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
You should limit access to your EC2 to only traffic from ELB unless you have a specific reason not to.
You will have a security group assigned to ELB such as sg-xxxxxx. Make sure that when you create another security group for your EC2, its ingress rules for 80/8080/443 (depending on the ports you are using) are not CIDR-specific, but use the security group assigned to ELB instead. Obviously make sure that this security group accounts for both forwarding traffic and health check traffic, as ELB won't send traffic to unhealthy nodes.
Ideally you have both private and public subnets in your VPC, in which case put your ELB in public and EC2 in private subnets.
If I create an ELB and try to attach the private subnet instances, my health check fails: OutOfService.
Question 1: Can I get an internal / private IP (not IP but DNS name) for Load Balancing, i.e. not accessible to the internet?
Question 2: If I have a public DNS name for my Application Load Balancer, how do I attach EC2 instances that are in my private subnet without an Elastic IP (aren't internet accessible)?
I am looking for the best approach. Should we have-
ELB --> public subnet EC2 instances (proxy configuration- */* [private_ip]:[port]/* ) ---> Service from Private Subnet/EC2 instance with health checks here.
The traditional architecture is:
Elastic Load Balancer in public subnet
Amazon EC2 instances in private subnet
Security group on Load Balancer permitting port 80 & 443 from 0.0.0.0/0
Security group on instances permitting port 80 from the Load Balancer security group
An Amazon Route 53 Hosted Zone with a CNAME record set pointing to the DNS Name of the Load Balancer
If your instances are failing the Load Balancer health check, check the following:
The instances should have a security group permitting inbound access from the Load Balancer
The Load Balancer health check should be configured with a path to a web page to use for the health check
The instances should have a functioning web server that is responding to the health checks
If you are using an ELB, I would recommend using Auto Scaling Group to put instances in various AZ/subnets.
Look at this tutorial. The benefit of having an ASG is that you can optionally also have scale in/out policies.
The architecture that you have described: ELB (assuming this is public) -> public EC2 instances (as proxies) -> private EC2 instances.
Rather, you can have your private EC2 instances fronted with an ELB. Not sure if you really need the public EC2 instances.
If your health check is failing you need to ensure that:
a. You are creating the ELB in the right VPC.
b. The ELB -> EC2 communication is set up correctly by ensuring you have the right Security Groups in place on the EC2 instances.
A highly recommended way would be to have the EC2 instances' SG rules set up in such a way that they accept traffic only from the SG of the ELB.