AWS Instance Only Allow Traffic From Load Balancer - amazon-web-services

I have a Load Balancer and Auto-Scaling Group. The Load Balancer sends traffic to my Auto-Scaling Group. I have two instances: Instance 7000 (which is listening on port 7000 and is part of the auto-scaling group and gets its traffic from the load balancer) and Instance 8545 (which is listening on port 8545 and is simply a single instance that is not part of the Load Balancer or the Auto-Scaling Group).
I have a load balancer security group ("LB-SG") and a security group for Instance 8545 ("App-SG"). I want Instance 8545 to only allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group. So I included "LB-SG" as an inbound rule for "App-SG" on port 8545 but it is not working. However, if I simply include the IP address for Instance 7000 on port 8545 as an inbound rule in "LB-SG" it works perfectly. But that doesn't solve my issue because if more instances get added by the Auto-Scaling Group or IP address changes then it won't work.
Edit: reworded for clarity

Your requirements are a little unclear, but here is the general use-case...
If you wish an instance to accept traffic from a Load Balancer, then:
Create a Security Group for your Load Balancer ("LB-SG")
Create a Security Group for your instances ("App-SG")
In App-SG, permit inbound traffic on the desired port from LB-SG
That is, the App-SG rule specifically references LB-SG by its unique name (sg-abcd1234).
Result: Every instance associated with App-SG will permit inbound traffic that is coming from the Load Balancer.
Similarly, if you want a specific instance (Instance-A) to accept traffic from another instance (Instance-B), create a different security group for each instance and add a rule to the Instance-A security group to permit inbound traffic on a given port from the Instance-B security group.
There is no need to use IP addresses.

2nd attempt...
You should create three security groups:
LB-SG for the Load Balancer
Allow inbound 80/443
App-SG for the instances in the Auto Scaling group
Allow inbound 7000 from LB-SG
Extra-SG for the 8545 instance (I didn't know what to call it!)
Allow inbound 8545 from App-SG
Once again, there is no need to reference specific IP addresses.
Side-note: You said "allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group" -- instances are in the Auto Scaling group, but there are no instances in the Load Balancer. Therefore, I have assumed that the 8545 instance only receives traffic from the App-SG (7000) instances.
Update: Make sure the instances are communicating via Private IP addresses.

Related

How to only allow a few IPs to reach a AWS Network Load Balancer?

I am running my tasks (in public subnets) using AWS Fargate, and an Internet-facing NLB distributes the traffic to all the available tasks through a target group. I have a security group added to the service that only allows the NLB's IP. We are planning to use cloudflare as a reverse proxy for all the traffic coming to this NLB. How do I whitelist the cloudflare IPs so that no one else can reach this NLB?
If you're using a Network Load Balancer, update the security groups
for your target instances because Network Load Balancers don't have
associated security groups.
If your target type is an IP, add a rule to your security group to
allow traffic from your load balancer's IP address to the target IP
address.
If your target type is an instance, add a rule to your
security group to allow traffic from your load balancer's IP address
and clients to the target IP address.
I think it's not possible to add a security group to an NLB. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
If I add the cloudflare IPs to the security group of the service then wouldn't it prevent the load balancers from making a connection, or is the IP of the actual client forwarded till here?
You would need to enable Client IP preservation in the Target Group of the Network Load Balancer. Then in the security group of your target(s) (your ECS service, EC2 instance, etc..) you would allow those specific IPs.

AWS Application Load Balancer not accessible unless All traffic is allowed

I have a setup like this.
Application Load Balancer (internet facing) LB1 with an entry in Route 53 as loadbalancer1.com
LB1 is in security group sg1 which has inbound rule to accept all Https requests.
LB1 has target group attached which has an EC2 instance instance1 which belongs to security group sg2
sg2 has inbound rule which specifies traffic can only come from sg1
I have another EC2 instance instance2 in Security Group sg3. This instance wants to access instance1. It does this by calling the load balancer loadbalancer1.com (on port 443, i.e. HTTPS).
This setup works. Now I want to make an improvement. Since loadbalancer1.com will only be accessed from instance2, I want to change the inbound rules of security group sg1 to accept traffic only from security group sg3. If I do this, loadbalancer1.com is no longer reachable from instance2.
Any idea why?
It's a very good question. TL;DR: it only works for internal traffic that doesn't leave the VPC.
Here is what's going on in more detail:
When instance2 accesses the internet-facing load balancer, the traffic first leaves your VPC and goes to the public internet. Then the traffic reaches the ELB through some network routing, and the ELB forwards the traffic to instance1.
When the traffic leaves the AWS VPC and re-enters it, the source SG metadata associated with the traffic is "gone". From the point of view of the ELB's SG, it only knows that the traffic originates from the public IP address of instance2.
According to the Security group rules documentation:
When you specify a security group as the source or destination for a rule, the rule affects all instances that are associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).

Health check fails after switching from ALB to NLB?

The health check in my target group fails after I switched my load balancer type from "application" to "network". I need to use the network load balancer in order to do a vpc link in api gateway. I attached a security group to my ALB but this is no longer needed for the NLB.
I understand that the NLB operates on Layer 4. My ALB listened for HTTPS on port 443 and the target group for HTTP on port 80. Now, my NLB listens for TCP on port 80 and the target group for TCP on port 80.
If I alter the security group attached to my EC2 instances and allow All TCP traffic from anywhere then the health check starts passing again. But, I don't want to allow traffic from anywhere. I also tried setting source to my vpc security group, but this did not work either.
Therefore, I am not sure what I should be setting source to in my security group. In my security group, is there a way I can restrict All TCP to just internal traffic? Does the NLB do something different to ALB which might be causing my health check to fail?
Ended up just using the cidr range of all subnets attached to the network load balancer.
It appears that for Network Load Balancers you have to just allow all traffic for everything in the NLB or restrict it to the cidr range of all subnets attached to the load balancer.
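For the two NLB threads above (the Cloudflare-only question and the failing health check), here is the target-side setup written as Terraform. This is an added example, not code from either post; it assumes var.vpc_id, the subnet ids the NLB is attached to (var.nlb_subnet_ids), the client ranges to admit (var.client_cidrs, e.g. Cloudflare's published IPv4 list) and AWS provider 5.x.

```hcl
# Added example, not code from either post. Assumes var.vpc_id, the subnets the
# NLB is attached to (var.nlb_subnet_ids) and the client ranges to admit
# (var.client_cidrs, e.g. Cloudflare's published IPv4 list); AWS provider 5.x.
variable "vpc_id"         { type = string }
variable "nlb_subnet_ids" { type = list(string) }
variable "client_cidrs"   { type = list(string) }
data "aws_subnet" "nlb" {
  for_each = toset(var.nlb_subnet_ids)
  id       = each.value
}
# With client IP preservation on, targets see the real client address rather
# than the NLB's private address, so per-client rules on the target SG work.
resource "aws_lb_target_group" "app" {
  name               = "app-tcp-80"
  port               = 80
  protocol           = "TCP"
  target_type        = "ip"
  vpc_id             = var.vpc_id
  preserve_client_ip = "true"
}

resource "aws_security_group" "target" {
  name   = "nlb-target-sg"
  vpc_id = var.vpc_id
}

# Not this: an "all TCP from 0.0.0.0/0" rule does make the health check pass,
# but it also exposes every target to the whole internet.
# Health checks still come from the NLB nodes' private addresses, so admit
# each subnet CIDR the NLB lives in (the workaround from the second thread).
resource "aws_vpc_security_group_ingress_rule" "health_check" {
  for_each          = data.aws_subnet.nlb
  security_group_id = aws_security_group.target.id
  cidr_ipv4         = each.value.cidr_block
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
}

# Client traffic arrives with its source IP preserved, so only the listed
# ranges reach the tasks; anything else the NLB forwards is dropped here.
resource "aws_vpc_security_group_ingress_rule" "clients" {
  for_each          = toset(var.client_cidrs)
  security_group_id = aws_security_group.target.id
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
}
```

The subnet-CIDR rule stays necessary even with client IP preservation enabled, because health checks are never sent with a client address.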

Allow ELB connection just from instances in the same VPC, Subnet and Security Group

I am working fine with my current ELB, but for security reasons I want to restrict connections by allowing just instances in the same security group, so I created an additional security group just for managing only the ELB. I have no problem while I allow 0.0.0.0/0 to the 443 port, but when I remove the rule I lose the connection. If I allow the public IP of the instance it works, but I have several instances so that is not an option. I also tried allowing the private CIDR (10.0.0.0/24) of the instances and it does not work, and I also tried allowing the same security groups without success.
Thanks in advance
The setup should be:
A security group on the Amazon EC2 instances running your app (SG-App) that permits incoming traffic from the appropriate locations to access the app
A security group on the Load Balancer (SG-LB) that permits inbound connections on port 443 from SG-App
That is, SG-App is permitting inbound connections from any instances associated with SG-App. This is much better than allowing connections "from the same security group" because the instances need different settings to the ELB.
When the instances resolve the DNS Name associated with the Load Balancer, it should resolve to a private IP address (10.0). You can test this by connecting to one of the instances and trying to ping/lookup the ELB DNS Name and seeing what IP address it is using.

EC2 Security Group inbound rule not working as expected

I have an instance that hosts a mongodb service and I am trying to allow incoming traffic on port 27017 from an autoscaling group of instances. I am adding the security group (that has the AG instances) that I want to access the specific instance, but I see it times out.
Inbound rule:
I have tried allowing a specific address or 0.0.0.0 and it works. Only when I am specifying the security group id it doesn't work.
Any help on this highly appreciated.
Assuming that you also have a Load Balancer, you would want three security groups:
ELB-SG: Allow incoming web traffic as appropriate (eg 80, 443). Associate it with the Load Balancer.
App-SG: Allow incoming traffic from ELB-SG. Associate it with the Auto Scaling Group, which will automatically assign it to the instances launched via Auto Scaling.
Mongo-SG: Allow incoming traffic from App-SG on port 27017. Associate it with the instance running Mongo.
Basically, have the security groups reference another Security Group and they will automatically accept traffic from instances associated with that other security group.
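The three-group chain recommended in the first thread's second attempt and again in this answer, written as Terraform. This is an added example, not code from any of the posts; it assumes an existing VPC passed in as var.vpc_id and AWS provider 5.x, and uses the group names and ports from the posts (7000 for the Auto Scaling instances, 8545 or 27017 for the standalone backend).

```hcl
# Added example, not code from any of the posts. Assumes an existing VPC
# (var.vpc_id) and AWS provider 5.x; names and ports follow the threads.
variable "vpc_id"       { type = string }
variable "backend_port" { default = 8545 } # 27017 for the Mongo instance

resource "aws_security_group" "lb" {
  name   = "LB-SG"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "app" {
  name   = "App-SG"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "backend" {
  name   = "Extra-SG"
  vpc_id = var.vpc_id
}

# LB-SG is the only group open to the world (add a matching rule for 80).
resource "aws_vpc_security_group_ingress_rule" "lb_https" {
  security_group_id = aws_security_group.lb.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# App-SG admits port 7000 only from LB-SG, referenced by id rather than by IP.
# Attach App-SG in the Auto Scaling group's launch template so every instance
# it launches inherits this rule with no per-instance changes.
resource "aws_vpc_security_group_ingress_rule" "app_from_lb" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.lb.id
  ip_protocol                  = "tcp"
  from_port                    = 7000
  to_port                      = 7000
}

# Extra-SG admits the backend port only from App-SG, not from LB-SG: the load
# balancer itself never connects to the standalone instance.
resource "aws_vpc_security_group_ingress_rule" "backend_from_app" {
  security_group_id            = aws_security_group.backend.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = var.backend_port
  to_port                      = var.backend_port
}
```

A rule that references a group only matches the source instances' private addresses, so the App-SG instances must reach the backend by its private IP; connecting to its public or Elastic IP will still time out.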