The security group assigned to it has both Inbound and Outbound rules set to ALL traffic and ALL port range, so why does it say it's not allowing traffic on that listener port?
If the LoadBalancer was created by an ElasticBeanstalk environment, you would have to add the listener in the ElasticBeanstalk configurations.
I am running my tasks (in public subnets) using AWS Fargate, and an Internet-facing NLB distributes the traffic to all the available tasks through a target group. I have a security group added to the service that only allows the NLB's IP. We are planning to use Cloudflare as a reverse proxy for all the traffic coming to this NLB. How do I whitelist the Cloudflare IPs so that no one else can reach this NLB?
If you're using a Network Load Balancer, update the security groups for your target instances because Network Load Balancers don't have associated security groups.
If your target type is an IP, add a rule to your security group to allow traffic from your load balancer's IP address to the target IP address.
If your target type is an instance, add a rule to your security group to allow traffic from your load balancer's IP address and clients to the target IP address.
I think it's not possible to add a security group to an NLB. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
If I add the Cloudflare IPs to the security group of the service then wouldn't it prevent the load balancers from making a connection, or is the IP of the actual client forwarded till here?
You would need to enable Client IP preservation in the Target Group of the Network Load Balancer. Then in the security group of your target(s) (your ECS service, EC2 instance, etc.) you would allow those specific IPs.
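One way to apply the answer above with boto3, added here as an example and not part of the original post: it builds the target-group attribute and the security group ingress request, and only calls AWS inside `apply`. The function names, the port 443 default and the sample CIDRs (documentation prefixes, not Cloudflare's ranges) are assumptions.

```python
import ipaddress

def preservation_attributes():
    """Attributes for elbv2 modify_target_group_attributes on the NLB target group."""
    return [{"Key": "preserve_client_ip.enabled", "Value": "true"}]

def ingress_permissions(cidrs, port, description):
    """Build IpPermissions for ec2 authorize_security_group_ingress.

    Validates every CIDR, splits IPv4 from IPv6, and refuses a /0 range,
    which would reopen the targets to everyone.
    """
    v4, v6 = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr.strip())  # raises ValueError if malformed
        if net.prefixlen == 0:
            raise ValueError(f"refusing to allow {net}")
        if net.version == 4:
            v4.append({"CidrIp": str(net), "Description": description})
        else:
            v6.append({"CidrIpv6": str(net), "Description": description})
    permission = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if v4:
        permission["IpRanges"] = v4
    if v6:
        permission["Ipv6Ranges"] = v6
    return [permission]

def apply(target_group_arn, security_group_id, cidrs, port=443):
    """Enable client IP preservation, then allow the proxy ranges on the target SG."""
    import boto3  # imported here so the builders above work without AWS access
    boto3.client("elbv2").modify_target_group_attributes(
        TargetGroupArn=target_group_arn, Attributes=preservation_attributes())
    boto3.client("ec2").authorize_security_group_ingress(
        GroupId=security_group_id,
        IpPermissions=ingress_permissions(cidrs, port, "reverse proxy range"))

# Placeholder ranges (documentation prefixes), standing in for the proxy's published list.
SAMPLE_CIDRS = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    print(ingress_permissions(SAMPLE_CIDRS, 443, "reverse proxy range"))
```

Keep the existing rule for the NLB's own addresses in place: health checks still originate from the load balancer nodes, not from the proxy.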
I have a setup like this.
Application Load Balancer(internet facing) LB1 with entry in Route 53 as loadbalancer1.com
LB1 is in security group sg1 which has inbound rule to accept all Https requests.
LB1 has target group attached which has an EC2 instance instance1 which belongs to security group sg2
sg2 has inbound rule which specifies traffic can only come from sg1
I have another EC2 instance instance2 in Security Group sg3. This instance wants to access instance1. It does this by calling the load balancer loadbalancer1.com (on port 443, i.e. HTTPS).
This setup works. Now I want to make an improvement. Since loadbalancer1.com will only be accessed from instance2, I want to change the inbound rules of security group sg1 to accept traffic only from security group sg3. If I do this, loadbalancer1.com is no longer reachable from instance2.
Any idea why?
It's a very good question. TL;DR: it only works for internal traffic that doesn't leave the VPC.
Here is what's going on in more detail:
When instance2 accesses the internet-facing load balancer, the traffic first leaves your VPC and goes to the public internet. Then the traffic reaches the ELB through some network routings, and the ELB forwards the traffic to instance1.
When the traffic leaves the AWS VPC and re-enters it, the source SG metadata associated with the traffic is "gone". From the point of view of the ELB's SG, it only knows that the traffic originated from the public IP address of instance2.
According to the Security group rules documentation:
When you specify a security group as the source or destination for a rule, the rule affects all instances that are associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).
A retail website is deployed on an ECS cluster - in a private subnet - behind an ELB Application Load Balancer (ALB). What is the best method to ensure that the requests to the ECS cluster are coming from the ALB only?
A. Configure the inbound rule of ECS security group to accept requests only from ALB security Group.
B. Configure the inbound rule of ECS security group to deny requests from resources other than ALB.
C. Configure the inbound rule of ECS security group to accept requests only from the IP address of the ALB.
D. Create network ACL rules for the private subnet to accept requests only from the IP address of the ALB.
My question is: What's the difference between A and C? Why is A the right answer? Thanks!
The configuration would be:
A Security Group on the Load Balancer (LB-SG) that allows inbound traffic (eg on port 80/443)
A Security Group on the ECS cluster (ECS-SG) that permits inbound access from LB-SG
By referring to LB-SG, any resource supporting the Load Balancer will be permitted to send traffic to the ECS cluster. There is no need to update configurations when the Load Balancer adds/removes additional AZs or expands to handle additional traffic.
Thus, A would be the most correct answer.
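The source matching described in the two answers above (a group reference matches only its members' private IPs, and keeps matching as the load balancer adds nodes), as a simplified model added here and not taken from either post. All IP addresses and the `allowed` helper are constructed for illustration; real security groups also match on protocol and port.

```python
import ipaddress

# Constructed inventory (not from the page): private IPs of each group's members.
MEMBERS = {
    "sg1": {"10.0.1.10", "10.0.2.10"},  # load balancer nodes
    "sg3": {"10.0.3.25"},               # instance2
}

def allowed(sources, src_ip, members):
    """True if src_ip matches one of an inbound rule's sources.

    A source is either a CIDR or a security group id. A group id matches
    only the private IPs of that group's members, never their public IPs.
    """
    ip = ipaddress.ip_address(src_ip)
    for source in sources:
        if source.startswith("sg"):
            if src_ip in members.get(source, set()):
                return True
        elif ip in ipaddress.ip_network(source):
            return True
    return False

def internet_facing_case():
    """instance2 calls the internet-facing LB, so it arrives with its public IP."""
    public_ip = "203.0.113.40"  # constructed public address of instance2
    return {
        "sg3_reference": allowed(["sg3"], public_ip, MEMBERS),
        "public_ip_cidr": allowed(["203.0.113.40/32"], public_ip, MEMBERS),
        "inside_vpc": allowed(["sg3"], "10.0.3.25", MEMBERS),
    }

def scale_out_case():
    """The load balancer adds a node; compare a group reference with pinned IPs."""
    new_node = "10.0.4.10"
    grown = dict(MEMBERS, sg1=MEMBERS["sg1"] | {new_node})
    return {
        "group_reference": allowed(["sg1"], new_node, grown),
        "pinned_ips": allowed(["10.0.1.10/32", "10.0.2.10/32"], new_node, grown),
    }

if __name__ == "__main__":
    print(internet_facing_case())
    print(scale_out_case())
```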
The health check in my target group fails after I switched my load balancer type from "application" to "network". I need to use the network load balancer in order to do a vpc link in api gateway. I attached a security group to my ALB but this is no longer needed for the NLB.
I understand the NLB operates on Layer 4. My ALB listened for HTTPS on port 443 and the target group HTTP on port 80. Now, my NLB listens for TCP on port 80 and the target group TCP on port 80.
If I alter the security group attached to my EC2 instances and allow All TCP traffic from anywhere then the health check starts passing again. But, I don't want to allow traffic from anywhere. I also tried setting source to my vpc security group, but this did not work either.
Therefore, I am not sure what I should be setting source to in my security group. In my security group, is there a way I can restrict All TCP to just internal traffic? Does the NLB do something different to ALB which might be causing my health check to fail?
Ended up just using the CIDR range of all subnets attached to the network load balancer.
It appears that for Network Load Balancers you have to just allow all traffic for everything in the NLB or restrict it to the CIDR range of all subnets attached to the load balancer.
I have recently added an ALB for 2 instances in EC2.
I want to make the ALB and EC2 instances private, so I added a security group for each service.
What I did is that I added the IP addresses of the EC2 instances for HTTPS in the ALB sg, and vice versa in the EC2 sg.
In Route 53, I made a subdomain to link to the DNS name of the ALB.
I tried to test it first using an sg that is public and it works fine and can access the EC2 application.
But after I tried to set the sg for both the ALB and EC2, when I test it, it can't access it.
Where did I go wrong?
A security group can allow traffic from a CIDR range of IP addresses, or from another Security Group. Thus, you should configure the following Security Groups:
ALB-SG: Allow HTTP/S from 0.0.0.0/0 (if you want it open to the world). Associate it with the ALB.
App-SG: Allow HTTP from ALB-SG. Associate it with your EC2 instances (or Auto Scaling group Launch Configuration).
The Application Security Group (App-SG) is thus permitting incoming traffic from the Load Balancer. Or, more specifically, from any resource that is associated with ALB-SG.
Route 53 should have a CNAME record pointing your desired domain name to the DNS Name of the Load Balancer.