Reputation: 3412
I have separate "zones" (VPCs) and in them clustered servers. In the "DMZ" zone I have a cluster with different back and front NICs. 172.30.x.x serves the Internet-facing side while 10.0.x.x serves any backside connections into the (more) secure zone.
Since I am using a clustered environment I have set up load balancers (ELBs), one for the external connection from the Internet (172.30.x.x) and one internal ELB for the internal zone (10.0.x.x).
I need to add an ACL (allow/deny) for the listeners on front/back (172.30.x.x / 10.0.x.x), but my problem is that the AWS ELB has the same source IP for both the external ELB and the internal ELB. The original source IP is only included in the X-Forwarded-For header, which won't work as the ACL can only handle source IPs and not HTTP headers.
Now the ACL is worthless as both Internet calls and calls from the backside zone have source IPs in the range of 172.30.x.x, which is the VPC where both ELBs "live"...
Any suggestions on how I can distinguish between internal and external IPs for an ACL (or set up a Security Group or other measure to ensure only backside connections can reach the 10.0.x.x listeners)?
Upvotes: 0
Views: 441
Reputation: 2761
ELBs do not have static IPs, so you can't create ACL rules based on that. As a security best practice, your public-facing, external ELBs should be on separate subnets (because of course, you want them spread across multiple Availability Zones) from any ELBs or instances/interfaces that should not receive external traffic.
Move your external ELBs to subnets not used for anything else. This can be accomplished with zero downtime if they're already in use, as you just create the new ELB in the correct subnets, add the backend instances, change any DNS records pointing to the ELB, and you should be good. This allows ACL rules to be created for the appropriate subnet CIDR blocks.
Upvotes: 1
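As an added illustration of the answer's approach (not code from the asker or the answerer), the following Python simulates a backend-subnet network ACL keyed on the dedicated ELB subnet CIDRs, using AWS's ordered first-match evaluation with an implicit deny. The CIDRs, port and rule numbers are constructed assumptions, not the asker's real layout.

```python
from ipaddress import ip_address, ip_network

# Constructed example layout: once the public ELBs sit in subnets used for
# nothing else, a backend connection's source IP is the ELB's own address in
# that subnet, so the subnet CIDR identifies which ELB relayed the request.
EXTERNAL_ELB_SUBNETS = ["172.30.1.0/24", "172.30.2.0/24"]   # public ELBs only
INTERNAL_ELB_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]       # internal ELBs only

def build_backend_nacl(internal_cidrs, external_cidrs, port):
    """Return ordered inbound NACL entries (rule_no, cidr, port, action).

    AWS evaluates NACL entries in ascending rule number and stops at the
    first match; anything unmatched hits the implicit deny (rule '*').
    """
    rules = []
    n = 100
    for cidr in internal_cidrs:          # allow the internal ELB subnets
        rules.append((n, ip_network(cidr), port, "allow"))
        n += 10
    for cidr in external_cidrs:          # explicit deny for the public ELB subnets,
        rules.append((n, ip_network(cidr), port, "deny"))   # so a later broad
        n += 10                                             # allow cannot reopen it
    return rules

def evaluate_nacl(rules, src_ip, port):
    """Simulate NACL evaluation: lowest matching rule wins, else implicit deny."""
    src = ip_address(src_ip)
    for _rule_no, cidr, rule_port, action in sorted(rules, key=lambda r: r[0]):
        if src in cidr and rule_port == port:
            return action
    return "deny"

if __name__ == "__main__":
    rules = build_backend_nacl(INTERNAL_ELB_SUBNETS, EXTERNAL_ELB_SUBNETS, 8080)
    for rule in rules:
        print(rule)
    # Relayed by an internal ELB: allowed.
    print(evaluate_nacl(rules, "10.0.1.25", 8080))     # allow
    # Same backend port reached through a public ELB subnet: denied.
    print(evaluate_nacl(rules, "172.30.1.40", 8080))   # deny
```

Because network ACLs are stateless, the backend subnet's outbound rules must also permit the return traffic on ephemeral ports, which the simulation above does not model.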