Matt The Ninja

Reputation: 2731

Amazon AWS ELB without public address on servers behind it

I currently have 3 servers sitting behind an ELB on AWS.

Each of these EC2 instances sits in a separate availability zone (3 in total).

I use the ELB for

I have already configured a VPN to access the EC2 Instance for SSH access however I cannot get the ELB to work when I remove the public addresses from the EC2 containers...

I assumed that I could have them allow traffic only on port 80 (443 terminated on ELB) from the ELB sec group, which would mean I wouldn't need Ext IPs as ELB connects directly to them?

I assume I would need to also set up NAT for them to be able to access externally?

Are ELBs not within a subnet?

Tried all variations, coming to the conclusion they need public IPs but just restrict what has access?

Many thanks in advance!

Upvotes: 1

Views: 2045

Answers (2)

Manoj Gupta

Reputation: 1

I had a concern about this getting exposed to the public and being exploited by DDoS. I had to front it with API Gateway and then trust in-VPC using HAProxy; more details are here: http://knowmg.blogspot.com/2017/11/why-do-i-need-haproxy-in-aws-stack.html

Upvotes: 0

Matt Houser

Reputation: 36123

Assuming your ELB should be publicly accessible, you'll want to set up the following:

  1. Put your ELB in public subnets.
  2. Assign to your ELB one or more security groups, allowing incoming access on port 443 from 0.0.0.0/0 and outgoing access on port 80.
  3. Create your EC2 instances, often using an Auto Scaling group, but this is not required.
  4. Put your EC2 instances in private subnets.
  5. Do not give your EC2 instances public IP addresses.
  6. Assign to your EC2 instances one or more security groups, allowing incoming access on port 80 from the ELB's security group.

If your EC2 instances require outgoing internet access:

  1. Set up a NAT (instance or gateway) in a public subnet.
  2. Update the VPC route tables of your private subnets to forward 0.0.0.0/0 traffic through the NAT.
  3. Update your EC2 instance's security group to allow outgoing connections on the ports required.

To allow incoming SSH connections to your EC2 instances:

  1. Set up your VPN or a bastion EC2 instance.
  2. Update your EC2 instance's security groups to allow incoming connections on port 22.

In all cases, restrict the security groups as much as possible:

  1. Only allow ports that you know you need, and
  2. Use /32 CIDRs wherever possible, then /24, then /16, then /8. Finally, only allow 0.0.0.0/0 if you truly need global access.

Upvotes: 3
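The layout in the answer above is easy to describe and easy to get slightly wrong (an instance left in a public subnet, a port 80 rule opened to 0.0.0.0/0 instead of to the ELB's security group). As an added example, not part of the original answer, here is a small Python audit that encodes those steps as checks and runs them over a constructed description of a VPC. The dict shapes are a simplified stand-in for what `aws ec2 describe-*` calls return, not the real API, and every identifier (sg-elb, subnet-priv-a, i-web-a, the 203.0.113.10 address) is a constructed placeholder.

```python
"""Audit a VPC layout against the pattern: ELB in public subnets, instances in
private subnets without public IPs, instance SG reachable on 80 only from the
ELB SG, SSH only from a narrow VPN/bastion range, NAT for outbound traffic.

Added example; all IDs and CIDRs below are constructed placeholders and the
dict layout is a simplified stand-in for `aws ec2 describe-*` output.
"""
import copy
from ipaddress import ip_network

ANY = "0.0.0.0/0"


def rule(port, cidrs=(), groups=()):
    """Simplified security-group rule for a single TCP port."""
    return {"port": port, "cidrs": list(cidrs), "groups": list(groups)}


def audit(topo):
    """Return a list of findings; an empty list means the layout matches the pattern."""
    sgs, subnets, out = topo["security_groups"], topo["subnets"], []

    def is_public(subnet_id):
        # A subnet is public when its default route points at an internet gateway.
        route = subnets[subnet_id]["default_route"]
        return route is not None and route.startswith("igw-")

    # Steps 1-2: the ELB lives in public subnets; its SG opens only 443 to the world
    # and only needs egress on 80 towards the instances.
    elb = topo["elb"]
    for s in elb["subnets"]:
        if not is_public(s):
            out.append(f"ELB subnet {s} is not public (no IGW default route)")
    for sg_id in elb["security_groups"]:
        ingress = sgs[sg_id]["ingress"]
        if not any(r["port"] == 443 and ANY in r["cidrs"] for r in ingress):
            out.append(f"ELB SG {sg_id} does not allow 443 from {ANY}")
        for r in ingress:
            if r["port"] != 443 and ANY in r["cidrs"]:
                out.append(f"ELB SG {sg_id} opens port {r['port']} to {ANY}")
        for r in sgs[sg_id]["egress"]:
            if r["port"] != 80:
                out.append(f"ELB SG {sg_id} has egress on port {r['port']} (only 80 needed)")

    # Steps 4-5 (+ NAT): instances are in private subnets and carry no public IP.
    inst_sgs = set()
    for inst in topo["instances"]:
        iid, sub = inst["id"], inst["subnet"]
        if is_public(sub):
            out.append(f"{iid} is in public subnet {sub}")
        if inst.get("public_ip"):
            out.append(f"{iid} has public IP {inst['public_ip']}")
        if subnets[sub]["default_route"] is None:
            out.append(f"{iid} subnet {sub} has no default route (add a NAT if outbound access is needed)")
        inst_sgs.update(inst["security_groups"])

    # Step 6 + "restrict as much as possible": port 80 only from the ELB SG,
    # SSH only from a narrow CIDR, nothing else inbound.
    elb_sgs = set(elb["security_groups"])
    for sg_id in sorted(inst_sgs):
        for r in sgs[sg_id]["ingress"]:
            if r["port"] == 80:
                if r["cidrs"] or not r["groups"] or not set(r["groups"]) <= elb_sgs:
                    out.append(f"instance SG {sg_id}: port 80 reachable from other than the ELB SG")
            elif r["port"] == 22:
                for c in r["cidrs"]:
                    if ip_network(c).prefixlen < 24:
                        out.append(f"instance SG {sg_id}: SSH open to {c} (narrow to the VPN/bastion range)")
            else:
                out.append(f"instance SG {sg_id}: unexpected ingress on port {r['port']}")
    return out


# Constructed topology that follows the answer's steps.
GOOD = {
    "elb": {"subnets": ["subnet-pub-a", "subnet-pub-b"], "security_groups": ["sg-elb"]},
    "subnets": {
        "subnet-pub-a": {"default_route": "igw-0abc"},
        "subnet-pub-b": {"default_route": "igw-0abc"},
        "subnet-priv-a": {"default_route": "nat-0def"},
        "subnet-priv-b": {"default_route": "nat-0def"},
    },
    "security_groups": {
        "sg-elb": {"ingress": [rule(443, cidrs=[ANY])], "egress": [rule(80, groups=["sg-web"])]},
        "sg-web": {"ingress": [rule(80, groups=["sg-elb"]), rule(22, cidrs=["10.8.0.0/24"])],
                   "egress": [rule(443, cidrs=[ANY])]},
    },
    "instances": [
        {"id": "i-web-a", "subnet": "subnet-priv-a", "public_ip": None, "security_groups": ["sg-web"]},
        {"id": "i-web-b", "subnet": "subnet-priv-b", "public_ip": None, "security_groups": ["sg-web"]},
    ],
}

# Same topology with the mistakes the question describes: a public-IP instance in a
# public subnet, and the web SG opened to the world instead of to the ELB SG.
BAD = copy.deepcopy(GOOD)
BAD["instances"][0].update(subnet="subnet-pub-a", public_ip="203.0.113.10")
BAD["security_groups"]["sg-web"]["ingress"] = [rule(80, cidrs=[ANY]), rule(22, cidrs=[ANY])]

if __name__ == "__main__":
    for name, topo in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(topo) or "no findings")
```

The checks deliberately treat a port 80 rule sourced from any CIDR as a finding, even a narrow one: once instances have no public IP, the only legitimate source for web traffic is the ELB's security group, and referencing it by ID keeps the rule correct as the ELB's addresses change.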
