Reputation: 2731
I currently have 3 servers sitting behind a ELB on AWS.
Each of these EC2 instance sit in 3 separate availability zones.
I use the ELB for:
- SSL termination
- Distributing load
I have already configured a VPN to access the EC2 Instance for SSH access however I cannot get the ELB to work when I remove the public addresses from the EC2 containers...
I assumed that I could have them allow traffic only on port 80 (443 terminated on ELB) from the ELB sec group, which would mean I wouldn't need Ext IPs as ELB connects directly to them?
I assume I would need to also set up NAT for them to be able to access externally?
Are ELBs not within a subnet?
Tried all variations, coming to the conclusion that they need public IPs but just restrict what has access?
Many thanks in advance!
Upvotes: 1
Views: 2045
Reputation: 1
I had a concern about this getting exposed to the public, where it could be exploited by DDoS. I had to front it with API Gateway and then trust the VPC using HAProxy. More details are here: http://knowmg.blogspot.com/2017/11/why-do-i-need-haproxy-in-aws-stack.html
Upvotes: 0
Reputation: 36123
Assuming your ELB should be publicly accessible, you'll want to set up the following:
0.0.0.0/0 and outgoing access on port 80.
If your EC2 instances require outgoing internet access:
0.0.0.0/0 traffic through the NAT.
To allow incoming SSH connections to your EC2 instances:
In all cases, restrict the security groups as much as possible: /32 CIDRs wherever possible, then /24, then /16, then /8. Finally, only allow 0.0.0.0/0 if you truly need global access.
Upvotes: 3
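As an added example (not code from the question or from either answer), here is a small Python audit of the layout the question and the answer above describe: an internet-facing ELB accepting 443 from anywhere, instances without public IPs that accept port 80 only from the ELB's security group, SSH only from the VPN address, and a private route table whose default route goes to a NAT rather than an internet gateway. It also applies the answer's /32, /24, /16, /8 ladder to every CIDR it sees. The rule dictionaries follow the IpPermissions and Routes shapes returned by `aws ec2 describe-security-groups` and `describe-route-tables`; every group ID, CIDR and gateway ID below is a constructed placeholder, not a real value.

```python
"""Audit an ELB-in-public / instances-in-private VPC layout (constructed sample data)."""
import ipaddress

ELB_SG = "sg-0elb0000"         # placeholder: security group attached to the ELB
INSTANCE_SG = "sg-0web0000"    # placeholder: security group attached to the EC2 instances
VPN_CIDR = "203.0.113.10/32"   # placeholder: the VPN endpoint that SSH sessions arrive from


def tcp_rule(port, cidrs=(), source_groups=()):
    """Build one IpPermissions entry (describe-security-groups shape) for a single TCP port."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in source_groups],
    }


# ELB: 443 open to the world (it is the only thing that should be), 80 outbound to the instances.
ELB_INGRESS = [tcp_rule(443, cidrs=["0.0.0.0/0"])]
ELB_EGRESS = [tcp_rule(80, source_groups=[INSTANCE_SG])]

# Weak instance group: 80 from anywhere, SSH from a whole /8. This only "works" with public IPs.
WEAK_INSTANCE_INGRESS = [tcp_rule(80, cidrs=["0.0.0.0/0"]), tcp_rule(22, cidrs=["10.0.0.0/8"])]

# Corrected instance group: 80 only from the ELB's group, SSH only from the VPN /32.
GOOD_INSTANCE_INGRESS = [tcp_rule(80, source_groups=[ELB_SG]), tcp_rule(22, cidrs=[VPN_CIDR])]

# Route tables (describe-route-tables shape). Private subnets reach the internet via NAT only.
PRIVATE_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"},
]
PUBLIC_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder"},
]


def cidr_width(cidr):
    """Place a CIDR on the /32 -> /24 -> /16 -> /8 -> open ladder from the answer."""
    n = ipaddress.ip_network(cidr, strict=False).prefixlen
    if n < 8:
        return "open"      # /0 .. /7: effectively global access
    if n < 16:
        return "/8"
    if n < 24:
        return "/16"
    if n < 32:
        return "/24"
    return "/32"


def audit_ingress(rules, public_ports=frozenset(), group_only=None):
    """Return findings for a list of ingress rules.

    public_ports: ports that may legitimately be open to 0.0.0.0/0 (e.g. {443} on the ELB).
    group_only:   {port: sg_id} for ports that must be reachable only from that security group.
    """
    group_only = group_only or {}
    findings = []
    for rule in rules:
        port = rule["FromPort"]
        groups = {p["GroupId"] for p in rule["UserIdGroupPairs"]}
        cidrs = [r["CidrIp"] for r in rule["IpRanges"]]
        if port in group_only:
            if cidrs:
                findings.append(f"port {port}: allowed from {cidrs}; should only come from {group_only[port]}")
            if groups - {group_only[port]}:
                findings.append(f"port {port}: allowed from extra groups {sorted(groups)}")
        for c in cidrs:
            width = cidr_width(c)
            if width == "open" and port not in public_ports:
                findings.append(f"port {port}: open to {c}; only keep this if global access is truly needed")
            elif width in ("/8", "/16"):
                findings.append(f"port {port}: {c} is a {width}-scale range; prefer /32 or /24 if possible")
    return findings


def default_route_via_nat(routes):
    """True when the subnet's 0.0.0.0/0 route targets a NAT gateway rather than an internet gateway."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return bool(r.get("NatGatewayId", "").startswith("nat-"))
    return False


if __name__ == "__main__":
    print("ELB ingress:", audit_ingress(ELB_INGRESS, public_ports={443}) or "ok")
    print("weak instances:", audit_ingress(WEAK_INSTANCE_INGRESS, group_only={80: ELB_SG}))
    print("good instances:", audit_ingress(GOOD_INSTANCE_INGRESS, group_only={80: ELB_SG}) or "ok")
    print("private default route via NAT:", default_route_via_nat(PRIVATE_ROUTES))
    print("public default route via NAT:", default_route_via_nat(PUBLIC_ROUTES))
```

To check a real deployment, pass the IpPermissions list from describe-security-groups for each group into audit_ingress, and the Routes list of the private subnets' route table into default_route_via_nat; the instance group should come back clean only when port 80 is sourced from the ELB's group ID and not from any CIDR.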