Reputation: 2731
Amazon AWS ELB without public address on servers behind it
I currently have 3 servers sitting behind a ELB on AWS.
Each of these EC2 instance sit in 3 separate availability zones.
I use the ELB for
SSL Termination
Distribute Load
I have already configured a VPN to access the EC2 Instance for SSH access however I cannot get the ELB to work when I remove the public addresses from the EC2 containers...
I assumed that I could have them allow traffic only on port 80 (443 terminated on ELB) from the ELB sec group, which would mean I wouldn't need Ext IPs as ELB connects directly to them?
I assume i would need to also setup NAT for them to be able to externally access?
Are ELBs not within a subnet?
Tried all variations coming to conclusion they need public IPs but just restrict what has access?
Many thanks in advance!
Upvotes: 1
Views: 2045
Answers (2)
Reputation: 1
I had a concern of this getting exposed to public and that can be exploited by DDoS. I had to front it with API Gateway and then trust in VPC using HAProxy more details are here. http://knowmg.blogspot.com/2017/11/why-do-i-need-haproxy-in-aws-stack.html
Upvotes: 0
Reputation: 36123
Assuming your ELB should be publicly accessible, you'll want to setup the following:
- Put your ELB in public subnets.
- Assign to your ELB one or more security groups, allowing incoming access on port 443 from
0.0.0.0/0and outgoing access on port 80. - Create your EC2 instances, often using an Auto Scaling group, but this is not required.
- Put your EC2 instances in private subnets.
- Do not give your EC2 instances public IP addresses.
- Assign to your EC2 instances one or more security groups, allowing incoming access on port 80 from the ELB's security group.
If your EC2 instances require outgoing internet access:
- Setup a NAT (instance or gateway) in a public subnet
- Update the VPC route tables of your private subnets to forward
0.0.0.0/0traffic through the NAT. - Update your EC2 instance's security group to allow outgoing connections on the ports required.
To allow incoming SSH connections to your EC2 instances:
- Setup your VPN or a bastion EC2 instance.
- Update your EC2 instance's security groups to allow incoming connections on port 22.
In all cases, restrict the security groups as much as possible:
- Only allow ports that you know you need, and
- Use
/32CIDRs whereever possible, then/24, then/16, then/8. Finally, only allow0.0.0.0/0if you truly need global access.
Upvotes: 3
Related Questions
- Is it necessary to set public ip on ec2 instance behind internet facing ELB in AWS?
- How to access ELB from an AWS EC2 instance without allowing 0.0.0.0/0?
- AWS ELB ip address
- ELB non-static IP
- Public ELB accessible only from API Gateway
- Why do my ELBs have two IP addresses? How to find them?
- understanding aws ELB and private ip on eth0
- When using an internet facing ELB, do all of the instances behind the load-balancer have to have their own public IPs?
- Do I need an internal ELB if I already have a public ELB pointing to the same location?
- AWS IP Addresses - Are they required if the EC2 instance is behind an ELB?