NRaf

Reputation: 7549

AWS: Make route private from outside world

I have a web application currently running on an EC2 instance with MySQL running alongside it.

I'm building another backend batch service that needs information from the MySQL database. However, I don't want it to access the DB directly. What I want to do is build in a few API routes in the web application, i.e. /private/foo, /private/bar that are only accessible internally (e.g. within the VPC), while all other routes will continue to work as per normal.

I'm wondering how I can go about setting that up?

Upvotes: 0

Views: 165

Answers (2)

Niccaman

Reputation: 402

Run an http/s Apache reverse-proxy server in front of your web application. Use this new web-tier to control all your internal and external http/s traffic.

External Traffic:

  1. Configure Apache to listen on 80/443 for external traffic.
  2. Use and configure Apache module Proxy-Pass to reverse-proxy all your web-application traffic in the Apache virtualhost configuration for port 80/443.
  3. Block access to /private using <Location > directives within your 80/443 virtualhost config
  4. Update your DNS records to point to this web-tier instead of your web-application

How to accommodate your internal traffic:

  1. Have Apache listen on a new port, e.g. 8080
  2. Configure the Apache virtualhost for port 8080 to reverse proxy the internal http requests to your web-application, i.e. /private

How to secure the design:

  1. Use AWS security groups to block any external traffic on port 8080.
  2. Double down on your security rules by using Apache allow,deny rules within your Apache 8080 virtualhost config to ensure traffic is only permitted from your internal IP range

An alternative Apache config to the above:

Don't bother with port 8080; use 80/443 for all internal and external traffic. Internal traffic would make requests against a different domain name, and your internal and external traffic can be managed/separated using Apache name-based virtual hosting: https://httpd.apache.org/docs/current/vhosts/name-based.html

Upvotes: 1

Nathaniel Waisbrot

Reputation: 24513

Your VPC uses a private subnet (you are able to configure the address). All you need to do is make sure that traffic coming to your server originated from the same subnet.

Since you want the existing webapp to serve these private routes, you'll need to look for the originating IP address inside your code. (If you don't know how to do this, you might ask a new question about that.)

An alternative is to run a second service (or the same service but listen on a second port). If all private traffic comes in on port 8081 (for example) and all public traffic comes in on port 8080, you can just use AWS's security groups to allow only subnet-local traffic to port 8081 and all traffic to 8080.

Upvotes: 1
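The check both answers describe, done in application code as a WSGI middleware, is shown below as an added example; it is not code from the question or from either answer. It assumes a VPC CIDR of 10.0.0.0/16, the route prefix /private, a stand-in backend_app and the sample addresses, all constructed for the example. The decision is made on REMOTE_ADDR (the TCP peer), and X-Forwarded-For is ignored on purpose, because any client can set it. The optional private_port parameter mirrors the two-port design from the second answer, so a request for a private route is also refused unless it arrived on the listener that the security group restricts.

```python
import ipaddress
from wsgiref.simple_server import make_server

# Assumption (constructed for this example): the VPC's CIDR block.
# The real range is not given in the post; substitute your VPC or subnet.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
PRIVATE_PREFIX = "/private"


def is_internal(remote_addr, allowed=VPC_CIDR):
    """True if remote_addr is a well-formed IP inside the allowed network."""
    try:
        return ipaddress.ip_address(remote_addr) in allowed
    except ValueError:
        # Missing or malformed address: treat as external.
        return False


def is_private_path(path, prefix=PRIVATE_PREFIX):
    """Match /private and /private/anything, but not /privateer."""
    return path == prefix or path.startswith(prefix + "/")


def backend_app(environ, start_response):
    """Hypothetical stand-in for the existing web application."""
    if is_private_path(environ.get("PATH_INFO", "")):
        body = b"internal data for the batch service"
    else:
        body = b"public page"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def private_route_guard(app, allowed=VPC_CIDR, prefix=PRIVATE_PREFIX,
                        private_port=None):
    """WSGI middleware that hides /private/* from the outside world.

    Uses REMOTE_ADDR, the address of the TCP peer, which a client cannot
    forge. X-Forwarded-For is deliberately ignored. If private_port is set,
    private routes are also served only on that listener.
    """
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if is_private_path(path, prefix):
            from_inside = is_internal(environ.get("REMOTE_ADDR", ""), allowed)
            on_private_port = (private_port is None
                               or environ.get("SERVER_PORT") == str(private_port))
            if not (from_inside and on_private_port):
                # 404 rather than 403: do not confirm that the route exists.
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"not found"]
        return app(environ, start_response)
    return guarded


def request(app, path, remote_addr, port="8080", extra_environ=None):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "REMOTE_ADDR": remote_addr,
        "SERVER_PORT": port,
        "wsgi.url_scheme": "http",
    }
    environ.update(extra_environ or {})
    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Single-listener deployment: the guard alone keeps /private internal.
app = private_route_guard(backend_app)


if __name__ == "__main__":
    make_server("0.0.0.0", 8080, app).serve_forever()
```

Two caveats for the deployment in the question. First, if a load balancer or reverse proxy is ever put in front of the instance, REMOTE_ADDR becomes the proxy's address and every request will look internal; at that point either move the check to the proxy (Apache's Require ip on the /private Location) or honour X-Forwarded-For only when REMOTE_ADDR is the proxy itself. Second, keep the security group rule from the answers in place regardless: the application-level check is the second layer, not a replacement for blocking the port at the network edge.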
