codinggenericfreak

Reputation: 33

How to restrict access to AWS Load Balancer so only another specific AWS Load Balancer can have Inbound access?

We currently have an API and a website running on AWS Elastic Beanstalk, both with load balancers. Right now we are trying to figure out how to restrict all incoming traffic to the API load balancer so that the website load balancer is the only point of access to the API. We have tried to work with the security groups, but we can never hit it right.

We have already removed all Inbound access to the API and that restricted all access but we just can't get the Website to access it.

Our final goal is to have a system where the API can never be reached from the outside, but the website has full access to it through HTTPS calls.

Hope you guys can help us, thank you in advance!

Upvotes: 1

Views: 2187

Answers (1)

Vikyol

Reputation: 5615

Your website is running on an EC2 instance, which is only accessible through the ELB. The API server runs in a private subnet and is accessible through an internal ELB. You want your website to access the API server. The following steps should solve the issues you are facing:

  1. Configure your API load balancer as internal, so it is not accessible from outside your VPC.

  2. Apply the following security group rules to let the application instance access the API server.

WebApp (EC2) SG
    80/443  sg-xxxelb (External ELB SG)

External ELB SG
    80/443  0.0.0.0/0

Your API server should only be accessible by the WebApp instance.

Internal (API Server) ELB SG
    443     sg-xxxec2 (the SG of the WebApp EC2 instance)

Upvotes: 1
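As an added example (not code from the question or the answer), the following audit script checks the invariant the answer describes: the API load balancer is internal, and its security group admits nothing on 80/443 except the web-app instances' security group. The input dictionaries mirror the shape of boto3's `ec2.describe_security_groups()` and `elbv2.describe_load_balancers()` responses, but all ids, ARNs and rules here are constructed placeholders; point the functions at real API output to audit a live account. The third sample reproduces the asker's situation (all inbound rules removed), which the check flags as breaking website access rather than as secure.

```python
"""Audit an API load balancer's exposure against the recommended rules.

Added example; not code from the question or the answer. Group ids and
ARNs below are constructed placeholders, not real resources.
"""

from typing import Dict, List

# Constructed placeholder security-group ids (assumed names).
WEBAPP_EC2_SG = "sg-0000000000webapp"
API_ELB_SG = "sg-0000000000apielb"


def ingress_sources(group: Dict, port: int) -> List[str]:
    """Return every source (CIDR or security-group id) that `group`'s
    inbound rules admit on `port`, counting TCP rules and '-1' (all)."""
    sources: List[str] = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":  # all protocols and ports
            covers = True
        elif proto == "tcp":
            covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        else:
            covers = False
        if not covers:
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return sources


def audit_api_exposure(api_sg: Dict, api_lb: Dict, allowed_sg: str) -> List[str]:
    """Return findings; an empty list means the API ELB is internal and
    reachable on 443 only from `allowed_sg` (the WebApp instance SG)."""
    findings: List[str] = []
    if api_lb.get("Scheme") != "internal":
        findings.append("API load balancer is not internal; set Scheme=internal")
    for port in (80, 443):
        for src in ingress_sources(api_sg, port):
            if src != allowed_sg:
                findings.append(f"port {port} reachable from {src}; only {allowed_sg} should be allowed")
    if allowed_sg not in ingress_sources(api_sg, 443):
        findings.append(f"port 443 does not admit {allowed_sg}; the website cannot reach the API")
    return findings


# Constructed "before": API ELB internet-facing and open to the world on 443.
OPEN_API_SG = {
    "GroupId": API_ELB_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
INTERNET_FACING_LB = {"LoadBalancerArn": "arn:placeholder:api-lb", "Scheme": "internet-facing"}

# Constructed "after": internal ELB, 443 admitted only from the WebApp SG.
LOCKED_API_SG = {
    "GroupId": API_ELB_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEBAPP_EC2_SG}]},
    ],
}
INTERNAL_LB = {"LoadBalancerArn": "arn:placeholder:api-lb", "Scheme": "internal"}

# Constructed: the asker's state, every inbound rule removed.
EMPTY_API_SG = {"GroupId": API_ELB_SG, "IpPermissions": []}


if __name__ == "__main__":
    for label, sg, lb in (("open", OPEN_API_SG, INTERNET_FACING_LB),
                          ("locked", LOCKED_API_SG, INTERNAL_LB),
                          ("empty", EMPTY_API_SG, INTERNAL_LB)):
        print(label, audit_api_exposure(sg, lb, WEBAPP_EC2_SG) or "OK")
```

The check deliberately treats a missing rule for the WebApp SG as a finding, because a security group with no inbound rules is "secure" only in the sense that nothing, including the website, can reach the API; the answer's rule (443 from the WebApp EC2 security group, on an internal ELB) is the configuration that clears all findings.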
