Reputation: 29
I have my website currently running on aws elastic beanstalk and I am using cloudflare CDN to route traffic.
Everything was working fine for about two weeks until yesterday, when my website started showing the error "connection timed out".
If I come back after a few minutes, everything will go back to normal.
After reading through some community posts on Cloudflare, I'm thinking the issue may be that my security groups are blocking some IP addresses from Cloudflare.
So I want to ask where I should add the inbound rules for Cloudflare IPs: is it on the security group which my load balancer belongs to, or the one that my instances belong to?
Upvotes: 0
Views: 1014
Reputation: 71
You are correct in that the SG rules that matter are the ones on the load-balancer.
Note: the exception is if you are using a NLB instead of an ALB or classic ELB.
NLBs don't have SGs and you enforce traffic directly on the back-end/EC2 in that case.
If the list of Cloudflare IPs is not 100% static you may want to consider using prefix-lists in your SG rules. Create a prefix-list for Cloudflare IPs and reference that in all your SGs that depend on openings towards Cloudflare. That way you never have to update a bunch of SGs if the IPs change; you just update the Cloudflare prefix-list in one place, and it takes effect everywhere immediately.
To verify that your SG really is the problem you may want to look into your VPC flow logs and check if you have a lot of flows in state REJECT that originate from Cloudflare IPs. If you check the flow logs for the period when you are experiencing the problem you should see one of two cases: a) you have a lot of REJECT from Cloudflare IPs, or b) you don't have excessive REJECT from Cloudflare IPs.
If it is a) your SG is most likely to blame. If it is b) the traffic never makes it to AWS and your problem is external to AWS and you have to continue your troubleshooting.
CloudWatch Logs Insights may help you query and analyze your flowlogs in a meaningful way.
Upvotes: 1
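The a)/b) check the answer describes can be run offline over an exported batch of flow log records. The script below is an added example, not code from the answerer or from AWS: it parses records in the default VPC flow log format (version 2, 14 space-separated fields), tags each record as Cloudflare-origin or not by matching the source address against a list of CIDRs, and then applies the answer's rule: if a large share of the Cloudflare-origin flows are REJECT, the security group is the likely culprit; if Cloudflare traffic is mostly ACCEPT (or absent), the problem is outside AWS. The two CIDRs are taken from Cloudflare's published IPv4 list as sample data and should be replaced with the current full list; the log lines, account id and ENI id are constructed placeholders.

```python
"""Classify VPC flow log records to tell whether a security group is
rejecting Cloudflare traffic (case a) or the traffic never reaches AWS (case b).
Added example; assumes the default flow log record format."""
import ipaddress
from collections import Counter

# Sample entries from Cloudflare's published IPv4 ranges. Replace with the
# current full list (IPv4 and IPv6) before relying on the result.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("173.245.48.0/20"),
    ipaddress.ip_network("103.21.244.0/22"),
]

# Default VPC flow log layout (version 2): 14 space-separated fields.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (account id and ENI id are placeholders).
SAMPLE_LINES = [
    "2 123456789012 eni-0123456789abcdef0 173.245.48.10 10.0.1.25 51234 443 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 103.21.244.7 10.0.1.25 49876 443 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 173.245.48.11 10.0.1.25 50011 443 6 25 6120 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 198.51.100.8 10.0.1.25 40022 22 6 1 60 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 - - - - - - - 1418530010 1418530070 - NODATA",
]


def parse_flow_log(line):
    """Return a dict of fields, or None for lines not in the default format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_cloudflare(addr, ranges=CLOUDFLARE_RANGES):
    """True if addr falls inside one of the given Cloudflare CIDRs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # '-' in NODATA/SKIPDATA records
        return False
    return any(ip in net for net in ranges)


def summarize(lines, ranges=CLOUDFLARE_RANGES):
    """Count flows by (origin, action); origin is 'cloudflare' or 'other'."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["action"] not in ("ACCEPT", "REJECT"):
            continue  # skip NODATA/SKIPDATA and malformed lines
        origin = "cloudflare" if is_cloudflare(rec["srcaddr"], ranges) else "other"
        counts[(origin, rec["action"])] += 1
    return counts


def diagnose(lines, ranges=CLOUDFLARE_RANGES, reject_share=0.5):
    """Apply the answer's rule: many Cloudflare REJECTs -> SG is the likely cause;
    otherwise the traffic is not reaching AWS and the problem is external."""
    counts = summarize(lines, ranges)
    cf_reject = counts[("cloudflare", "REJECT")]
    cf_total = cf_reject + counts[("cloudflare", "ACCEPT")]
    if cf_total == 0:
        return "external"  # no Cloudflare flows seen at all
    return "security-group" if cf_reject / cf_total >= reject_share else "external"


if __name__ == "__main__":
    for (origin, action), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{origin:10} {action:6} {n}")
    print("verdict:", diagnose(SAMPLE_LINES))
```

The threshold is deliberately coarse: during an outage window the Cloudflare REJECT share jumps to nearly 100%, so a 50% cut-off separates the two cases without tuning. For production-sized logs, the same grouping (srcaddr in Cloudflare ranges, action = REJECT) is the query to run in CloudWatch Logs Insights rather than exporting the records.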