Possible to whitelist an IP for inbound communication to an EC2 instance behind an AWS load balancer?
I have a single EC2 instance running a website behind an Elastic Load Balancer in AWS, mainly because I want to use Amazon's new and free SSL for HTTPS.

My challenge is, I need to whitelist my IP address in the security groups so that I am the only person who can see this website (and I can selectively add people as needed).

I've successfully whitelisted my IP address without a load balancer. My challenge is whitelisting my IP address with the load balancer proxy between my IP address and my EC2 instance.

It appears as if my EC2 instance will not register with the load balancer because the security group for my EC2 does not allow incoming traffic from any IP address except for my own.

I am looking for a way for my load balancer to be able to health check my EC2, yet only allow specific whitelisted IPs to actually see the website.

Unit answered 4/9, 2016 at 16:59
Comments:
Are you using a Classic LB or VPC load balancer? (Grapheme)
VPC load balancer. (Unit)

If you are using a VPC (which you really should be) then you will have a Security Group attached to the load balancer. That's where you will whitelist IP addresses. The EC2 server just needs to whitelist the Load Balancer's security group.

You can visualize it like this:

Your IP -> Security Group 1 -> Load Balancer -> Security Group 2 -> EC2 Instance(s)

Security Group 1 verifies the IP address is on the whitelist, and allows the traffic through to the load balancer. The Load Balancer sends the traffic along to one of the instances in the pool. Security Group 2 verifies that the traffic is coming from something that belongs to Security Group 1 (the load balancer), which has been whitelisted, and allows it to pass through to the EC2 instance.

Inattention answered 4/9, 2016 at 19:7
Comments:
Can I whitelist another security group in the load balancer's security group? (Colston)
@Jayaprakash, yes, you do that by entering the security group ID in the source field. (Inattention)
No, it is not working if I give a security group ID (the group of EC2 instances is in this security group) in the source field, whereas if I enter the IP of the EC2 instance, it works. (Colston)
@Colston you probably need to post that as a separate question on this site with more details then. (Inattention)
Is it possible to whitelist some IPs using SSH in AWS EC2? (Florella)
@Camit1dk yes, you would whitelist those IPs for port 22 in the security group. (Inattention)
@MarkB Thanks, how can I do that through the command line (SSH)? (Florella)

I was able to solve the issue by changing the security group of the EC2 instance to allow incoming HTTP connections on port 80 from the security group assigned to my load balancer.

And then my load balancer itself allows incoming HTTP traffic on port 80 from anywhere.

So I guess the trick here is: you can allow incoming connections from an IP or from a security group.

Unit answered 5/9, 2016 at 15:55
Comments:
I thought you wanted to restrict it to just your IP, in which case you should whitelist your IP in the load balancer security group instead of opening it to all IPs. (Inattention)
That is correct, I'm still working on that part. For some reason I cannot assign the security group that I want (containing the whitelist) to my load balancer. When I go to: Load Balancing > Load Balancers > my-load-balancer > Description > Security > Edit security groups, the security group that I created does not show up; I just see default security groups which allow all traffic. (Unit)
You have to assign the security group when you create the ELB, you can't assign a different group later. You might need to recreate the ELB now. (Inattention)
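As an added illustration of the two-group chain described in the accepted answer and in the asker's own solution (this is not code from the thread), here is the same setup written as Terraform. It assumes the AWS provider, an existing VPC passed in as `var.vpc_id`, and a placeholder whitelist address `203.0.113.10/32`; the resource and variable names are made up for this example.

```hcl
variable "vpc_id" { type = string }           # existing VPC (assumption)
variable "allowed_cidrs" {                    # the whitelist; 203.0.113.10/32 is a placeholder
  type    = list(string)
  default = ["203.0.113.10/32"]
}

# Security Group 2: attached to the EC2 instance. It carries no CIDR-based
# ingress at all; its only ingress rule is added further down.
resource "aws_security_group" "web" {
  name   = "web-from-alb-only"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security Group 1: attached to the load balancer. Ingress only from the
# whitelist, egress only to the instance group on the backend port.
resource "aws_security_group" "alb" {
  name   = "alb-whitelist"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs
  }
  egress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
}

# The rule that makes the chain work: port 80 on the instance accepts
# traffic from any interface that carries Security Group 1 (the load
# balancer's nodes, including their health checks), not from any IP.
# Kept as a separate resource so the two groups can reference each other
# without a dependency cycle.
resource "aws_security_group_rule" "web_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.web.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
```

Attach the `alb` group through the load balancer's `security_groups` argument and the `web` group through the instance's `vpc_security_group_ids`. A group-ID source only matches interfaces in the same VPC (or a peered one), which is the first thing to check when, as in the comments above, an IP source works but a group source does not.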