1
votes

I currently have 3 servers sitting behind an ELB on AWS.

Each of these EC2 instances sits in one of 3 separate availability zones.

I use the ELB for

  • SSL Termination

  • Distribute Load

I have already configured a VPN to access the EC2 instances for SSH access; however, I cannot get the ELB to work when I remove the public addresses from the EC2 instances...

I assumed that I could have them allow traffic only on port 80 (443 terminated on the ELB) from the ELB security group, which would mean I wouldn't need external IPs, as the ELB connects directly to them?

I assume I would also need to set up NAT for them to be able to access things externally?

Are ELBs not within a subnet?

I've tried all variations and am coming to the conclusion that they need public IPs, and I should just restrict what has access to them?

Many thanks in advance!

2
ELB is a managed service. The service in the background launches EC2 instances in the public subnet of your VPC. The public subnet can connect to your private subnet without a NAT. You will only need to set up a NAT when your instances in the private subnet need external connectivity. (Shibashis)

2 Answers

3
votes

Assuming your ELB should be publicly accessible, you'll want to set up the following:

  1. Put your ELB in public subnets.
  2. Assign to your ELB one or more security groups, allowing incoming access on port 443 from 0.0.0.0/0 and outgoing access on port 80.
  3. Create your EC2 instances, often using an Auto Scaling group, but this is not required.
  4. Put your EC2 instances in private subnets.
  5. Do not give your EC2 instances public IP addresses.
  6. Assign to your EC2 instances one or more security groups, allowing incoming access on port 80 from the ELB's security group.

If your EC2 instances require outgoing internet access:

  1. Set up a NAT (instance or gateway) in a public subnet.
  2. Update the VPC route tables of your private subnets to forward 0.0.0.0/0 traffic through the NAT.
  3. Update your EC2 instance's security group to allow outgoing connections on the ports required.

To allow incoming SSH connections to your EC2 instances:

  1. Set up your VPN or a bastion EC2 instance.
  2. Update your EC2 instance's security groups to allow incoming connections on port 22.

In all cases, restrict the security groups as much as possible:

  1. Only allow ports that you know you need, and
  2. Use /32 CIDRs wherever possible, then /24, then /16, then /8. Finally, only allow 0.0.0.0/0 if you truly need global access.
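An offline check of the layout this answer describes, added here as an example and not part of the original answer: it takes security-group rules and instance records shaped like `describe-security-groups` / `describe-instances` output (the IDs, CIDRs and addresses below are constructed, and the "wider than /16" threshold is my own reading of the CIDR guidance) and flags anything that drifts from the rules above, such as port 80 reachable from somewhere other than the ELB's group, world-open SSH, or a backend instance that still has a public IP.

```python
from ipaddress import ip_network

# Constructed sample data shaped like describe-security-groups / describe-instances
# output. All IDs and addresses are hypothetical.
ELB_SG, APP_SG = "sg-elb0001", "sg-app0001"

SECURITY_GROUPS = {
    ELB_SG: {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
             "egress": [{"port": 80, "sg": APP_SG}]},
    APP_SG: {"ingress": [{"port": 80, "sg": ELB_SG},           # web traffic only from the ELB
                         {"port": 22, "cidr": "10.8.0.0/24"},  # SSH only from the VPN range
                         {"port": 22, "cidr": "0.0.0.0/0"}],   # mistake: world-open SSH
             "egress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
}
INSTANCES = [
    {"id": "i-0a1", "sg": APP_SG, "public_ip": None},
    {"id": "i-0b2", "sg": APP_SG, "public_ip": None},
    {"id": "i-0c3", "sg": APP_SG, "public_ip": "203.0.113.10"},  # mistake: public IP
]

def audit(groups, instances, elb_sg, app_sg):
    """Return findings as strings; an empty list means the layout matches the answer."""
    findings = []
    for rule in groups[app_sg]["ingress"]:
        src = rule.get("sg") or rule.get("cidr")
        # Port 80 must be reachable only from the ELB's security group.
        if rule["port"] == 80 and rule.get("sg") != elb_sg:
            findings.append(f"{app_sg}: port 80 open to {src}, expected only {elb_sg}")
        # Any CIDR source on the backends should be tight (/32, /24, /16); wider is a finding.
        if rule.get("cidr") and ip_network(rule["cidr"]).prefixlen < 16:
            findings.append(f"{app_sg}: port {rule['port']} open to {src}, narrow the CIDR")
    # The ELB's own ingress may be world-open on 443, but on nothing else.
    for rule in groups[elb_sg]["ingress"]:
        if rule.get("cidr") == "0.0.0.0/0" and rule["port"] != 443:
            findings.append(f"{elb_sg}: port {rule['port']} open to the world")
    # Instances behind the ELB should have no public address at all.
    for inst in instances:
        if inst["sg"] == app_sg and inst["public_ip"]:
            findings.append(f"{inst['id']}: has public IP {inst['public_ip']}")
    return findings

if __name__ == "__main__":
    for line in audit(SECURITY_GROUPS, INSTANCES, ELB_SG, APP_SG):
        print(line)
```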
0
votes

I had a concern about this getting exposed to the public, where it could be exploited by DDoS. I had to front it with API Gateway and then trust in the VPC using HAProxy; more details are here: http://knowmg.blogspot.com/2017/11/why-do-i-need-haproxy-in-aws-stack.html