possible to whitelist ip for inbound communication to an ec2 instance behind an aws load balancer?

Question

I have a single ec2 instance running a website behind an elastic load balancer in aws. Mainly because I want to use Amazon's new and free ssl for https.

my challenge is, I need to whitelist my IP address in the security groups so that I am the only person that can see this website (and I can selectively add people as needed).

I've successfully whitelisted my IP address without a load balancer. my challenge is white listing my IP address with the load balancer proxy between my IP address and my ec2 instance.

it appears as if my ec2 instance will not register with the load balancer because the security group for my ec2 does not allow incoming traffic from any IP address except for my own.

I am looking for a way for my load balancer to be able to health check my ec2, yet only allow specific whitelisted ips actually see the website.

Mark B Mark B · Accepted Answer · 2016-09-04T19:07:16

If you are using a VPC (which you really should be) then you will have a Security Group attached to the load balancer. That's where you will whitelist IP addresses. The EC2 server just needs to whitelist the Load Balancer's security group.

You can visualize it like this:

Your IP -> Security Group 1 -> Load Balancer -> Security Group 2 -> EC2 Instance(s)

Security Group 1 verifies the IP address is on the whitelist, and allows the traffic through to the load balancer. The Load Balancer sends the traffic along to one of the instances in the pool. Security Group 2 verifies that the traffic is coming from something that belongs to Security Group 1 (the load balancer), which has been whitelisted, and allows it to pass through to the EC2 instance.

possible to whitelist ip for inbound communication to an ec2 instance behind an aws load balancer?

2 Answers