3
votes

I have a single ec2 instance running a website behind an elastic load balancer in aws. Mainly because I want to use Amazon's new and free ssl for https.

my challenge is, I need to whitelist my IP address in the security groups so that I am the only person that can see this website (and I can selectively add people as needed).

I've successfully whitelisted my IP address without a load balancer. my challenge is white listing my IP address with the load balancer proxy between my IP address and my ec2 instance.

it appears as if my ec2 instance will not register with the load balancer because the security group for my ec2 does not allow incoming traffic from any IP address except for my own.

I am looking for a way for my load balancer to be able to health check my ec2, yet only allow specific whitelisted ips actually see the website.

2
Are you using a Classic LB or VPC loadbalancer?error2007s
vpc load balanceruser1709076

2 Answers

8
votes

If you are using a VPC (which you really should be) then you will have a Security Group attached to the load balancer. That's where you will whitelist IP addresses. The EC2 server just needs to whitelist the Load Balancer's security group.

You can visualize it like this:

Your IP -> Security Group 1 -> Load Balancer -> Security Group 2 -> EC2 Instance(s)

Security Group 1 verifies the IP address is on the whitelist, and allows the traffic through to the load balancer. The Load Balancer sends the traffic along to one of the instances in the pool. Security Group 2 verifies that the traffic is coming from something that belongs to Security Group 1 (the load balancer), which has been whitelisted, and allows it to pass through to the EC2 instance.

0
votes

I was able to solve the issue, by changing the security group of the EC2 to allow incoming http connections on port 80 from the security group assigned to my load balancer.

and then my load balancer itself allows incoming HTTP traffic on port 80 from anywhere.

so I guess the trick here is, you can allow incoming connections from an IP or a security group.