3
votes

I've implemented this solution provided by AWS: Using static IP addresses for Application Load Balancers but I came across a problem.

I need to whitelist some static IPs, and since this solution requires the targets to communicate via IPs instead of instances, IP preservation is not done on the NLB, as mentioned here: Target Groups for Your Network Load Balancers.

So, I can't really do a whitelist on either the Security Groups or the NACLs.

Does anyone have a solution to this problem while maintaining this architecture?

1
After speaking with an AWS TAM and AWS solution architect, a possible solution is to use AWS Global Accelerator. This acts as basically a "cloudfront proxy" to the ALB. Another "solution" is to put a haproxy instance in between the NLB and ALB, turn Proxy Protocol on for the target group from the NLB to haproxy, and have haproxy set X-Forwarded-For before sending on to the ALB. At the ALB, use AWS WAF to parse X-Forwarded-For as a quasi-security whitelist. While that may work, it is such a Rube Goldberg solution as not to be a Stack Overflow "answer." – Electrawn

Another potential solution is to use Nginx+ in front of a single load balancer. Nginx+ can whitelist IPs as well as preserve the IP addresses in X-Forwarded-For, and can be dynamically updated on the fly without a restart. Might not be the right solution, but that might be another way to skin the cat. Worth a look imo. – Michael Quale

1 Answer

0
votes

Have you checked out the section "The steps the Lambda function takes" in the article that you mentioned, Using static IP addresses for Application Load Balancers?

You can get the IPs to whitelist from the AWS S3 bucket as well as the AWS CloudWatch stream. You can even automate the process of updating the Security Group inbound and outbound rules, either by updating the same AWS Lambda function or by creating your own and using AWS SDK API calls like authorize_security_group_ingress() and revoke_security_group_ingress() via a Lambda function triggered on object upload (new IP list) to S3.
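The S3-triggered sync described above, as an added example that is not the AWS blog's own Lambda: it reads the uploaded IP list, diffs it against the group's current TCP/443 rules, and calls authorize_security_group_ingress() / revoke_security_group_ingress() through boto3 only for the difference, failing closed on an empty list. The SECURITY_GROUP_ID environment variable, port 443 and the one-address-per-line list format are assumptions.

```python
import ipaddress
import os
from urllib.parse import unquote_plus

PORT = 443  # assumption: the ALB listener port the allowlist applies to

def parse_ip_list(text):
    """Parse one IP or CIDR per line ('#' comments and blank lines ignored) into canonical CIDRs."""
    cidrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cidrs.add(str(ipaddress.ip_network(line, strict=False)))  # rejects junk; 1.2.3.4 -> 1.2.3.4/32
    return cidrs

def current_cidrs(group, port=PORT):
    """CIDRs already allowed on TCP `port` in one describe_security_groups() SecurityGroups entry."""
    return {r["CidrIp"] for p in group.get("IpPermissions", [])
            if p.get("IpProtocol") == "tcp" and p.get("FromPort") == port and p.get("ToPort") == port
            for r in p.get("IpRanges", [])}

def plan_changes(desired, current):
    return sorted(desired - current), sorted(current - desired)  # (to authorize, to revoke)

def ip_permissions(cidrs, port=PORT):
    """IpPermissions structure expected by authorize_/revoke_security_group_ingress()."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]

def lambda_handler(event, context):
    """Entry point for an S3 ObjectCreated trigger; SECURITY_GROUP_ID (assumed env var) names the ALB's group."""
    import boto3  # imported here so the pure helpers above can be tested without boto3 installed
    s3, ec2 = boto3.client("s3"), boto3.client("ec2")
    sg_id = os.environ["SECURITY_GROUP_ID"]
    rec = event["Records"][0]["s3"]
    obj = s3.get_object(Bucket=rec["bucket"]["name"], Key=unquote_plus(rec["object"]["key"]))
    desired = parse_ip_list(obj["Body"].read().decode())
    if not desired:  # fail closed: an empty or unreadable list must not strip every rule
        raise ValueError("refusing to apply an empty allowlist")
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    to_add, to_revoke = plan_changes(desired, current_cidrs(group))
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(to_add))
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(to_revoke))
    return {"added": to_add, "revoked": to_revoke}
```

Rules on other ports (for example SSH on 22) are left untouched, so the sync cannot lock out anything outside the listener port it manages.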