3
votes

If I have the following VPC in AWS:

10.0.0.0/16, and I provision an application load balancer (internal), and AWS selects the following IP addresses for me, 10.0.0.9 and 10.0.0.12, inside the subnets I choose.

Question: Do the internal addresses (10.0.0.9 and 10.0.0.12) that are picked ever change for the life of the load balancer?

I understand that if I delete the load balancer, it will pick new ones. I also understand that an internet-facing application load balancer's IP changes regularly (and that's why people use Network Load Balancers for static IPs), but not much is said about the private internal IPs associated with the load balancers.

Any information would be great.

3
Why do you want to know this? It seems there's a different question that you're not asking but should be. – kdgregory
@kdgregory whitelist for firewall – Sim
OK, and the follow-on would be "why are security groups not sufficient?" – kdgregory
But I guess you've got the answer you wanted. Incidentally, if for some reason you do need on-host firewall rules, I would recommend putting your load balancers into their own public subnet, then allowing traffic from the entire subnet. – kdgregory
I can think of a few, but they're rarely good ones. Many if not most people who come here asking for detailed information without context are thinking of one of the bad solutions (aka an "x-y" problem: they ask about X but they really want to do Y). Thus my questions, which would have made it easier to give your question a good answer. – kdgregory

3 Answers

4
votes

Yes, they could change for application load balancers.

As the application load balancer scales with traffic it will "launch" more instances behind the scenes and use more IPs in your subnets (ENI creation). You don't see those instances in the console, but you can have a look at the elastic network interfaces in the console. When it scales down, it's not guaranteed that you get the same IPs. This is why you always need some free space in the subnets used by your application load balancer.

Network load balancers have static private IPs (one ENI per availability zone). Those can be used in the security group of your instances, see Target Security Groups.

1
votes

Yes, it may change within the range provided... When more instances are launched, whether an ASG is configured or not, due to increased load on the application, more IPs can be used instead of the old ones, and they are within the range of your subnet parameters.

1
votes

I'm looking for a way to allow private traffic over the public ELB for inter-region communication between the workers. One way to do this is by checking the private IPs from the ELB frequently and updating the DNS record. Getting the private IPs is possible with the CLI:

aws ec2 describe-network-interfaces --region "us-west-1" --filters Name=requester-id,Values='amazon-elb' | jq -r '.NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress'

This will give you back a list of used IPs (the number depends on the number of availability zones selected when creating the load balancer).

Next step would be to update this in Route53 when changed.

Lambda might be an idea to do this, but I noticed that getting these IPs takes some time, and it sometimes even hits the 3-second timeout of Lambda. So I'm looking for a better way to do this.
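The polling approach from the answer above (describe the ELB-owned ENIs, then update Route53 when the set of private IPs changes) as an added example in Python; this is not code from the post. It assumes boto3 is installed for the live path, and the load balancer name, hosted zone id and record name are placeholders; the sample API response is constructed so the pure helpers can be run offline.

```python
# Constructed describe-network-interfaces response (real API shape; the
# IPs, names and ids are made up) as returned for requester-id=amazon-elb.
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {"Description": "ELB app/internal-web/0123456789abcdef",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.9"}]},
        {"Description": "ELB app/internal-web/0123456789abcdef",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.12"}]},
        {"Description": "ELB app/other-alb/fedcba9876543210",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.7"}]},
    ]
}

def elb_private_ips(response, lb_name):
    """Private IPs of the ENIs that belong to one ALB. ALB-owned ENIs carry
    a Description "ELB app/<name>/<id>" (assumed convention); filtering on
    it keeps other load balancers in the same VPC out of the record."""
    prefix = f"ELB app/{lb_name}/"
    return sorted({addr["PrivateIpAddress"]
                   for eni in response.get("NetworkInterfaces", [])
                   if eni.get("Description", "").startswith(prefix)
                   for addr in eni.get("PrivateIpAddresses", [])})

def route53_upsert(record_name, ips, current_ips, ttl=60):
    """ChangeBatch for the A record, or None when the IP set is unchanged.
    Keep the TTL short: resolvers caching the old set keep sending traffic
    to addresses the ALB may already have released during scale-in."""
    if sorted(current_ips) == list(ips):
        return None
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": record_name, "Type": "A", "TTL": ttl,
        "ResourceRecords": [{"Value": ip} for ip in ips]}}]}

def sync_record(lb_name, zone_id, record_name, region="us-west-1"):
    """Live variant: one EC2 describe call, one Route53 change if needed."""
    import boto3  # imported lazily so the helpers above run without AWS
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "requester-id", "Values": ["amazon-elb"]}])
    r53 = boto3.client("route53")
    rrsets = r53.list_resource_record_sets(
        HostedZoneId=zone_id, StartRecordName=record_name,
        StartRecordType="A", MaxItems="1")["ResourceRecordSets"]
    current = [rr["Value"] for rrset in rrsets
               if rrset["Name"].rstrip(".") == record_name.rstrip(".")
               for rr in rrset.get("ResourceRecords", [])]
    batch = route53_upsert(record_name, elb_private_ips(resp, lb_name), current)
    if batch:
        r53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=batch)
    return batch
```

Because the ALB can add or release addresses between two polls, a DNS record that mirrors them is only ever eventually consistent; the security-group or whole-subnet approaches from the other answers and comments do not have that gap.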