0
votes

I hope you can help me. I have successfully configured an ELB attached to two ec2 instances. ELB listens on port 443 and forwards to port 80.

Everything works as expected.

What I want to achieve now is to block all traffic to the ec2 instances except the one coming from the ELB.

I have a created a new security group:

Accept all from sg-xxxxx

Where sg-xxx is the security group of the ELB which is set to:

Accept HTTPS from 0.0.0.0/0 | 0:*

I go to the ec2 instance, remove the default SG and assign the newly created SG to accept traffic only from the ELB (networking, assign security group). The server responds with:

<html>

<head>
    <title>502 Bad Gateway</title>
</head>

<body>
    <center>
        <h1>502 Bad Gateway</h1>
    </center>
    <hr>
    <center>nginx/1.15.8</center>
</body>

</html>

What am I doing wrong?

Thank you for any help!

1
What is 0.0.0.0/10 supposed to mean? Maybe you wanted 0.0.0.0/0 for your ELB? – Marcin
@Marcin, typo, edited, thanks – 0plus1
Your instances are reachable as it is nginx/1.15.8 responding, not ELB with the error. Thus I would look at nginx? Maybe your app stopped running? – Marcin
I don't know. nginx should produce some logs. Maybe they provide some useful info? – Marcin
At the risk of asking the obvious, what if it's not the presence of the new security group, but the absence of the old one, that's causing the problem? Something else -- such as an external database or server -- is trusting this EC2 instance based on its membership in the old SG that you are removing. Disconnecting it breaks the application, resulting in the error. – Michael - sqlbot

1 Answer

0
votes

The recommended configuration would be:

  • A security group on the Load Balancer (LB-SG) with:
    • Inbound rules: ports 80 and 443 from 0.0.0.0/0
    • Outbound rules: Allow all traffic
  • A security group on each Amazon EC2 instance (App-SG) with:
    • Inbound rules: port 80 from LB-SG
    • Outbound rules: Allow all traffic

That is, the App-SG should accept inbound traffic from LB-SG by referencing the other security group.

It is recommended to always allow all outbound traffic, since applications running on your own instance should be "trusted" unless you specifically want to lock down security.
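As an added example (not part of the answer or of AWS's own tooling), the two layouts discussed on this page written as boto3-style IpPermissions dicts, plus a small evaluator that applies the stateful security-group semantics: a new connection is allowed only if the source group's egress and the destination group's ingress both permit it. Group ids and IP addresses are constructed placeholders; the evaluator is a hypothetical helper, not an AWS API. Running it shows that the asker's rules already let the ELB reach port 80, which is consistent with the comment that the 502 comes from nginx rather than from the security groups.

```python
import ipaddress

# Constructed placeholder group ids; real ids come from the AWS console or API.
LB_SG, APP_SG = "sg-lb-placeholder", "sg-app-placeholder"
ANY = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}  # allow all


def from_cidr(proto, port, cidr):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def from_group(proto, port, group_id):
    """Rule that trusts members of another security group, not an address range."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": group_id}]}


# Layout recommended in the answer: LB-SG open on 80/443, App-SG only from LB-SG.
RECOMMENDED = {
    LB_SG: {"ingress": [from_cidr("tcp", 80, "0.0.0.0/0"),
                        from_cidr("tcp", 443, "0.0.0.0/0")], "egress": [ANY]},
    APP_SG: {"ingress": [from_group("tcp", 80, LB_SG)], "egress": [ANY]},
}
# Layout described in the question: LB-SG 443 only inbound, App-SG "all from LB-SG".
ASKED = {
    LB_SG: {"ingress": [from_cidr("tcp", 443, "0.0.0.0/0")], "egress": [ANY]},
    APP_SG: {"ingress": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": LB_SG}]}],
             "egress": [ANY]},
}


def _rule_matches(rule, proto, port, peer_sg, peer_ip):
    """Does one rule cover traffic on proto/port to or from the given peer?"""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    if peer_sg and any(p["GroupId"] == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True  # matched by security-group reference
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def allowed(groups, src_sg, src_ip, dst_sg, dst_ip, proto, port):
    """True if a new connection src -> dst:port passes the source's egress rules
    and the destination's ingress rules. Security groups are stateful, so the
    reply direction needs no rule. src_sg is None for hosts outside the VPC."""
    egress_ok = src_sg is None or any(
        _rule_matches(r, proto, port, dst_sg, dst_ip) for r in groups[src_sg]["egress"])
    ingress_ok = any(
        _rule_matches(r, proto, port, src_sg, src_ip) for r in groups[dst_sg]["ingress"])
    return egress_ok and ingress_ok
```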