What's the source IP address of the traffic that Elastic Load Balancing sends to my web servers?

Short description

You can determine the IP addresses associated with an internal load balancer or an internet-facing load balancer by resolving the DNS name of the load balancer. These are the IP addresses where the clients should send the requests that are destined for the load balancer. However, Classic Load Balancers and Application Load Balancers use the private IP addresses associated with their elastic network interfaces as the source IP address for requests forwarded to your web servers. For Network Load Balancers, the source IP address of these requests depends on the configuration of its target group.

These IP addresses can be used for various purposes, such as allowing the load balancer traffic on the web servers and for request processing. It's a best practice to use security group referencing on the web server's security group inbound rules for allowing load balancer traffic from Classic Load Balancers or Application Load Balancers. However, because Network Load Balancers don't support security groups, then based on the target group configurations, the IP addresses of the clients or the private IP addresses associated with the Network Load Balancers must be allowed on the web server's security group.

Resolution

Important: The IP addresses for Classic Load Balancers and Application Load Balancers change over time. Avoid using this information to statically configure your applications to point to these IP addresses.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Find private IP addresses associated with load balancer elastic network interfaces using the AWS Management Console

1.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

2.    Under Load Balancing, choose Load Balancers from the navigation pane.

3.    Select the load balancer that you're finding the IP addresses for.

4.    On the Description tab, copy the Name.

5.    Under Network & Security, choose Network Interfaces from the navigation pane.

6.    Paste the load balancer name that you copied in step 4 in the search box. The filtered results show all elastic network interfaces associated with the load balancer.

7.    For each of the elastic network interfaces in the filtered results:
Select the elastic network interface.
Choose the Details tab.
Find the interface that contains an IP address for Primary private IPv4 IP. This is the primary private IP address of the elastic network interface.

Find private IP addresses associated with load balancer elastic network interfaces using the AWS CLI

Run the following command:

aws ec2 describe-network-interfaces --filters Name=description,Values="ELB elb-name" --query 'NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress' --output text

Replace elb-name with one of the following:

• For Classic Load Balancers: Name of the load balancer
• For Application Load Balancers: app/load-balancer-name/load-balancer-id
• For Network Load Balancers: net/load-balancer-name/load-balancer-id

For Application Load Balancers and Network Load Balancers, use the following command to find the load-balancer-id:

aws elbv2 describe-load-balancers --names load-balancer-name

The load-balancer-id is the last field of characters that follows the trailing slash after the load balancer's name in the ARN.