How can I connect to an internet-facing Application Load Balancer using its internal IP addresses?
Situation:
- Multi-Account Setup using a centralized Network Account
- Within the Network Account, there is an internet-facing Application Load Balancer used for our IdP / PingFederate
- Applications hosted in AWS should connect to IdP / Application Load Balancer using its internal IP addresses
Issue:
- I am not able to find a way to resolve the internal IP addresses of the internet-facing Application Load Balancer using a comfortable approach
What I tested:
- Utilize Route53 "Default .2 Resolver" -> Issue: It resolved only to the Public IPs of the ALB
- Created a Private Hosted Zone for my IdP's URL and created an A record alias to my ALB -> Issue: Again, it resolved only to the public IPs of the ALB
- Created a Private Hosted Zone for my IdP's URL and created an A record with the internal IPs of the ALB's ENIs -> Issue: The internal IP addresses of an ALB may change, hence this is a setup where I need additional coding (e.g. running a Lambda every few minutes to update my PHZ entries)
Looking for any input that may help.
Are there any other recommendations that do not lead to the additional cost of one NLB per stage?
Quick update: We are now using this solution. Background: We use an NLB in our setup anyway to have static IPs for the on-prem firewall. Now we have two communication flows. A) Internet -> ALB -> NLB (port 444) -> on-prem IdP; B) AWS resource -> NLB (port 443) -> ALB -> same NLB (port 444) -> on-prem IdP. We utilize a Route53 Private Hosted Zone to resolve the IdP domain to the NLB's internal IPs. Thanks Thushar!
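The third approach the post lists (a scheduled Lambda that looks up the ALB's ENI private IPs and upserts them into the private hosted zone) is easy to get subtly wrong for an IdP endpoint: a stale or empty record, or one that picks up an ENI that is not the ALB's, silently redirects every token exchange. The following is an added example, not code from the post or any answer on it; it shows the sync with the safety checks a practitioner would want. The ALB ARN, hosted zone ID and record name are placeholders, the ENI and record-set samples are constructed, and it relies on the real boto3 calls `describe_network_interfaces`, `list_resource_record_sets` and `change_resource_record_sets`.

```python
"""Keep a Route 53 private hosted zone A record in sync with an ALB's ENI private IPs.

Added example (not the post's code). ALB-owned ENIs carry the description
"ELB app/<alb-name>/<id>", which is what the lookup keys on.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Hypothetical identifiers; replace with your own.
ALB_ARN = "arn:aws:elasticloadbalancing:eu-central-1:123456789012:loadbalancer/app/idp-alb/50dc6c495c0c9188"
HOSTED_ZONE_ID = "Z0123456789ABCDEFGHIJ"
RECORD_NAME = "idp.example.internal"
TTL = 60  # short TTL: ALB ENI addresses can change at any time


def alb_eni_description(alb_arn: str) -> str:
    """The ENI description is 'ELB ' followed by the ARN's resource suffix."""
    return "ELB " + alb_arn.split(":loadbalancer/", 1)[1]


def private_ips_from_enis(enis: Iterable[dict], expected_description: str) -> list[str]:
    """Private IPv4 addresses of in-use ENIs that belong to the ALB.

    The description is re-checked client-side even though the API filter already
    matched it: an IdP record must never point at someone else's ENI.
    """
    ips: set[str] = set()
    for eni in enis:
        if eni.get("Description") != expected_description or eni.get("Status") != "in-use":
            continue
        for addr in eni.get("PrivateIpAddresses", []):
            ip = addr.get("PrivateIpAddress")
            if ip and ipaddress.ip_address(ip).is_private:
                ips.add(ip)
    return sorted(ips, key=ipaddress.ip_address)


def current_record_ips(record_sets: Iterable[dict], record_name: str) -> list[str]:
    """Sorted A-record values currently published for record_name (Route 53 adds a trailing dot)."""
    wanted = record_name.rstrip(".").lower()
    for rrset in record_sets:
        if rrset.get("Type") == "A" and rrset["Name"].rstrip(".").lower() == wanted:
            return sorted((r["Value"] for r in rrset.get("ResourceRecords", [])),
                          key=ipaddress.ip_address)
    return []


def build_change_batch(record_name: str, ips: list[str], ttl: int = TTL) -> dict:
    """Route 53 UPSERT payload; refuses to publish an empty record set."""
    if not ips:
        raise ValueError("no ALB ENI IPs found; refusing to publish an empty record set")
    rrset = {"Name": record_name, "Type": "A", "TTL": ttl,
             "ResourceRecords": [{"Value": ip} for ip in ips]}
    return {"Comment": "ALB internal IP sync",
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rrset}]}


def sync_record(alb_arn: str = ALB_ARN, hosted_zone_id: str = HOSTED_ZONE_ID,
                record_name: str = RECORD_NAME, ttl: int = TTL) -> tuple[list[str], bool]:
    """Look up the ALB's ENIs and UPSERT the PHZ record only when it has drifted.

    IAM needed: ec2:DescribeNetworkInterfaces plus route53:ListResourceRecordSets
    and route53:ChangeResourceRecordSets restricted to this one hosted zone.
    """
    import boto3  # lazy import so the pure helpers above run without AWS access

    ec2 = boto3.client("ec2")
    r53 = boto3.client("route53")
    description = alb_eni_description(alb_arn)
    pages = ec2.get_paginator("describe_network_interfaces").paginate(
        Filters=[{"Name": "description", "Values": [description]},
                 {"Name": "status", "Values": ["in-use"]}])
    enis = [eni for page in pages for eni in page["NetworkInterfaces"]]
    ips = private_ips_from_enis(enis, description)

    existing = r53.list_resource_record_sets(
        HostedZoneId=hosted_zone_id, StartRecordName=record_name,
        StartRecordType="A", MaxItems="1")["ResourceRecordSets"]
    if current_record_ips(existing, record_name) == ips:
        return ips, False  # already correct; no Route 53 write
    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                    ChangeBatch=build_change_batch(record_name, ips, ttl))
    return ips, True


def lambda_handler(event, context):
    """Entry point for a scheduled (EventBridge rule) Lambda."""
    ips, changed = sync_record()
    return {"ips": ips, "changed": changed}


# Constructed sample data (not real API output) exercising the filtering.
SAMPLE_ENIS = [
    {"Description": "ELB app/idp-alb/50dc6c495c0c9188", "Status": "in-use",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.2.42"}]},
    {"Description": "ELB app/idp-alb/50dc6c495c0c9188", "Status": "in-use",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.1.15"}]},
    {"Description": "ELB app/other-alb/0123456789abcdef", "Status": "in-use",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.3.7"}]},
    {"Description": "ELB app/idp-alb/50dc6c495c0c9188", "Status": "available",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.4.9"}]},
]
SAMPLE_RECORD_SETS = [
    {"Name": "idp.example.internal.", "Type": "A", "TTL": 60,
     "ResourceRecords": [{"Value": "10.20.2.40"}, {"Value": "10.20.1.15"}]},
]

if __name__ == "__main__":
    print(private_ips_from_enis(SAMPLE_ENIS, alb_eni_description(ALB_ARN)))
```

Two design points matter for an IdP record. First, the function never publishes an empty set and only writes when the published values differ from the ENI lookup, so a transient API failure cannot blank the record and the zone's change history stays readable. Second, the short TTL bounds how long clients hold an address after the ALB rotates ENIs; with a 5-minute schedule and a 60-second TTL the worst case is roughly six minutes of failed connections, which is the trade-off against paying for an NLB per stage that the post ultimately accepted.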