Restrict Access to Your Elastic Beanstalk Domain While Using an ALB

0

I'm hosting an application on AWS Elastic Beanstalk (EB) in a private subnet. The security group (sg-1) for EB is configured to block all public access, which works as expected when I try to access the EB default URL from the public internet—it's blocked.

Now, I've added an external Application Load Balancer (ALB) to the setup. I updated the security group (sg-1) to allow access only from the ALB's private IP range (e.g., 15.0.1.1/16). When I access the application via the ALB's domain URL, it works fine.

However, the issue is that the EB default URL is still accessible from the public internet, even though I restricted the security group to only allow access from the private IP range. What might the reason behind it be? Is there anything configured wrong on my side?

Note: The application is hosted across a minimum of two availability zones.

How can I ensure that the application hosted on EB is only accessible through the ALB and not directly via the EB default URL?

3 answers
1
Accepted answer

Hello,

Incorrect Security Group Configuration:

  • Double-check inbound rules: Ensure that the security group (sg-1) only allows traffic from the ALB's private IP range on port 80 (or 443 for HTTPS).

Follow this document: https://trycatchdebug.net/news/1367145/elasticbeanstalk-alb-access-restriction

Expert
Answered 5 months ago
Expert
Reviewed 5 months ago
1

On a side note, 15.0.*.* are not private IP addresses. They are public IPs, registered in this case to HP Inc. (https://search.arin.net/rdap/?query=15.0.0.0).

For your VPC's IPv4 addressing, you should normally use IP addresses reserved for private use in RFC 1918. They include these ranges:

  • 10.0.0.0/8 (=10.0.0.0 through 10.255.255.255)
  • 172.16.0.0/12 (=172.16.0.0 ... 172.31.255.255)
  • 192.168.0.0/16 (=192.168.0.0 ... 192.168.255.255)

For example, 10.15.0.0/16 or 10.15.192.0/20 would be valid private IP ranges for your VPC, but 15.anything is not. There's more detailed discussion and advice in this documentation article: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html

Expert
Answered 5 months ago
Expert
Reviewed 5 months ago
  • All those IPs are valid, but they're not Elastic IPs, so they can't be used to route traffic directly to the public internet. To access the internet, you'll need a NAT Gateway or an instance with an Elastic IP. While you can choose any IP range, I as well recommend using RFC 1918 ranges for internal IPs. It's also stated in the documentation Leo shared: "We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the internet from your VPC's CIDR block, including a publicly-routable CIDR block. You must set up internet access through a gateway; for example, an internet gateway, virtual private gateway, an AWS Site-to-Site VPN connection, or AWS Direct Connect."

  • That's only half the story. When you use public IP addresses belonging to someone else in your VPC, those same IPs will be permitted on the public internet and accepted as such by AWS's services. IP address restrictions, addresses reflected in logs, and so on will consider the public IP addresses as valid when used by their legitimate holder, whenever they appear outside the VPC where they are configured as local. Also, using someone else's IPs as internal ones effectively prevents them from connecting to resources inside the VPC, so it is not correct to consider such use as "valid".

  • Thanks for the info, it helps.

1

Adding some possible solutions in addition to NARRAVULA's comment.

Solution:

  1. Use a Private EB Environment: Host your EB environment in a private subnet with a private ELB. You can follow the guide here.
  2. Restrict Security Groups: Configure your EB security group to only allow traffic from your custom ALB. See the documentation. (+1 NARRAVULA, double check this)

Additionally, for your EB environment in a private subnet, to reach internet you can use a NAT Gateway in a public subnet or VPC interface endpoints. Learn more about setting up NAT Gateways and interface endpoints.

These steps will ensure your application is only accessible through your custom ALB.

AWS
Answered 5 months ago
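The "double-check inbound rules" advice in the accepted answer, Leo's RFC 1918 point, and step 2 of the last answer all come down to auditing the EB security group's inbound rules. The following is an added example, not code from this thread or from AWS: an offline checker over rules in the shape returned by EC2 `describe-security-groups` (`IpPermissions`), run here on a constructed rule set that mirrors the question (a 15.0.1.1/16 source, a wide-open rule, and a rule referencing a hypothetical ALB security group ID). The ALB group ID and the rules are assumptions for illustration.

```python
import ipaddress

# The three RFC 1918 ranges quoted in the thread. Python's is_private is
# broader (it includes link-local, documentation ranges, etc.), so the check
# is done against these explicitly.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr: str) -> bool:
    """True only if the CIDR lies entirely inside an RFC 1918 range.
    strict=False tolerates host bits, e.g. the '15.0.1.1/16' from the question."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)

def audit_ingress(permissions, alb_sg_id):
    """Return (severity, message) findings for a security group's inbound rules.
    HIGH: open to the internet; MEDIUM: source is neither RFC 1918 nor the ALB's
    security group; INFO: source consistent with 'ALB only'."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if cidr == "0.0.0.0/0":
                findings.append(("HIGH", f"ports {ports} open to the whole internet ({cidr})"))
            elif not is_rfc1918(cidr):
                findings.append(("MEDIUM", f"ports {ports} from {cidr}, not an RFC 1918 range"))
            else:
                findings.append(("INFO", f"ports {ports} from private range {cidr}"))
        for rng in perm.get("Ipv6Ranges", []):
            if rng["CidrIpv6"] == "::/0":
                findings.append(("HIGH", f"ports {ports} open to the whole IPv6 internet"))
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair["GroupId"]
            sev = "INFO" if gid == alb_sg_id else "MEDIUM"
            findings.append((sev, f"ports {ports} from security group {gid}"))
    return findings

# Constructed sample input (hypothetical ALB group ID and rules, not real resources).
ALB_SG_ID = "sg-0alb0placeholder"
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "15.0.1.1/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
]

if __name__ == "__main__":
    for severity, message in audit_ingress(SAMPLE_PERMISSIONS, ALB_SG_ID):
        print(f"{severity:6} {message}")
```

Only the last rule, which references the ALB's own security group rather than an IP range, is consistent with the "accessible only through the ALB" goal; the first two are exactly what this thread warns about.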
