Using a single Elastic IP and routing on FQDN with UDP requests

0

Hello, I am working on an application that will be accessed by companies that often have strict firewall rules. To allow access they often want to allow outgoing access only by IP or CIDR block and not wildcard URL (they won't do *.example.com). In order to simplify the deployment for clients we would like to give them a limited set of IP addresses.

  • We are looking for a way to take a single IP and configure it for our entire route53 hosted zone.
  • Then route traffic based on FQDN. So that
    • abc.example.com goes to a specific target group (or ec2 instance)
    • xyz.example.com goes to a different target group (or ec2 instance)
  • We would also like to keep the source IP in the routed request.

Normally we would use an ALB to route these based on FQDN. However some of these requests will be over UDP which ALB does not support. We also want to limit the port usage so balancing on different ports instead of subdomains is not an ideal option.

  • Is there a way to use the network load balancer and route traffic based on FQDN?
  • Since I don't need load balancing is there a simple way to route incoming TCP/UDP requests to a specific ec2 instance that I am missing?
    • Can this be done with a network interface or AWS firewall and basic routing rules?
2 Answers
0

Hello

You can use ALB and NLB. As we do not have the rules for NLB, we can use ALB for redirecting to targets. Here is the flow:

Please check the example design (look at ALB and NLB only): https://miro.medium.com/max/700/1*YuG-jq-PGFfiHlsI7daA2w.png

Configuration:

  • Create First Target Group --> as EC2 instances can be used for the ALB
  • Create Second Target Group --> as target ALB
  • Create Application Load Balancer and assign target group **First Target Group**; these are your EC2
  • Create Network Load Balancer to manage the traffic of UDP/TCP and assign target group **Second Target Group**; this is the ALB
  • If you would like to add rules based on path or host you can use ALB

Please let me know if you have any questions

Thank You GK

GK
answered 2 years ago
0

Thanks for your suggestion. In your diagram, when the UDP traffic comes in through the IGW, the ALB will handle that UDP traffic before going to the NLB? Do you have any documentation on the ALB handling UDP traffic, as everything I have read lists that as a limitation? If that is the case I don't even need an NLB, but my entire problem was that the NLB could not do host-based routing and that the ALB could not route UDP traffic.

I don't even need a load balancer as much as I just need basic routing rules. I want to have

  • abc.example.com
  • def.example.com
  • ghi.example.com

Today they route to

  • abc.example.com -> route53 -> ec2 random aws public IP
  • def.example.com -> route53 -> different ec2 different public IP
  • ghi.example.com -> route53 -> third different ec2 different public IP

What I want is

  • abc.example.com -> route53 -> elastic IP
  • def.example.com -> route53 -> same elastic IP as above
  • ghi.example.com -> route53 -> same elastic IP as above

In a non-cloud world I would have all of those as my local ISP provided IP address. Then in my firewall I would assign requests to

  • abc.example.com -> internal IP 1 (and allow port rules)
  • def.example.com -> internal IP 2 (and allow port rules)
  • ghi.example.com -> internal IP 3 (and allow port rules)

So I am using 1 public IP and handling the mapping. I feel like this should be a very easy thing to configure, but I can't figure it out.

answered 2 years ago
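The reply above asks why the firewall-style mapping "abc.example.com -> internal IP 1" cannot be reproduced for UDP on a single Elastic IP. The added example below (not code from the thread or from AWS) makes the constraint concrete: it builds a constructed IPv4/UDP datagram and an HTTP request, then extracts every field each layer offers for a routing decision. The L3/L4 headers, which are all an NLB or security group sees, carry source and destination addresses and ports but no hostname, so three names resolving to the same Elastic IP arrive indistinguishable; the hostname only exists at L7 in the HTTP Host header, which is what an ALB host-based rule matches. The addresses, ports and the port-to-instance table are placeholders invented for this example.

```python
import socket
import struct
from typing import Optional

# Constructed sample values for this example (documentation ranges, not real hosts).
ELASTIC_IP = "203.0.113.10"   # the single public IP clients would allow-list
CLIENT_IP = "198.51.100.7"    # a client behind a corporate firewall


def build_ipv4_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   payload: bytes) -> bytes:
    """Build a minimal IPv4 + UDP datagram (checksums left zero; enough for parsing)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, IHL 5 (20-byte header)
                         0,               # TOS
                         20 + udp_len,    # total length
                         0, 0,            # identification, flags/fragment offset
                         64,              # TTL
                         17,              # protocol: UDP
                         0,               # header checksum (not computed here)
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + udp_hdr + payload


def udp_routing_keys(packet: bytes) -> dict:
    """Return every field an L3/L4 device (NLB, security group, NAT) can match on.

    Note what is absent: nothing in the IP or UDP header names the FQDN the
    client resolved, so all names pointing at one IP look identical here.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP datagram")
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    src_port, dst_port, _length, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {"src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def http_host(request: bytes) -> Optional[str]:
    """The L7 key an ALB host-header rule matches: the Host header of an HTTP request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0]  # drop any :port
    return None


# With one IP and no hostname in the UDP headers, the destination port is the only
# key left for choosing an internal target. Hypothetical private addresses.
UDP_PORT_MAP = {
    5000: "10.0.1.10",   # hypothetical: service clients reach as abc.example.com
    5001: "10.0.1.11",   # hypothetical: service clients reach as def.example.com
}

# For HTTP the hostname survives end to end, so the same one IP can fan out by name.
HOST_MAP = {"abc.example.com": "10.0.1.10", "def.example.com": "10.0.1.11"}


def pick_udp_target(packet: bytes) -> Optional[str]:
    """Port-based dispatch for UDP arriving at the Elastic IP; None if unroutable."""
    keys = udp_routing_keys(packet)
    if keys["dst_ip"] != ELASTIC_IP:
        return None
    return UDP_PORT_MAP.get(keys["dst_port"])


def pick_http_target(request: bytes) -> Optional[str]:
    """Host-based dispatch, the decision an ALB host-header rule makes."""
    host = http_host(request)
    return HOST_MAP.get(host) if host else None


if __name__ == "__main__":
    dgram = build_ipv4_udp(CLIENT_IP, ELASTIC_IP, 40000, 5001, b"hello")
    print(udp_routing_keys(dgram))   # source IP is preserved; no hostname is present
    print(pick_udp_target(dgram))    # chosen by port only
    req = b"GET / HTTP/1.1\r\nHost: abc.example.com\r\n\r\n"
    print(pick_http_target(req))     # chosen by hostname
```

The practical reading for the thread: name-based fan-out behind one address works where the protocol carries the name (HTTP via ALB host rules), while UDP on a shared Elastic IP can only be separated by destination port, which is the port-based option the question already weighs. Resolving several names to one Elastic IP via Route 53 does not change what the datagram contains when it arrives.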
