Correct way to define ALB and the security groups needed in CF Template

0

I am trying to get a handle on how to you define an ALB, its Listeners, Target group and Security groups in a CF Template. So I wrote out this sudo code listing. Is this correct if the ALB is Internal, listening on port 443 for traffic and sending that traffic to port 80 on the instance webserver?

  • ALB
  • Properties:
    
  •     Type: internal
    
  •     Listener: 80
    
  •     Listener: 443
    
  •     Subnets
    
  •     SecurityGroups
    
  •     LBAttributes
    
  • ALBListener80
  • Properties:
    
  •     Reference: ALB
    
  •     Port: 80
    
  •     Redirect rule to port 443
    
  • ALBListener443
  • Properties:
    
  •     Reference: ALB
    
  •     Port: 443
    
  •     SSL Policy
    
  •     Certificate
    
  •     Forward rule to ALBTarget80
    
  • ALBTarget80
  • Properties:
    
  •     Port: 80
    
  •     VPCid
    
  •     TargetgroupAttributes
    
  •     Registered instance(s)
    
  •     Healthcheck
    
  •     Check port 80
    
  • ALBSecurityGroup
  • Ingress rules:
    
  •     Allow port 80 from VPC CIDR
    
  •     Allow port 443 from VPC CIDR
    
  • Egress rules:
    
  •     Allow port 80 to InstanceSecurityGroup
    
  •     Allow port 443 to InstanceSecurityGroup
    
  •     Allow All traffic to 127.0.0.1/32
    
  • InstanceSecurityGroup
  • Ingress rules:
    
  •     Allow port 80 from VPC CIDR
    
  •     Allow port 443 from VPC ALBSecurityGroup
    
  • Egress rules:
    
  •     Allow all to 0.0.0.0/0
    

Am I looking at this correctly?

asked a year ago257 views
1 Answer
0
Accepted Answer

Hi, that's roughly right.

Your ALBSecurityGroup only needs egress on port 80 to the InstanceSecurityGroup.

Your InstanceSecurityGroup only needs ingress on port 80 from the ALBSecurityGroup.

Your InstanceSecurityGroup doesn't need any egress rules for this purpose, but may need some to support its functionality.

EXPERT
answered a year ago
profile pictureAWS
EXPERT
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions