Missing Global Accelerator source IPs?

0

Hi,
I have a Global Accelerator endpoint that routes traffic through a Network Load Balancer to a group of EC2 instances. Since I only want to accept traffic from Global Accelerator I want to whitelist the Global Accelerator source IPs as described in https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-ip-ranges.html
and block everything else.

I have, however, noted that there are incoming requests to the EC2 instances from Global Accelerator in the interval
13.248.100.0/24, which is not tagged with GLOBALACCELERATOR in the aforementioned document.

Could it be an error in https://ip-ranges.amazonaws.com/ip-ranges.json?

Thanks,
Anders

asked 4 years ago, 173 views
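One way to run the check the question describes, as an added example that is not part of the original thread: load ip-ranges.json, build the set of prefixes tagged GLOBALACCELERATOR, and report whether an observed source IP is covered by that set, covered only by prefixes carrying other service tags, or not listed at all. The JSON excerpt below is constructed to mirror the file's shape; the prefixes and tags in it are made up for illustration, not taken from the live file.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The entries are invented for this example; fetch the real file to audit production.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2019-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.248.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "13.248.101.0/24", "region": "GLOBAL", "service": "GLOBALACCELERATOR"},
        {"ip_prefix": "13.248.101.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
})


def load_prefixes(ip_ranges_json):
    """Map each IPv4 prefix in the file to the set of service tags it carries."""
    data = json.loads(ip_ranges_json)
    tagged = {}
    for entry in data["prefixes"]:
        net = ipaddress.ip_network(entry["ip_prefix"])
        tagged.setdefault(net, set()).add(entry["service"])
    return tagged


def accelerator_allowlist(tagged):
    """Prefixes an allow-only-Global-Accelerator security group rule would admit."""
    return sorted(n for n, services in tagged.items() if "GLOBALACCELERATOR" in services)


def classify_source(ip, tagged):
    """Classify an observed source IP against the published prefixes.

    Returns ('allowed', prefixes) when a covering prefix is tagged GLOBALACCELERATOR,
    ('listed-untagged', prefixes) when it is covered only by other service tags (the
    mislabelling the question reports), or ('unknown', []) when no prefix covers it.
    """
    addr = ipaddress.ip_address(ip)
    covering = {n: s for n, s in tagged.items() if addr in n}
    names = sorted(str(n) for n in covering)
    if any("GLOBALACCELERATOR" in s for s in covering.values()):
        return "allowed", names
    if covering:
        return "listed-untagged", names
    return "unknown", []
```

Replace SAMPLE_IP_RANGES with the downloaded file's contents to audit real traffic; a source classified as "listed-untagged" is the case worth raising with AWS before it is silently dropped by the allow list.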
7 Answers
1

Starting today, your applications running on Application Load Balancers (ALB) fronted by AWS Global Accelerator can see the original source IP address of the client. This enables you to apply client-specific logic such as IP address or location-based filters by using AWS WAF, as well as gather connection statistics and serve personalized content for your applications. Additionally, you can front an internal ALB with Global Accelerator. This lets you use Global Accelerator as the single internet-facing access point while keeping your ALB private and protecting your applications running on AWS from distributed denial of service (DDoS) attacks. For existing ALBs configured behind an accelerator, we recommend transitioning slowly to use this feature. Find out more about how to enable this feature for existing ALB endpoints in this documentation: https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.transition-to-IP-preservation.html. Also, you can refer to Jeff Barr's blog post here: https://aws.amazon.com/blogs/aws/new-client-ip-address-preservation-for-aws-global-accelerator/

answered 3 years ago
1

Hello, that is great news for ALB. Unfortunately we do use NLB with our own SSL services (since we have many certificates). Using Global Accelerator prevents us from blocking rogue web scrapers / bots / brute force attacks...

So preserving the IP address is kind of critical. This would also allow us to reduce cloud cost (i.e. not pay for the bandwidth of rogue scanners?).

answered 3 years ago
0

Hi Anders,

You're right. The IP prefix you've listed is in use by Global Accelerator edge servers but is labeled incorrectly in ip-ranges.json. After performing an audit I see this is the case for a number of other IP prefixes as well. Global Accelerator is frequently expanding its edge location footprint and allowed the published list to get out of sync. We'll get this corrected and I'll follow up with an ETA.

I'd also like to understand your use case a little better. A frequently requested feature is for Global Accelerator to preserve the client IP address on IP packets that are received by your endpoints behind the accelerator, such as your NLB. This means Security Group rules would apply to the actual client IP address. If that feature were available, would you still wish to restrict access to receiving traffic only from Global Accelerator edge servers?

Thanks,
Harvo

answered 4 years ago
0

Hi Harvo,
and thanks for the fast reply. I am looking forward to the updated version of ip-ranges.json.

Our use case assumes that there are clients connecting from arbitrary locations, so security group rules based on client IP wouldn't be our case. We would still want to restrict access to receiving traffic only through Global Accelerator, in one way or another.

Thanks,
Anders

answered 4 years ago
0

Hi Anders,

The prefix 13.248.100.0/24 is now properly associated with the service GLOBALACCELERATOR in ip-ranges.json. It was the only missing IP prefix, I was wrong when I assumed more were missing.

Thanks, and let us know if you have further questions.
Harvo

answered 4 years ago
0

Yeah! We need the feature to block the client's actual IP address on the security group.

answered 3 years ago
0

We are pleased to announce that starting today, your applications running on Amazon EC2 instances can be directly fronted by AWS Global Accelerator. Before, you needed to use an Application Load Balancer, Network Load Balancer, or Elastic IP address to front an EC2 instance with Global Accelerator. Now, you can use Global Accelerator directly as your single internet-facing access point for your EC2 instances, improving availability and performance of applications with local or global users.

To front an EC2 instance with Global Accelerator, you simply create an accelerator and add the EC2 instance as an endpoint using the EC2 instance ID. To control what internet traffic reaches your EC2 instance, we recommend you use security groups in your Amazon Virtual Private Cloud. Additionally, Global Accelerator preserves the source IP address of the client all the way to the EC2 instance, which enables you to apply client-specific logic and serve personalized content for your TCP and UDP applications.

Edited by: awsmarcoc on Oct 29, 2019 5:17 PM

answered 3 years ago
