
Private Subnet to Internet-facing ALB


Let's say I have a VPC with 3 subnets - 2 private and 1 public. I have a service "A" in private subnet 1 and another service "B" in the other private subnet 2. For this service B, I have an internet-facing load balancer in the public subnet. This ALB is restricted and only allows certain whitelisted IPs. Now, service "A" has to reach service B via the ALB; how can I do so? Can I directly whitelist the private IP of service A in the ALB? Will that work? Or do I need a NAT Gateway? If so, then why, as they are all in the same VPC?

1 Answer

To enable service A in private subnet 1 to reach service B through the internet-facing ALB in the public subnet, you have a few options:

  1. Direct private IP communication: Since both services are in the same VPC (though different private subnets), service A can directly communicate with service B using private IP addresses without going through the ALB. This is the most efficient approach for internal communication.

  2. Using the ALB's private IP or DNS name: If you specifically need service A to communicate with service B through the ALB (for load balancing or other features), you can use the ALB's private DNS name or IP for internal communication. The ALB can handle traffic from within the VPC without requiring the traffic to go out to the internet and back.

  3. Whitelisting service A's private IP: If you want service A to access service B through the ALB's public endpoint, you would need to whitelist service A's source IP in the ALB's security group. However, this approach has a complication: when service A tries to reach the ALB's public endpoint, the traffic would need to leave the VPC and come back in through the internet gateway.

For the third scenario, you would need a NAT Gateway in the public subnet. This is because resources in private subnets don't have direct internet access. The NAT Gateway would allow service A to initiate outbound connections to the internet, and the traffic would appear to come from the NAT Gateway's Elastic IP address. You would then need to whitelist this Elastic IP in the ALB's security group.

The NAT Gateway is necessary in this case because even though all resources are in the same VPC, accessing the ALB's public endpoint requires internet connectivity, which private subnets don't have by default. The NAT Gateway translates the private IP address of service A to a public Elastic IP, allowing it to communicate with internet-facing resources.

However, for communication between services within the same VPC, the recommended approach is to use private IP addresses or internal ALBs rather than routing traffic through the internet.
Sources
how to provide static ip address for external system to whitelist my ec2 in private subnet ip address in aws? | AWS re:Post
NAT gateway connection in Local Zones - AWS Local Zones

answered 10 months ago
EXPERT
reviewed 2 months ago
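The answer's central point is that the security group on an internet-facing ALB never evaluates service A's private address: for a private-subnet caller the source it sees is the NAT gateway's Elastic IP, and a `10.x.x.x/32` ingress rule on that ALB can never match. The following script is an added example, not from the original post or from AWS, that models this as an audit: given the caller's subnet routing, the ALB scheme and the ALB security group's ingress CIDRs, it reports the effective source address, whether a rule matches it, and which rules are dead weight. All addresses (10.0.1.0/24, 203.0.113.10, 198.51.100.0/24), the `Subnet`/`Alb` data classes and the `audit` function are constructed for the example; real lookups would come from `describe-route-tables` and `describe-security-groups`.

```python
"""Audit which source address an ALB security group actually evaluates.

Added example (assumed model, not AWS code): the routing decision in the
answer above, expressed as a small offline check.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address ranges that can appear as private VPC CIDRs (RFC 1918 plus the
# RFC 6598 shared range AWS also accepts). Deliberately not
# ipaddress.is_private, which would also flag TEST-NET documentation ranges.
_VPC_PRIVATE = [ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Subnet:
    cidr: str
    default_route: Optional[str]  # target of 0.0.0.0/0: "igw", "nat", or None


@dataclass
class Alb:
    scheme: str               # "internet-facing" or "internal"
    ingress_cidrs: List[str]  # CIDR entries on the ALB's security group


def effective_source(caller_ip: str, subnet: Subnet, alb: Alb,
                     nat_eip: Optional[str] = None,
                     caller_public_ip: Optional[str] = None) -> Optional[str]:
    """Source address the ALB's security group sees, or None if unreachable."""
    if alb.scheme == "internal":
        # Internal ALB resolves to private VPC addresses: traffic never leaves
        # the VPC and the caller's private IP is preserved.
        return caller_ip
    if alb.scheme != "internet-facing":
        raise ValueError(f"unknown ALB scheme {alb.scheme!r}")
    # Internet-facing ALB resolves to public addresses, so the caller needs a
    # path to the internet gateway, directly or through a NAT gateway.
    if subnet.default_route == "nat":
        if nat_eip is None:
            raise ValueError("subnet routes via NAT but no NAT Elastic IP given")
        return nat_eip                   # source is translated to the NAT EIP
    if subnet.default_route == "igw":
        return caller_public_ip          # None if the instance has no public IP
    return None                          # no default route: nothing to reach


def matching_rules(source: str, cidrs: List[str]) -> List[str]:
    """Ingress CIDRs that contain the given source address."""
    addr = ipaddress.ip_address(source)
    return [c for c in cidrs if addr in ipaddress.ip_network(c, strict=False)]


def ineffective_rules(alb: Alb) -> List[str]:
    """Private-range CIDRs on an internet-facing ALB can never match a source."""
    if alb.scheme != "internet-facing":
        return []
    return [c for c in alb.ingress_cidrs
            if any(ipaddress.ip_network(c, strict=False).overlaps(p)
                   for p in _VPC_PRIVATE)]


def audit(caller_ip: str, subnet: Subnet, alb: Alb,
          nat_eip: Optional[str] = None,
          caller_public_ip: Optional[str] = None) -> Dict[str, object]:
    """Summarise reachability and rule matching for one caller/ALB pair."""
    source = effective_source(caller_ip, subnet, alb, nat_eip, caller_public_ip)
    matched = matching_rules(source, alb.ingress_cidrs) if source else []
    return {
        "reachable": source is not None,
        "source": source,
        "matched": matched,
        "allowed": bool(matched),
        "ineffective": ineffective_rules(alb),
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the question: service A in a private
    # subnet that routes 0.0.0.0/0 to a NAT gateway with EIP 203.0.113.10.
    service_a = "10.0.1.10"
    private_subnet_1 = Subnet("10.0.1.0/24", "nat")
    nat_eip = "203.0.113.10"

    # The naive fix: whitelist service A's private IP on the public ALB.
    naive = Alb("internet-facing", ["10.0.1.10/32", "198.51.100.0/24"])
    print("naive:", audit(service_a, private_subnet_1, naive, nat_eip))

    # Whitelisting the NAT gateway's EIP instead makes the call succeed.
    fixed = Alb("internet-facing", ["203.0.113.10/32", "198.51.100.0/24"])
    print("fixed:", audit(service_a, private_subnet_1, fixed, nat_eip))

    # The answer's recommended path: an internal ALB, no NAT needed.
    internal = Alb("internal", ["10.0.1.0/24"])
    print("internal:", audit(service_a, private_subnet_1, internal))
```

Two caveats worth keeping in mind when reading the output. Whitelisting the NAT gateway's Elastic IP grants access to every host that egresses through that NAT gateway, not just service A, because the translation discards the original source; the security-group-reference trick (allow traffic from service A's security group rather than from a CIDR) only works on an internal ALB, where the source ENI is still visible. And the model assumes the ALB restriction lives in its security group; if the allow list is implemented elsewhere, for example in AWS WAF, the same source-address reasoning applies but the rule objects differ.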
