- Newest
- Most votes
- Most comments
Do you mean to allow access to the ALB without going through Global Accelerator?
If yes, then you need to allow 0.0.0.0.0/0 on ports 443 and 80 that ALB is listening on.
As a side note, if you only want to allow connections via Global Accelerator, you can also set the security group created by Global Accelerator as the source. Furthermore, there is no need for ALB to be Public.
https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html
https://docs.aws.amazon.com/global-accelerator/latest/dg/best-practices-aga.html
In addition to what Shibata explained above, If EC2 is behind the ALB and the agent on EC2 sends the log to Splunk over Internet, then keeping this EC2 in a private subnet the traffic can make an exit using NAT GW to the Internet. This way you will have a static Public IP address from the AWS end which you can securely allow at Splunk side and keep this communication only within the intended source and destination.
Hope these responses to your query are helpful so far. :)
the alb isn't behind an ec2. The alb is simply used for redirects has no backend config. A lambda wraps the CW logs as a Splunk HEC Event in json and its sent to Splunk cloud via kinesis firehouse
Relevant content
- asked 9 months ago
- asked 6 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
In fact, I would contend that best practice is to NOT make the ALB public...
Thank you for your response and I used the global accelerator ip as the source and it directs traffic as intended but I did this on the console manually once I had deployed the infrastructure using terraform. How can I add the global accelerator sg itself to my ALB security group rule using terraform?
@Max Clements I need the alb to send logs over the internet to splunk cloud. That’s why I taught to build in public subnet. The alb is only used for redirecting traffic with listener rules configured to perform the redirection
There is no smart way as far as I know.
The way that probably works is to use the fact that the name of the Global Accelerator's SG is currently fixed to
GlobalAccelerator
.After creating the Global Accelerator, use the SG data source to search for the SG name
GlobalAccelerator
to get its ID.I have never used Splunk, so I may be giving the wrong advice, but does the ALB send logs directly to Splunk?
I don't think ALB has such a function, so for example, does EC2 use an Agent to send logs? If yes, ALB could work privately.
@shibata. ALB doesn't send logs directly im storing the alb access logs in an s3 bucket and invoking a lambda to send the logs from the s3 to cloudwatch log group and following this documentation in other to get the logs to splunk https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-ingest-any-log-from-aws-cloudwatch-logs-via-firehose.html