Global accelerator with alb endpoint

0

I'm setting up an infrastructure that uses AWS Global Accelerator to provide static IPs for my Application Load Balancer (ALB), which handles URL redirections. I aim to follow the principle of least privilege. I'm currently debating whether to open my ALB to all traffic on ports 443 and 80 by allowing the IP range 0.0.0.0, or should I restrict it only to the IP ranges associated with Global Accelerator? Considering the ALB must be accessible by users worldwide, which approach would be best? Any insights or feedback would be greatly appreciated.

2 Answers
0

Do you mean to allow access to the ALB without going through Global Accelerator?

If yes, then you need to allow 0.0.0.0/0 on ports 443 and 80 that the ALB is listening on.

As a side note, if you only want to allow connections via Global Accelerator, you can also set the security group created by Global Accelerator as the source. Furthermore, there is no need for the ALB to be public.

https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html

https://docs.aws.amazon.com/global-accelerator/latest/dg/best-practices-aga.html

EXPERT
shibata
answered 5 months ago
AWS
EXPERT
reviewed 5 months ago
  • In fact, I would contend that best practice is to NOT make the ALB public...

  • Thank you for your response. I used the Global Accelerator IP as the source and it directs traffic as intended, but I did this manually in the console once I had deployed the infrastructure using Terraform. How can I add the Global Accelerator SG itself to my ALB security group rule using Terraform?

  • @Max Clements I need the ALB to send logs over the internet to Splunk Cloud. That's why I thought to build it in a public subnet. The ALB is only used for redirecting traffic, with listener rules configured to perform the redirection.

  • There is no smart way as far as I know.

    The way that probably works is to use the fact that the name of the Global Accelerator's SG is currently fixed to GlobalAccelerator.

    After creating the Global Accelerator, use the SG data source to search for the SG name GlobalAccelerator to get its ID.

    I have never used Splunk, so I may be giving the wrong advice, but does the ALB send logs directly to Splunk?

    I don't think the ALB has such a function, so for example, does EC2 use an agent to send logs? If yes, the ALB could work privately.

  • @shibata The ALB doesn't send logs directly. I'm storing the ALB access logs in an S3 bucket and invoking a Lambda to send the logs from S3 to a CloudWatch log group, and following this documentation in order to get the logs to Splunk: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-ingest-any-log-from-aws-cloudwatch-logs-via-firehose.html
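One way to express the lookup shibata describes in Terraform (an added example, not code from the thread or from AWS). It assumes a variable `vpc_id`, that the accelerator's endpoint group is declared elsewhere as `aws_globalaccelerator_endpoint_group.alb`, and that the Global Accelerator security group is named `GlobalAccelerator`, as stated in the comment above:

```hcl
# Assumptions (not from the thread): var.vpc_id holds the VPC ID, and the
# accelerator's endpoint group is declared elsewhere as
# aws_globalaccelerator_endpoint_group.alb. The SG name "GlobalAccelerator"
# is the fixed name mentioned in the answer; re-check it if the lookup fails.

# The Global Accelerator SG only exists once an endpoint has been added to an
# endpoint group, so the lookup must be deferred until that resource exists.
data "aws_security_group" "global_accelerator" {
  name       = "GlobalAccelerator"
  vpc_id     = var.vpc_id
  depends_on = [aws_globalaccelerator_endpoint_group.alb]
}

# Security group attached to the redirect-only ALB. No inline rules here;
# each rule is its own resource so there is no drift between console and code.
resource "aws_security_group" "alb" {
  name        = "alb-redirect-sg"
  description = "ALB reachable only via Global Accelerator"
  vpc_id      = var.vpc_id
}

# Allow 80 and 443 only from the Global Accelerator SG, instead of 0.0.0.0/0.
# The source is a security-group reference, so the rule keeps working even if
# the accelerator's underlying IP ranges change.
resource "aws_vpc_security_group_ingress_rule" "alb_from_aga" {
  for_each                     = { http = 80, https = 443 }
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = data.aws_security_group.global_accelerator.id
  ip_protocol                  = "tcp"
  from_port                    = each.value
  to_port                      = each.value
  description                  = "${upper(each.key)} from Global Accelerator only"
}
```

Because the data source carries `depends_on`, Terraform reads it during apply rather than plan, which is expected here; with these rules in place the ALB itself can be created with `internal = true`, matching the advice above that it need not be public.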

0

In addition to what Shibata explained above, if EC2 is behind the ALB and the agent on EC2 sends the logs to Splunk over the Internet, then by keeping this EC2 in a private subnet the traffic can exit to the Internet via a NAT GW. This way you will have a static public IP address on the AWS end, which you can securely allow on the Splunk side and keep this communication only between the intended source and destination.

Hope these responses to your query are helpful so far. :)

answered 5 months ago
