By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

ALB security group with cloudFront origin-facing prefix list ingress setting blocks target group health check for eks fargate

0

I'm trying to secure an Application Load Balancer (ALB) behind CloudFront, following this AWS official documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html#limit-access-to-origin-using-aws-managed-prefixes

According to the guide, I've configured my ALB's security group to only allow inbound traffic from the CloudFront origin-facing prefix list. However, once this is applied:

  • The ALB starts marking all targets as unhealthy (health checks fail, timesout).

  • My pods running in EKS Fargate no longer receive health check access logs (which they do when this restriction is removed).

This seems to imply that outbound traffic from the ALB to the targets (pods) is somehow blocked or broken when restricting ingress via prefix list.

Here’s what I’ve tried so far:

Added ingress rule to the ALB security group:

  • Allow from the CloudFront origin-facing prefix (port 443)

  • Allow from the VPC CIDR block (port 0), assuming ALB ENIs communicate internally

Unrestricted egress from the ALB security group

Despite these changes, ALB health checks still fail with timesout, and the pods do not log the incoming health check requests.

Question: What is the correct security group configuration (for ALB and/or Fargate) to both:

Enforce CloudFront-only access to the ALB, according to the doc

Allow ALB to perform health checks on EKS pods

Ensure pods can still log incoming requests from the ALB?

Any help would be appreciated — especially if this requires a different approach than the managed prefix list.

Topics
ContainersNetworking & Content Delivery
Tags
Amazon Elastic Kubernetes ServiceApplication Load BalancerSecurity Group
Language
English
profile picture
ccedil
asked 15 days ago45 views
1 Answer
5
Accepted Answer

Please take the following approach:

  1. Application Load Balancer (ALB) Security Group Configuration • Ingress Restriction for Public Traffic: Restrict inbound traffic to the ALB’s security group by allowing only HTTPS (or the specified application port) connections originating from the CloudFront origin-facing prefix list. This configuration ensures that all user requests from the internet are routed through CloudFront before reaching the ALB. • Outbound Settings: Maintain unrestricted outbound rules in the ALB’s security group, or explicitly allow traffic to the target groups. This ensures that the ALB can forward incoming end-user requests and health check probes to the backend targets without interruption.
  2. EKS Fargate Targets Security Group Configuration • Allow Health Check Traffic from the ALB: Modify the security group associated with your EKS Fargate targets to permit inbound traffic on the designated health check port(s) (e.g., 80 or 443) from the ALB’s security group. To achieve this, specify the ALB’s security group as the source for these inbound rules.

• Type: Ingress • Protocol: TCP • Port: (Configured health check port, e.g., 80 or 443) • Source: [Security group assigned to the ALB]

EXPERT
Kidd Ip
answered 15 days ago
  • ccedil
    14 days ago

    WOW! it works!! thank you!!!!!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content