I have used in the past a couple of ways.
A) Create internal ALB and a private hosted zone so that internal users never see the maintenance screen because it’s on a different alb.
B) Place your maintenance rule say in position 5 and then create rules 1-4 which are based on source IPs that send traffic to the underlying target group. All other traffic defaults to rule 5.
C) In your ALB rule, allow traffic that contains custom HTTP headers. Devs would need to inject the header, which is similar to option B. You’d need a Chrome plugin to do this.
To script it you can use multiple means: CLI, IaC, Python or AWS Step Functions to automate this.
Funnily enough, I'm having the same conversation again today. I have an option D I have not tested yet.
Use WAF to inject a header based on source IP/request host.
On your ALB, have a rule that looks for that header and bypass the maintenance screen. https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-incoming-request.html
If any of these answers are useful, please be sure to accept to help me and others. Gary
Thanks for sharing Gary. Solution A I considered, but I have to keep many other ALBs for internal purposes only and I don't think it will be simple to manage; instead, solutions B and C look like a good way. I just have to be sure my ALBs do not have rules with priorities from 1 to 5, for example, so I can handle the bypass rules.
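A way to script options B and C from Gary's answer, including a check for the rule-priority concern raised in the reply above, as an added example that is not part of the thread. The target group ARN, header name and CIDRs are assumed placeholders; the rule dictionaries use the input shape of boto3's `create_rule` / `aws elbv2 create-rule`, and the existing-rules sample is constructed.

```python
"""Plan ALB listener rules so allow-listed source IPs and a bypass header skip a maintenance page.
Added example; rule dictionaries use the boto3 / aws elbv2 create-rule input shape."""
import ipaddress

MAINTENANCE_PRIORITY = 5  # assumption: maintenance rule at 5, bypass rules must be evaluated before it

def bypass_rules(target_group_arn, allowed_cidrs, header_name, header_value, first_priority=1):
    """Forward allow-listed CIDRs (option B) and requests carrying the header (option C) to the real targets."""
    rules = []
    for offset, cidr in enumerate(allowed_cidrs):
        ipaddress.ip_network(cidr)  # fail early on malformed CIDRs (host bits set is rejected too)
        rules.append({
            "Priority": first_priority + offset,
            # ALB matches the TCP source address, not X-Forwarded-For: behind a proxy or CDN the proxy IP is seen
            "Conditions": [{"Field": "source-ip", "SourceIpConfig": {"Values": [cidr]}}],
            "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
        })
    rules.append({
        "Priority": first_priority + len(allowed_cidrs),
        # the header value is a shared secret: generate it randomly and retire it after the maintenance window
        "Conditions": [{"Field": "http-header",
                        "HttpHeaderConfig": {"HttpHeaderName": header_name, "Values": [header_value]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    })
    return rules

def maintenance_rule(priority=MAINTENANCE_PRIORITY):
    """Catch-all rule returning a fixed 503 page; anything no bypass rule matched lands here."""
    return {
        "Priority": priority,
        "Conditions": [{"Field": "path-pattern", "PathPatternConfig": {"Values": ["/*"]}}],
        "Actions": [{"Type": "fixed-response", "FixedResponseConfig": {
            "StatusCode": "503", "ContentType": "text/html", "MessageBody": "<h1>Down for maintenance</h1>"}}],
    }

def check_plan(existing_rules, new_rules, maintenance_priority=MAINTENANCE_PRIORITY):
    """Report priorities already taken on the listener (describe-rules output, priorities are strings)
    and bypass rules ordered after the maintenance rule, which would never match."""
    taken = {int(r["Priority"]) for r in existing_rules if r["Priority"] != "default"}
    problems = []
    for rule in new_rules:
        p = rule["Priority"]
        if p in taken:
            problems.append(f"priority {p} already used on listener")
        if rule["Actions"][0]["Type"] == "forward" and p >= maintenance_priority:
            problems.append(f"bypass rule at priority {p} is shadowed by maintenance rule {maintenance_priority}")
    return problems

# constructed sample of describe-rules output: the listener already has a rule at priority 2
EXISTING = [{"Priority": "2", "Conditions": [], "Actions": []},
            {"Priority": "default", "Conditions": [], "Actions": []}]
```

Run `check_plan` against the live `describe-rules` output before calling `create-rule`, and move `first_priority` (or the maintenance priority) until it returns an empty list.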