Maintenance Page for ALB with IP bypass for internal access

0

Hi all, I have many ALBs and I would like to implement an automation script to put a custom maintenance page on and off on a single ALB when needed.

I tried adding a custom rule in the listener with priority 1 and forwarding the traffic to a target group where there is an EC2 with my maintenance page; anyway, I am not able to create a rule to skip/bypass our public IPs used by the developers team to test before disabling the maintenance page.

The problem is also that I have many ALBs with more than one rule, and it is not possible to handle it via the rules and priorities of the listener.

Do you have any idea how to achieve this result? Any suggestions or best practices based on your experience about maintenance or courtesy page management on a high layer like the AWS ALB?

I also see the Route53 IP-based policy (actually it allows from /24 CIDR) and the WAF rules policy (applied on all the ALBs; not sure if it is possible to handle them singly with the same policy using some criteria like Host domain).

2 Answers
1

I have used in the past a couple of ways.

A) Create an internal ALB and a private hosted zone so that internal users never see the maintenance screen because it's on a different ALB.

B) Place your maintenance rule say in position 5 and then create rules 1-4 which are based on source IPs that send traffic to the underlying target group. All other traffic defaults to rule 5.

C) In your ALB rule, allow traffic which contains custom HTTP headers. Devs would need to inject the header, which is similar to option B. You'd need a Chrome plugin to do this.

To script it you can use multiple means: CLI, IaC, Python or AWS Step Functions to automate this.

EXPERT
answered 5 months ago
  • Thanks for sharing, Gary. Solution A I considered, but I have to keep many other ALBs for internal purposes only and I don't think it will be simple to manage; instead, solutions B and C look like a good way. I just have to be sure my ALBs do not have rules with priority from 1 to 5, for example, so I can handle the bypass rules.

0

Funnily enough, I am having the same conversation again today. I have an option D I have not tested yet.

Use WAF to inject a header based on source IP/request host.

On your ALB, have a rule that looks for that header and bypasses the maintenance screen. https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-incoming-request.html

If any of these answers are useful, please be sure to accept to help me and others. Gary

EXPERT
answered 5 months ago
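Added example (not code from either answer above) showing how options B, C and D fit together as a script: bypass rules keyed on source IP and on a shared-secret header are created at the lowest listener priorities, the maintenance catch-all goes right below them, and any pre-existing rules are renumbered upward first so none of them is evaluated before the maintenance rule (which is the multi-rule problem the question raises). It makes no AWS calls: each function returns the kwargs you would hand to the boto3 `ElasticLoadBalancingv2` client (`create_rule`, `set_rule_priorities`, `delete_rule`) or the WAFV2 rule document for option D, so the plan can be reviewed or unit-tested first. The ARNs, CIDR, header name, token and the `maintenance-window` tag are constructed placeholders.

```python
"""Plan ALB listener changes for a maintenance window with an IP/header bypass.

Added example mirroring options B, C and D (not code from the answers).
No AWS calls are made; each function returns boto3 kwargs / a WAF rule document.
"""
import ipaddress

# AWS WAF prepends this to every custom header it inserts into a request,
# so the ALB rule has to match the prefixed name, not the one configured in WAF.
WAF_HEADER_PREFIX = "x-amzn-waf-"
# Constructed tag: lets the "off" script find only rules the "on" script created.
MAINT_TAG = {"Key": "maintenance-window", "Value": "true"}
MAX_PRIORITY = 50000


def source_ip_condition(cidrs):
    """Option B: match the TCP source address of the connection (not X-Forwarded-For)."""
    # strict=True rejects host bits, so a typo such as 203.0.113.5/24 fails loudly
    values = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    return {"Field": "source-ip", "SourceIpConfig": {"Values": values}}


def header_condition(name, token):
    """Option C/D: match a shared-secret header value."""
    return {"Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": name, "Values": [token]}}


def waf_bypass_rule(ip_set_arn, header_name, token, priority=0):
    """Option D: WAF rule that tags requests from a trusted IP set with the bypass header."""
    return {
        "Name": "maintenance-bypass", "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Allow": {"CustomRequestHandling": {
            "InsertHeaders": [{"Name": header_name, "Value": token}]}}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "maintenance-bypass"},
    }


def plan_enable(listener_arn, existing_rules, app_tg_arn, maint_tg_arn,
                bypass_cidrs, bypass_header=None, waf_inserted=False):
    """Return {'set_rule_priorities': kwargs or None, 'create_rule': [kwargs, ...]}.

    The maintenance catch-all must sit below the bypass rules but above every
    pre-existing rule; otherwise an existing host/path rule keeps routing real
    users to the app. If the listener already uses the low priorities, the
    existing rules are shifted up by the number of slots we need.
    """
    conditions = [source_ip_condition(bypass_cidrs)]
    if bypass_header:
        name, token = bypass_header
        if waf_inserted:  # the ALB sees the WAF-prefixed name, not the raw one
            name = WAF_HEADER_PREFIX + name
        conditions.append(header_condition(name, token))
    needed = len(conditions) + 1  # one rule per bypass condition + the catch-all

    numbered = [r for r in existing_rules if r["Priority"] != "default"]
    shift = None
    if numbered and min(int(r["Priority"]) for r in numbered) <= needed:
        moved = [{"RuleArn": r["RuleArn"], "Priority": int(r["Priority"]) + needed}
                 for r in numbered]
        if max(m["Priority"] for m in moved) > MAX_PRIORITY:
            raise ValueError("no headroom to renumber existing rules")
        shift = {"RulePriorities": moved}

    forward_app = [{"Type": "forward", "TargetGroupArn": app_tg_arn}]
    creates = [{"ListenerArn": listener_arn, "Priority": i + 1, "Conditions": [cond],
                "Actions": forward_app, "Tags": [MAINT_TAG]}
               for i, cond in enumerate(conditions)]
    creates.append({"ListenerArn": listener_arn, "Priority": needed,
                    "Conditions": [{"Field": "path-pattern",
                                    "PathPatternConfig": {"Values": ["/*"]}}],
                    "Actions": [{"Type": "forward", "TargetGroupArn": maint_tg_arn}],
                    "Tags": [MAINT_TAG]})
    return {"set_rule_priorities": shift, "create_rule": creates}


def plan_disable(rule_tags):
    """Given a {rule_arn: [tags]} map built from describe_tags, return delete_rule kwargs."""
    return [{"RuleArn": arn} for arn, tags in rule_tags.items() if MAINT_TAG in tags]
```

Two checks worth doing before relying on this in production: the `source-ip` condition matches the address the ALB sees on the connection, so developers behind a NAT or proxy match on the NAT's address and anything fronted by CloudFront matches CloudFront, not the client; and for option D, confirm from a non-trusted address that sending the prefixed header yourself does not unlock the app, since the bypass is only as strong as WAF's control over that header.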
