How to connect to an internet-facing Application Load Balancer using its internal IP addresses


How can I connect to an internet-facing Application Load Balancer using its internal IP addresses?

Situation:

  • Multi-Account Setup using a centralized Network Account
  • Within the Network Account, there is an internet-facing Application Load Balancer used for our IdP / PingFederate
  • Applications hosted in AWS should connect to IdP / Application Load Balancer using its internal IP addresses

Issue:

  • I am not able to find a comfortable way to resolve the internal IP addresses of the internet-facing Application Load Balancer

What I tested:

  1. Utilized the Route53 "Default .2 Resolver" -> Issue: it resolved only to the public IPs of the ALB
  2. Created a Private Hosted Zone with my IdP's URL and created an A record alias to my ALB -> Issue: again, it resolved only to the public IPs of the ALB
  3. Created a Private Hosted Zone with my IdP's URL and created an A record with the internal IPs of the ALB's ENIs -> Issue: the internal IP addresses of an ALB may change, hence this is a setup where I need additional coding (e.g. running a Lambda every few minutes to update my PHZ entries)

Looking for any input that may help.

1 Answer
Accepted Answer

You can create an internal NLB and configure the ALB as the target; the NLB would give you static IPs:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html

AWS (EXPERT), answered 10 days ago
  • Are there any other recommendations that do not lead to the additional cost of 1 * NLB per stage?

  • Quick update: We are now using this solution. Background: we use an NLB in our setup anyway to have static IPs for the on-prem firewall. Now we have two communication flows. A) Internet -> ALB -> NLB (Port 444) -> On-Prem IdP; B) AWS resource -> NLB (Port 443) -> ALB -> same NLB (Port 444) -> On-Prem IdP. We utilize a Route53 Private Hosted Zone to resolve the IdP domain to the NLB internal IPs. Thanks Thushar!
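The accepted answer and the follow-up comment describe the pattern in words: put an internal NLB (static private IPs) in front of the existing internet-facing ALB, then point a Route 53 Private Hosted Zone record at the NLB instead of at the ALB's changing ENI addresses. The CloudFormation template below is an added example of that wiring and is not code from the re:Post thread or from AWS documentation. It assumes an existing ALB whose ARN is passed in as a parameter, private subnets in the same VPC as that ALB (an ALB target must live in the NLB target group's VPC), and a constructed placeholder name `idp.example.internal` for the IdP hostname; the resource names (`InternalNlb`, `AlbTargetGroup`, `IdpAliasRecord`, and so on) are arbitrary labels chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the re:Post thread): an internal NLB with static
  private IPs in front of an existing internet-facing ALB, plus a Route 53
  private hosted zone whose A record aliases the NLB. Internal clients
  resolve the IdP name to the NLB's private addresses only.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC that holds the existing ALB (assumption: same VPC for NLB)
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets that receive the NLB's static private IPs
  ExistingAlbArn:
    Type: String
    Description: ARN of the existing internet-facing ALB (placeholder, supply your own)
  IdpDomainName:
    Type: String
    Default: idp.example.internal   # constructed placeholder hostname

Resources:
  # Internal NLB: its private IPs stay fixed for the life of the load balancer,
  # which is what the ALB's ENI addresses do not guarantee.
  InternalNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds

  # Target group of type "alb": the NLB forwards TCP/443 to the ALB's own
  # HTTPS listener. ALB-type target groups require an HTTP or HTTPS health check.
  AlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: alb
      Protocol: TCP
      Port: 443
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /
      Targets:
        - Id: !Ref ExistingAlbArn
          Port: 443

  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref InternalNlb
      Port: 443
      Protocol: TCP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AlbTargetGroup

  # Private hosted zone for the IdP name, associated with the VPC. Workload
  # VPCs in other accounts must be associated separately (cross-account
  # association is authorized from the zone-owning account).
  PrivateZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref IdpDomainName
      VPCs:
        - VPCId: !Ref VpcId
          VPCRegion: !Ref AWS::Region

  # Alias record: resolves the IdP name to the NLB inside the VPC, while the
  # public zone keeps resolving the same name to the ALB's public IPs.
  IdpAliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref PrivateZone
      Name: !Ref IdpDomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt InternalNlb.DNSName
        HostedZoneId: !GetAtt InternalNlb.CanonicalHostedZoneID
        EvaluateTargetHealth: true

Outputs:
  InternalNlbDnsName:
    Value: !GetAtt InternalNlb.DNSName
```

Two checks worth doing after deployment: from an instance in an associated VPC, resolve the IdP name (for example with `dig idp.example.internal` against the VPC's `.2` resolver) and confirm the answers are RFC 1918 addresses rather than the ALB's public IPs; and review the ALB's security group, because an NLB with an ALB target preserves the client IP, so the ALB must accept traffic from the internal client ranges, and that rule should be scoped to those ranges rather than widened to everything.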
