How to use Internal ALB with Cognito?

0

I have a private application accessible only inside the corporate network hosted on an internal ALB. I would like to use Cognito to create a login page for the application. The VPC is connected to the corporate network via Direct Connect and everything on the app works, but the VPC itself does not have an internet gateway/NAT gateway. When I implemented Cognito native auth via the ALB listener, I was able to see the login page and log in to it as well using the username/password I created in the user pool. But once the auth was successful, it gave me a "500 Internal Server Error". I went through some documentation and I believe maybe it is happening because:

The load balancer must be able to communicate with the IdP token endpoint (TokenEndpoint) and the IdP user info endpoint (UserInfoEndpoint). Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable the load balancer to access these endpoints. For more information, see NAT gateway basics in the Amazon VPC User Guide. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html?icmpid=docs_elbv2_console

I cannot create a NAT/internet gateway in the VPC, however internet can be accessed via corporate proxy from VPC using an interface endpoint for the corporate proxy. I am surprised AWS does not offer Cognito VPC endpoint to keep the auth mechanism within private network.

Can someone please tell me how I can use Cognito with an internal ALB to create a login page for the internal app?

1 Answer
0

Unfortunately there is no private pathway to Cognito currently. Normally you would use something like VPC PrivateLink to keep the access on the AWS network, however PrivateLink doesn't integrate with Cognito (as you said).

However, when you think about it, a web application authorisation/authentication service like Cognito is designed to be available to all users of a public website to authenticate against.

If I'm reading your question correctly, then you are using the Cognito hosted login page. The fact that you are reaching the login page indicates that you have 443 access to Cognito service. I would suspect that your corporate internet access is blocking the redirection to the Cognito endpoints or some other network related issue such as the corporate proxy terminating SSL.

A workaround would be to set up a PrivateLink endpoint to API Gateway and use API Gateway to proxy calls to the Cognito endpoints.

answered 8 months ago
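The documentation quoted in the question lists two things to verify: that the ALB's subnets have a path to the Cognito TokenEndpoint/UserInfoEndpoint (NAT or internet gateway) and that the security group allows outbound 443. The following is an added offline check, not code from the question, the answer or AWS; its input dicts follow the shape of EC2 describe-route-tables / describe-security-groups responses, and the sample data (subnet, gateway and group IDs) is constructed to mirror the asker's setup: a Direct Connect route but no NAT.

```python
"""Check the two ALB-side network preconditions for Cognito auth."""

def _default_target(rt):
    """Return the target of an active 0.0.0.0/0 route in a route table, or None."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r.get("NatGatewayId") or r.get("GatewayId") or "unknown"
    return None

def subnet_default_route(route_tables, subnet_id):
    """Default-route target for subnet_id; falls back to the VPC main table as EC2 does."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("Main"):
                main = rt
            if assoc.get("SubnetId") == subnet_id:
                return _default_target(rt)
    return _default_target(main) if main else None

def allows_https_egress(sg):
    """True if the security group permits outbound TCP/443 to 0.0.0.0/0."""
    for p in sg["IpPermissionsEgress"]:
        all_traffic = p["IpProtocol"] == "-1"
        proto_ok = all_traffic or p["IpProtocol"] == "tcp"
        port_ok = all_traffic or p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535)
        cidr_ok = any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
        if proto_ok and port_ok and cidr_ok:
            return True
    return False

def diagnose(route_tables, sgs, alb_subnets):
    """Collect findings that would explain a 500 right after a successful Cognito login."""
    findings = []
    for s in alb_subnets:
        tgt = subnet_default_route(route_tables, s)
        if tgt is None:
            findings.append(f"{s}: no 0.0.0.0/0 route; ALB cannot reach TokenEndpoint/UserInfoEndpoint")
        elif not tgt.startswith(("nat-", "igw-")):
            findings.append(f"{s}: default route via {tgt}, not a NAT/internet gateway")
    for sg in sgs:
        if not allows_https_egress(sg):
            findings.append(f"{sg['GroupId']}: no egress rule for TCP/443")
    return findings

# Constructed sample (hypothetical IDs): ALB subnet with only local + Direct Connect routes.
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-alb1"}],
                 "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "10.200.0.0/16", "GatewayId": "vgw-corp", "State": "active"}]}]
SGS = [{"GroupId": "sg-alb", "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

if __name__ == "__main__":
    for f in diagnose(ROUTE_TABLES, SGS, ["subnet-alb1"]):
        print("FINDING:", f)
```

Feed it the real `RouteTables` and `SecurityGroups` lists from the corresponding EC2 API calls for the ALB's subnets to confirm the missing-NAT hypothesis before changing the design.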
