Restrict access to application behind ALB


We are searching for an appropriate VPN implementation to provide access to applications behind an Application Load Balancer (ALB) only for our internal team. We are using an internet-facing ALB which exposes several applications, like a backend API (for a CloudFront distribution) and others based on EC2 instances. We have already implemented Client VPN with routing via a NAT gateway with an Elastic IP address, and we filter with ALB rules based on Host path (DNS provider: the DNS records of the applications point to the ALB) and IP address (the Elastic IP address of the NAT GW). This means that our developers establish a connection with Client VPN, which has a static outbound IP address. When they try to access the applications, the ALB checks the Host path and IP address, then proceeds with the requests. It works correctly in full-tunnel mode but not with split-tunnel. Is there a solution or additional configuration we have to set up to be able to use split-tunnel?

1 Answer

ALB and CloudFront IP addresses are dynamic and can change. The IP address ranges are documented here (ALB IPs fall under EC2). You could add the routes for the services to the split-tunnel route table. I would recommend creating a private ALB to access the services so that you can control the range of IP addresses.

AWS
answered a year ago
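The reason the setup breaks in split-tunnel mode is that Client VPN then pushes only the routes in the endpoint's route table to the client; traffic to the internet-facing ALB's public addresses leaves through the developer's own internet connection and reaches the ALB from a source IP that is not the NAT gateway's Elastic IP, so the IP-address rule rejects it. The script below is an added example (not code from the thread or from AWS) of the route-based workaround the answer mentions: it reads the structure of the published ip-ranges.json, picks the EC2 prefixes for the ALB's region (plus CLOUDFRONT if the distribution must also be reached through the tunnel), collapses adjacent prefixes, and renders the two AWS CLI calls each destination needs on a split-tunnel endpoint (a route and an authorization rule). The JSON excerpt, the region, and the endpoint and subnet IDs are constructed placeholders.

```python
"""Generate split-tunnel Client VPN routes for AWS service prefixes.

Added example, not part of the original question or answer. It models the
shape of https://ip-ranges.amazonaws.com/ip-ranges.json with a constructed
excerpt and emits AWS CLI commands as strings; nothing is executed here.
"""
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737), not real AWS prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "eu-west-1", "service": "EC2",        "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "EC2",        "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24",   "region": "eu-west-1", "service": "AMAZON",     "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24",  "region": "us-east-1", "service": "EC2",        "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24",     "region": "GLOBAL",    "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/26",     "region": "GLOBAL",    "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
})

# Default "routes per Client VPN endpoint" quota (adjustable through Service Quotas).
DEFAULT_ROUTE_QUOTA = 10


def select_prefixes(ip_ranges_json, wanted):
    """Return collapsed IPv4 networks for the (service, region) pairs in `wanted`.

    ALB addresses are published under service "EC2" for the ALB's region;
    CloudFront edges are published under service "CLOUDFRONT", region "GLOBAL".
    Overlapping or adjacent prefixes are merged so fewer routes are needed.
    """
    data = json.loads(ip_ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if (p["service"], p["region"]) in wanted
    ]
    return sorted(ipaddress.collapse_addresses(nets))


def route_budget_ok(networks, existing_routes=0, quota=DEFAULT_ROUTE_QUOTA):
    """True if the new routes fit under the endpoint's route quota."""
    return existing_routes + len(networks) <= quota


def render_cli(endpoint_id, subnet_id, networks):
    """Render the AWS CLI calls for each destination.

    On a split-tunnel endpoint a destination needs both a route (so the client
    sends the traffic into the tunnel, out via the target subnet and its NAT
    gateway) and an authorization rule (so the endpoint permits it).
    """
    cmds = []
    for net in networks:
        cidr = str(net)
        cmds.append(
            f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
            f"--destination-cidr-block {cidr} --target-vpc-subnet-id {subnet_id}"
        )
        cmds.append(
            f"aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id {endpoint_id} "
            f"--target-network-cidr {cidr} --authorize-all-groups"
        )
    return cmds


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own endpoint, subnet and region.
    wanted = {("EC2", "eu-west-1"), ("CLOUDFRONT", "GLOBAL")}
    nets = select_prefixes(SAMPLE_IP_RANGES, wanted)
    if not route_budget_ok(nets):
        raise SystemExit(f"{len(nets)} routes exceed the default quota of {DEFAULT_ROUTE_QUOTA}")
    for cmd in render_cli("cvpn-endpoint-0123456789abcdef0", "subnet-0123456789abcdef0", nets):
        print(cmd)
```

Run against the real ip-ranges.json, the EC2 prefix list for a region is hundreds of entries even after collapsing, which is why the route quota check matters and why the answer's recommendation of an internal ALB inside a CIDR you control is the cleaner fix: a single VPC route then covers it, and the ALB is not reachable from the internet at all, so the source-IP allow rule is no longer the only thing keeping outsiders away. Whichever route set you use, re-run the script when the file's syncToken changes, because prefixes are added and removed over time.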
