Internal ALB connection to VPN


I currently have a web app that uses an Application Load Balancer for blue-green deployments to switch between the blue and green instances of my web server. Currently my application (through my external ALB) is open to the internet, but I would like to put it behind my VPN (using the Viscosity OpenVPN client). I am assuming that I will need to make it internal to do so.

Is the best way to do this to change my ALB from external to internal, create a Virtual Private Gateway, create a customer gateway representing my VPN client, and then create a Site-to-Site VPN connection using those resources? I'm wondering if this is the simplest and most cost-effective way to get my ALB web app behind the VPN, or if there is a simpler method that I'm missing. Any advice would be much appreciated, thanks!

(Note: My VPN is being hosted on a different EC2 instance in a separate VPC in my AWS account)

1 Answer

Accepted Answer

Your thoughts are correct and the steps you're describing are how you'd go about setting up a Site-to-Site VPN for your VPC.

What's the reason for using a VPN? Is it for private access to the rest of the VPC? I'm not saying "don't use a VPN" but the reasons for choosing this solution are not clear in the question and it is extra cost that you will have to pay.

AWS EXPERT, answered 24 days ago; reviewed by EXPERT 21 days ago
  • Our company has a production web app and a pre-production web app that run on separate EC2 instances. The prod app is exposed to the internet, while the pre-prod app is only accessible when on the VPN service we use. I am creating a third environment as a proof of concept to see if we can use an Application Load Balancer for our application, specifically to allow for easier blue-green deployment. I was asked to put this proof of concept behind the VPN service, just like our pre-prod service is. So I guess my larger question is: what is the best way to go about doing this? Because ALB public and internal IP addresses can change frequently, I've been told it's recommended to use the DNS name instead. So I'm wondering how I get this ALB-managed application to not be accessible anywhere but from my VPN. I would love to find a solution that doesn't incur all the cost of a Site-to-Site VPN, but I'm just unsure how to go about it. Hope that makes my use case more clear.

  • What you're doing for the private ALB/application is the right thing - accessing it over a VPN is the best way to keep it private. If it were me, I'd be hosting it in a separate VPC as well - that way it would be much harder to accidentally expose it publicly.
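As an added example (not code from the thread or from AWS), the Terraform below shows the configuration the answer describes: the ALB switched from internet-facing to internal, a security group that admits only the VPN client address range instead of 0.0.0.0/0, and the Virtual Private Gateway, customer gateway and Site-to-Site VPN connection. The VPC and subnet IDs, the client CIDR and the OpenVPN host's public IP are placeholders, and the client range is assumed not to be NATed by the OpenVPN host before it reaches the ALB.

```hcl
locals {
  vpc_id          = "vpc-PLACEHOLDER"
  private_subnets = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  vpn_client_cidr = "10.8.0.0/24"   # assumed OpenVPN client address pool
  vpn_public_ip   = "203.0.113.10"  # assumed public IP of the OpenVPN EC2 host
}
resource "aws_security_group" "alb_vpn_only" {
  name   = "alb-vpn-only"
  vpc_id = local.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpn_client_cidr]   # only the VPN range, never 0.0.0.0/0
  }
  egress {                                  # the ALB must still reach its targets
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# internal = true gives the ALB private IPs only; the "before" state was internal = false.
resource "aws_lb" "app" {
  name               = "app-internal-alb"
  load_balancer_type = "application"
  internal           = true
  security_groups    = [aws_security_group.alb_vpn_only.id]
  subnets            = local.private_subnets
}
# Site-to-Site VPN pieces named in the answer: VGW, customer gateway, connection.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = local.vpc_id
}
resource "aws_customer_gateway" "openvpn_host" {
  bgp_asn    = 65000               # unused with static routing, but required
  ip_address = local.vpn_public_ip
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "s2s" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.openvpn_host.id
  type                = "ipsec.1"
  static_routes_only  = true
}
resource "aws_vpn_connection_route" "to_vpn_clients" {
  destination_cidr_block = local.vpn_client_cidr
  vpn_connection_id      = aws_vpn_connection.s2s.id
}
```

The OpenVPN host's own IPsec side of the tunnel and the route propagation into the app VPC's subnet route tables still have to be configured separately; resolve the ALB by its DNS name rather than its IPs, as the comment above notes.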
