If you need to keep your ALB private, you must add another public resource to make it reachable from the internet and forward traffic to your ALB. I suggest using API Gateway.
How do I integrate an API Gateway REST API with an Application Load Balancer?
If you can modify your private ALB to be public, you can restrict access by allowing only your trusted public and private IPs.
Another option is to use Global Accelerator to make your ALB available on the internet. Use security groups to limit inbound access to the third party's source IP. Refer to the linked blog post for more information.
My understanding of the given scenario is: the application resides in a private subnet in your VPC, where the ALB is load balancing; the ALB is private and only the authorized third party is allowed, and the **POST request needs to be allowed**.
NLB: here you need something public-facing that allows the authorized public IP (in your case, the third party's POST requests). You need to configure the NLB to forward traffic to the private ALB.
NLB security group: allow inbound traffic from the specific third-party public IPs on the port (the port should match the application's port); allow outbound traffic to the private ALB.
Private ALB security group: allow inbound traffic from the NLB's security group; allow outbound traffic to the application instances' security group.
Application instances' security group: allow inbound traffic from the ALB security group.
If you clarify the architecture: are they using WAF? If so, you need to create a rule to allow POST requests.
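The security-group chain from this answer, written out in Terraform (HCL) as an added example that is not part of the answer or of any AWS sample: `var.vpc_id`, the third-party CIDR (a TEST-NET-3 placeholder) and the port are assumptions, and the NLB listener plus its ALB-type target group are assumed to be defined elsewhere.

```hcl
# Added example (not from the thread). Assumed placeholders: vpc_id,
# third-party source CIDR and application port.
variable "vpc_id" {}
variable "third_party_cidr" { default = "203.0.113.10/32" } # placeholder, TEST-NET-3
variable "app_port"         { default = 443 }

# One security group per tier: public NLB, private ALB, application instances.
# Terraform strips the default allow-all egress rule, so every hop below is explicit.
resource "aws_security_group" "tier" {
  for_each = toset(["nlb", "alb", "app"])
  name     = "${each.key}-tier"
  vpc_id   = var.vpc_id
}

locals {
  sg = { for k, v in aws_security_group.tier : k => v.id }
  # Each hop accepts traffic only from the previous hop's security group and
  # sends traffic only to the next hop's. The NLB ingress is the single
  # CIDR-based rule and is pinned to the third party's public IP.
  chain = {
    nlb_in  = { sg = local.sg["nlb"], type = "ingress", cidr = var.third_party_cidr, peer = null }
    nlb_out = { sg = local.sg["nlb"], type = "egress",  cidr = null, peer = local.sg["alb"] }
    alb_in  = { sg = local.sg["alb"], type = "ingress", cidr = null, peer = local.sg["nlb"] }
    alb_out = { sg = local.sg["alb"], type = "egress",  cidr = null, peer = local.sg["app"] }
    app_in  = { sg = local.sg["app"], type = "ingress", cidr = null, peer = local.sg["alb"] }
  }
}

# Security groups are stateful, so responses flow back without extra egress rules;
# any other outbound traffic the instances need (updates etc.) is out of scope here.
resource "aws_security_group_rule" "chain" {
  for_each                 = local.chain
  type                     = each.value.type
  security_group_id        = each.value.sg
  protocol                 = "tcp"
  from_port                = var.app_port # must match the application's listener port
  to_port                  = var.app_port
  cidr_blocks              = each.value.cidr == null ? null : [each.value.cidr]
  source_security_group_id = each.value.peer # source for ingress, destination for egress
}
```

A WAF rule permitting POST, if WAF is in front of the ALB, is a separate web ACL change and is not shown here.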

Is this not possible with a public ALB?
Yes, it is. If you can switch to a public ALB, you will need to restrict the ALB security group to allow only the needed IPs (for security reasons, if needed). To allow communication between your public ALB and private subnets, you must attach your ALB to public subnets within the same AZs as your private subnets. Public LB with private subnets