Block public access to NLB

0

Hi Team, I have an ECS cluster behind a Network Load Balancer. I want to block internet access to the NLB and allow only my client's domain ("xyz.com"), which points to a CloudFront distribution.

  • I am not able to achieve this using security group rules, as they don't support whitelisting domain names; they expect IP addresses.
  • AWS WAF supports only Application Load Balancers, so I'm not able to use that either.

Can you please help me find a way to achieve this? Thanks in advance.

2 Answers
0

Configure the ECS security group to allow only the CloudFront IP addresses and the VPC CIDR (for health checks), using the CloudFront managed prefix list.
By setting this up, it is possible to limit traffic to health checks from the NLB and connections from CloudFront only.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html#managed-prefix-list
https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/?nc1=h_ls

Also, please enable "Client IP preservation" in the NLB settings when configuring this.
If this is not enabled, access to ECS will come from the NLB IP address, which cannot be properly evaluated by the security group.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation

EXPERT
answered 10 months ago
  • I tried implementing the same: I have whitelisted the CloudFront managed prefix list and the VPC CIDR in the SG, and also enabled client IP preservation in the NLB. The client is not able to access the server in this case.
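The setup the first answer describes, written out as Terraform (an added example, not code from the answer or from AWS); it assumes the variables `var.vpc_id`, `var.vpc_cidr` and `var.ecs_port` exist, and that the ECS tasks use IP targets.

```hcl
# Added example for the first answer. Assumed inputs: var.vpc_id, var.vpc_cidr,
# var.ecs_port (the container port the NLB forwards to).

# AWS's origin-facing CloudFront managed prefix list (real AWS name).
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# Security group attached to the ECS tasks. With client IP preservation on,
# the task sees the original source address, so this SG does the filtering.
resource "aws_security_group" "ecs_tasks" {
  name        = "ecs-tasks-cloudfront-only"
  description = "Allow CloudFront edges and NLB health checks only"
  vpc_id      = var.vpc_id

  # Application traffic: only from CloudFront's origin-facing ranges.
  # Note: this prefix list counts as 55 rules against the SG rule quota.
  ingress {
    description     = "CloudFront origin-facing ranges"
    from_port       = var.ecs_port
    to_port         = var.ecs_port
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }

  # Health checks: the NLB sends them from its private IPs inside the VPC,
  # so the VPC CIDR (not the internet) must be allowed on the same port.
  ingress {
    description = "NLB health checks from inside the VPC"
    from_port   = var.ecs_port
    to_port     = var.ecs_port
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Target group with client IP preservation enabled explicitly, so the SG
# above evaluates the client's address rather than the NLB's.
resource "aws_lb_target_group" "ecs" {
  name               = "ecs-nlb-tg"
  port               = var.ecs_port
  protocol           = "TCP"
  target_type        = "ip"
  vpc_id             = var.vpc_id
  preserve_client_ip = true
}
```

This admits traffic from any CloudFront distribution, not only the one serving xyz.com, because the security group filters on source IP and an NLB cannot inspect the Host header. Tying the origin to one distribution (for example a custom origin header that the application itself validates) is a separate control.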

0

If you want to restrict access to your Network Load Balancer (NLB) based on a domain name rather than an IP address, you can use an AWS Lambda function in conjunction with your NLB. Here's a high-level approach to achieve this:

Create an AWS Lambda Function: Develop an AWS Lambda function that performs the desired domain name validation. This function will be responsible for allowing or blocking traffic based on the domain name. Configure the Lambda function to extract the domain name from incoming requests.

Integrate Lambda with NLB: Configure your NLB to forward incoming requests to the Lambda function using target group rules. This allows the Lambda function to inspect and process the requests.

Implement Validation Logic: In the Lambda function, implement the necessary logic to validate the domain name. If the domain name matches the allowed domain ("xyz.com"), allow the request to proceed. If the domain name does not match the allowed domain, return an appropriate response to block the request.

By utilizing an AWS Lambda function, you can perform custom domain name validation and control access to your NLB accordingly. This approach enables you to restrict access based on the domain name instead of IP addresses.

answered 10 months ago
