If the sites are not mapped to different ports on the host you'll need some form of layer 7 filtering.
You could achieve this with AWS Web Application Firewall, but this requires integration with a load-balancer. If this is cost prohibitive, you'd need to restrict access in the vhost config, e.g. for Apache, https://httpd.apache.org/docs/2.4/howto/access.html
[editing in light of further info in comments]
Adding an additional ENI and binding the vhost to this will enable you to implement the desired policy as you describe, e.g. for Apache, https://httpd.apache.org/docs/2.4/bind.html
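As an added example (not from this thread and not the customer's configuration), this is how the two suggestions above, a vhost bound to the second ENI plus an address-based access rule, look in an Apache 2.4 configuration. The interface addresses, hostnames, VPC CIDR and document roots are assumed values.

```apache
# Added example, not from the thread. Assumptions: the primary ENI has
# private IP 10.0.1.10 (the public IP is NATed to it), a second ENI has
# private IP 10.0.1.20, and the VPC CIDR is 10.0.0.0/16.

# Bind per interface instead of a bare "Listen 80" on every address.
Listen 10.0.1.10:80
Listen 10.0.1.20:80

# Public site: the only vhost on the interface that carries the public IP,
# so any Host header arriving there (including the internal name) is
# answered from the public DocumentRoot and never touches internal content.
<VirtualHost 10.0.1.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Require all granted
    </Directory>
</VirtualHost>

# Internal site: bound to the second ENI and, as a second layer, restricted
# by client source address so a request that reaches this vhost by any
# other path is still refused with 403.
<VirtualHost 10.0.1.20:80>
    ServerName intranet.example.com
    DocumentRoot /var/www/internal
    <Directory /var/www/internal>
        Require ip 10.0.0.0/16
    </Directory>
</VirtualHost>
```

To validate the point raised further down the thread, send `curl -H 'Host: intranet.example.com' http://<public-ip>/` from outside the VPC: the response should be the public site (or 403), never anything from /var/www/internal. Note that `Require ip` evaluates the TCP peer address, so it is only meaningful when no proxy or load balancer sits in front of the instance.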
Another option is to change the FQDN's IP address from the public IP address to a private/internal IP address. This way the website will be accessible only to the internal network. Please suggest.
That's possible, but you'd want to validate the security of this, i.e. the web server won't respond to GETs to the 'private' site from the public IP (security by obscurity is no security at all). If the data is sensitive, it shouldn't sit on or be directly accessible from an internet-facing machine.
Be mindful of bridging private and public networks. The risk of web server compromise (from other public access) should be acknowledged in relation to private connections - this may already be handled by existing controls/policy on the backend, but clients connecting to the private site should understand this is an internet-facing machine. Same from a data-leakage perspective (compromise of public site -> exfiltration of private-site data).
You will probably want to make use of Network Access Control Lists (NACLs) here. Unlike Security Groups, NACLs are stateless and allow you to block/allow inbound/outbound traffic separately. You can also block on a specific IP or CIDR range. See the following: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
This is a tricky problem because the network (Security Groups and NACLs) do not have visibility of the HTTP request to see which website is being accessed. Another related solution here is to use CloudFront which would allow WAF to be used in the same manner as suggested here. WAF operates at Layer 7 which is where the HTTP requests are exposed and can therefore block, filter or otherwise modify requests based on which website the request is going to.
I agree, Brettski. This is tricky, and the customer is not using filtering at the Apache end and they are not willing to do it. Also, we cannot go for CDN and WAF. The possible solution I was thinking of is below:
Adding another interface might work; but then there will be limits on the number of interfaces and IP addresses. Much simpler to do what they "are not willing to do". Using different port numbers works fine but then it's more difficult for the end-users and there are networks out there that will block connections to "unusual" ports. Again, much simpler to go with the original suggestion.