Best practice is to never use the default SG -- Always create your own SGs that have the specific least-privilege access for your use case.
What is not working when you remove the 0.0.0.0/0 rule? I assume that the ALB gets no traffic, which would make sense as that rule is allowing the traffic in.
Appropriate basic rule for a public ALB would be TCP port 443 from 0.0.0.0/0 and enable redirect 80->443.
If you are wanting to allow only traffic from a single IP (allow list a single customer or such), replace the 0.0.0.0/0 with a specific IP a.b.x.y/32.
If you are wanting to make it private to only the VPC traffic, recommend a Private ALB but you could also update the 0.0.0.0/0 to the VPC CIDR.
Again, be careful changing the default SG. If you are using it here, you may be using it elsewhere as well and have unintended effects when you change it. Hence the best practice of using unique SGs for each workload.
Hope this helps!
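As an added example (not from this thread or from AWS), a small audit over data in the shape of the describe-security-groups output, flagging the two things the answer above warns about: any ingress rule living on the VPC default SG, and world-open ports other than 443 (and 80 for the redirect) on a public ALB's SG. The group IDs and rules in the sample are constructed.

```python
# Added example: audit SG ingress rules against the advice in the answer above.
# Input mirrors the boto3 / aws-cli describe-security-groups response shape;
# SAMPLE_GROUPS below is constructed, not real account data.

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_ALB_PORTS = {80, 443}   # 80 only because the ALB redirects it to 443


def _port_span(rule):
    """Return (from, to) for a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def audit_security_groups(groups):
    """Return a list of (group_id, reason) findings for the groups given."""
    findings = []
    for sg in groups:
        gid, name = sg["GroupId"], sg.get("GroupName", "")
        for rule in sg.get("IpPermissions", []):
            lo, hi = _port_span(rule)
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_to_world = any(c in ANYWHERE for c in cidrs)
            if name == "default":
                # A rule here affects every resource still using the default SG;
                # each workload should get its own least-privilege SG instead.
                findings.append((gid, f"default SG has ingress {lo}-{hi}; use a dedicated SG"))
                continue
            if open_to_world and not (lo == hi and lo in PUBLIC_ALB_PORTS):
                findings.append((gid, f"ports {lo}-{hi} open to the world; a public ALB needs only 443 (and 80 for the redirect)"))
    return findings


SAMPLE_GROUPS = [  # constructed sample in describe-security-groups shape
    {"GroupId": "sg-default-EXAMPLE", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-alb-EXAMPLE", "GroupName": "public-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Source is another SG (e.g. an API Gateway VPC link), not a CIDR: not world-open.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-apigw-EXAMPLE"}]}]},
]

if __name__ == "__main__":
    for gid, reason in audit_security_groups(SAMPLE_GROUPS):
        print(gid, reason)
```

Running it on the sample reports the default SG's all-traffic rule and the ALB SG's port 22, and stays quiet on 443, 80 and the SG-sourced rule.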
We want to get the traffic from API Gateway only. If we add sg-0a3806b0e18149559 as the source for the security group of the ALB, we get a 503.
I would recommend you look at this article: https://repost.aws/knowledge-center/api-gateway-application-load-balancers, specifically the link at the bottom, "Integrate an API Gateway REST API with a private Application Load Balancer".