How to access Backend from Frontend under same ALB without allowing all IPs

0

Hi Team,

I have a single ALB, where I have set 2 listeners for routing traffic between my frontend (https://frontend.app.com) and backend (https://backend.app.com) servers. The domain is registered with GoDaddy. I have to allow access to my frontend and backend only from certain IPs, which is working as desired, as I can access my backend and frontend servers from those IPs.

But when I try to access the backend server from my frontend server using the subdomain, it hangs and times out. It looks like my ALB is restricting the connection. If I allow all IPs in my ALB, then I can access the backend server from the frontend server.

I have tried this: a common security group between the ALB, frontend and backend server, say sg-xyz.

Inbound rules: allow all traffic from source sg-xyz

Outbound rules:

  1. allow all traffic to destination sg-xyz
  2. allow all traffic to 0.0.0.0/0

From both the servers I am able to access internet.

My requirement is: only a few allowed IPs should be able to access the servers. Please find the diagram for reference.

Not Working

1 Answer
1

The problem is the blue arrow doesn't go directly from your front-end instance to your internet-facing ALB, but goes out to the internet via your NAT gateway (and IGW) and then back to your ALB. You can verify this by checking what the IP addresses of your ALB DNS name are. During the loop via NAT GW and IGW, it loses the information about the source security group. If you must keep this single-ALB architecture, then you should allow traffic from your NAT GW public IP addresses (or, if you don't have NAT, the public addresses of your front-end instances). A better option would have been to have separate ALBs for front-end (internet-facing) and back-end (internal); then the security group configs would be more natural and you could allow traffic from the front-end instance security group in your back-end ALB security group.

EXPERT
Kallu
answered 3 months ago
EXPERT
reviewed 3 months ago
  • There's a contradiction here. Your question says:

    From both the servers I am able to access internet.

    Your comment above says:

    my EC2 instances (both frontend and backend) are created dynamically based on Auto scaling group policy, so can't have public IP assigned.

    An instance without a public IP will not be able to reach the internet.

    The presence (or absence) of a public IP address is determined by the setting for the subnet into which the EC2 instance is being provisioned. This can be overridden in the Auto-assign public IP part of the Network settings portion of the Launch Template.

  • As my network is inside default VPC, I don't have NAT. Moreover my EC2 instances (both frontend and backend) are created dynamically based on Auto scaling group policy, so can't have fixed public IP assigned. Hence can't whitelist them automatically.
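As an added example (not code from this thread or from AWS) that covers both the check in the answer (what the ALB DNS name resolves to) and the no-NAT case raised in the comments; it assumes the default-VPC CIDR 172.31.0.0/16 and that the caller supplies the NAT gateway or instance public IPs (e.g. from `aws ec2 describe-nat-gateways`):

```python
"""Why a frontend instance cannot reach an internet-facing ALB by DNS name,
and the ALB security-group rule the answer recommends. Assumed inputs: the
IPs the ALB name resolves to, the VPC CIDR (172.31.0.0/16 for a default VPC)
and the public IPs traffic leaves from (NAT EIPs, or instance public IPs)."""
import ipaddress
import socket

def resolve_ipv4(hostname):
    """Live lookup of the ALB DNS name: the check the answer suggests."""
    return sorted({i[4][0] for i in socket.getaddrinfo(hostname, 443, socket.AF_INET)})

def alb_is_internet_facing(alb_addresses, vpc_cidr):
    """An internal ALB resolves to private IPs inside the VPC. An internet-facing
    one resolves to public IPs, so a VPC client reaches it via NAT/IGW and the
    source security group is lost on the way."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return not all(ipaddress.ip_address(a) in vpc for a in alb_addresses)

def ingress_rule(egress_public_ips, vpc_cidr, port=443):
    """IpPermissions entry for ec2.authorize_security_group_ingress: allow `port`
    from each egress IP as a /32. Addresses inside the VPC are rejected because
    the ALB never sees them as the source after the NAT/IGW hop."""
    vpc = ipaddress.ip_network(vpc_cidr)
    ranges = []
    for ip in egress_public_ips:
        addr = ipaddress.ip_address(ip)
        if addr in vpc:
            raise ValueError(f"{ip} is a VPC-private address, not what the ALB sees")
        ranges.append({"CidrIp": f"{addr}/32", "Description": "frontend egress via NAT/IGW"})
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}

def diagnose(alb_addresses, vpc_cidr, egress_public_ips, port=443):
    """Pick the security-group change that lets frontend reach backend."""
    if not alb_is_internet_facing(alb_addresses, vpc_cidr):
        return {"fix": "allow source security group", "rule": None}
    if not egress_public_ips:  # no NAT and no public IP: no path to the ALB at all
        return {"fix": "add NAT/public IPs, or switch to an internal ALB", "rule": None}
    return {"fix": "allow egress public IPs", "rule": ingress_rule(egress_public_ips, vpc_cidr, port)}

# Constructed sample values (not from the thread): public-resolving ALB, one NAT EIP.
SAMPLE_ALB_IPS = ["203.0.113.10", "203.0.113.25"]
SAMPLE_NAT_EIPS = ["198.51.100.7"]
DEFAULT_VPC_CIDR = "172.31.0.0/16"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ALB_IPS, DEFAULT_VPC_CIDR, SAMPLE_NAT_EIPS))
```

Replace the sample ALB IPs with the output of `resolve_ipv4("backend.app.com")` to run the check against the real load balancer.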
