Hello.
My first question is: should I be removing the internet gateway from this route table, i.e. the route table for the subnet containing my EC2 instance?
As of December 2024, Cognito does not support VPC endpoints, so authentication cannot be performed if there is no connection route to the Internet.
Therefore, if you place EC2 in a private subnet, you will need to use a NAT Gateway to allow Cognito and your application to communicate.
What would be the AWS setup I would need so that my request reaches the EC2 on a private EC2 IP, i.e. some path by which my public request can get to the EC2 and receive a response?
If it is possible to use ALB, I think it would be easy to configure by linking Cognito to ALB and performing authentication.
Since private EC2 cannot be directly accessed, a public ALB is placed and the application is accessed via the ALB.
At that time, you can easily authenticate by linking Cognito to ALB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
The connection path from the user to the application is as follows.
User -> ALB -> Cognito -> Call Back (ALB) -> EC2
If you use API Gateway, I think the answer is as per re:Post Agent.
To set up your application so it can be accessed securely with user authentication, you'll need to make some changes to your current setup. Here's a step-by-step approach:
1. Regarding your first question, you should not remove the Internet Gateway from the route table of the subnet containing your EC2 instance. Instead, you should create a new private subnet for your EC2 instance and move it there.
2. To securely expose your application, you'll need to set up the following:
   a. Create a public subnet and a private subnet in your VPC.
   b. Move your EC2 instance to the private subnet.
   c. Set up a NAT Gateway in the public subnet to allow outbound internet access for your EC2 instance.
   d. Create an Application Load Balancer (ALB) in the public subnet.
   e. Configure the ALB to forward traffic to your EC2 instance in the private subnet.
   f. Set up an SSL/TLS certificate for your domain using AWS Certificate Manager.
   g. Configure the ALB to use HTTPS.
3. For the authentication flow:
   a. Set up Amazon API Gateway as your entry point.
   b. Configure API Gateway to integrate with Cognito for authentication.
   c. Set up a VPC Link in API Gateway to connect to your ALB.
The flow of a request would look like this: User Request → API Gateway → Cognito Authentication → VPC Link → Application Load Balancer → Private Subnet → EC2 Instance
This setup ensures that your EC2 instance is not directly accessible from the internet, while still allowing authenticated and encrypted access to your application. The API Gateway acts as the first entry point in the AWS cloud, handling authentication via Cognito before forwarding requests to your application running on EC2.
Remember to update your Cognito settings to use the new HTTPS endpoint of your application as the callback URL. Also, make sure to configure the necessary security groups and network ACLs to allow traffic between these components.
This setup provides a secure and scalable architecture for your application, leveraging AWS services to handle authentication, encryption, and network security.
Sources
- EC2 access to internet in private subnet | AWS re:Post
- create-nat-gateway — AWS CLI 2.22.12 Command Reference
- Example routing options - Amazon Virtual Private Cloud
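The first question (whether to edit the existing route table) comes down to what the subnet's default route points at. The check below is an added example, not code from the question or any of the answers: it classifies subnets from a constructed sample shaped like the EC2 describe-route-tables response (route table, subnet and gateway IDs are placeholders) and flags an instance subnet that is public (IGW default route) or isolated (no default route at all, so Cognito is unreachable without a VPC endpoint).

```python
"""Classify VPC subnets by their active default route and check the
subnet that holds the EC2 instance. Sample data is constructed; it only
mimics the shape of `aws ec2 describe-route-tables` / boto3 output."""

# Constructed sample: one public table (ALB + NAT), one private table (EC2).
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public-placeholder",
        "Associations": [{"SubnetId": "subnet-public", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private-placeholder",
        "Associations": [{"SubnetId": "subnet-private", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder", "State": "active"},
        ],
    },
]


def classify_subnets(route_tables):
    """Map subnet id -> "public" (IGW default route), "private" (NAT default
    route) or "isolated" (no active default route). The VPC's main route
    table, if present, is recorded under the key "main"."""
    result = {}
    for rtb in route_tables:
        kind = "isolated"
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                kind = "public"
            elif route.get("NatGatewayId"):
                kind = "private"
        for assoc in rtb.get("Associations", []):
            key = "main" if assoc.get("Main") else assoc.get("SubnetId")
            if key:
                result[key] = kind
    return result


def check_instance_subnet(route_tables, instance_subnet_id):
    """Findings for the EC2 subnet; a subnet with no explicit association
    falls back to the main table. Intended layout: ALB public, EC2 private."""
    subnets = classify_subnets(route_tables)
    kind = subnets.get(instance_subnet_id, subnets.get("main", "isolated"))
    if kind == "public":
        return ["instance subnet routes 0.0.0.0/0 via an internet gateway: move the instance to a private subnet rather than editing this table"]
    if kind == "isolated":
        return ["instance subnet has no default route: Cognito is unreachable, add a NAT gateway route"]
    return []
```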