The problem is the blue arrow doesn't go directly from your front-end instance to your internet-facing ALB, but it goes out to the internet via your NAT gateway (and IGW) and then back to your ALB. You can verify this by checking what the IP addresses of your ALB DNS name are. And during the loop via NAT GW and IGW, it loses the information about the source security group. If you must keep this single ALB architecture, then you should allow traffic from your NAT GW public IP addresses (or if you don't have NAT, then the public addresses of your front-end instances). A better option would have been to have separate ALBs for the front-end (internet-facing) and back-ends (internal); then the security group configs would be more natural and you could allow traffic from the front-end instance security group in your back-end ALB security group.
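An added example (not code from the answer above) of the check the answer describes: classify the addresses an ALB DNS name resolves to as private (internal ALB, so a security-group reference works) or public (internet-facing ALB, so the hairpin through NAT GW/IGW arrives from public IPs), and derive the matching backend-SG ingress rule. The security-group id, EIPs and resolved addresses used here are constructed, not taken from the thread.

```python
"""Decide how the backend ALB security group must admit front-end traffic,
based on whether the ALB resolves to private or public addresses."""
import ipaddress
import socket


def resolve_alb(dns_name):
    """Resolve an ALB DNS name to its current IPv4 addresses (needs network).
    ALB addresses change over time, so never hard-code them in a rule."""
    infos = socket.getaddrinfo(dns_name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def alb_scheme(addresses):
    """'internal' if every address is RFC1918 private, 'internet-facing' if
    every address is public; a mix is unexpected and reported as an error."""
    private = [ipaddress.ip_address(a).is_private for a in addresses]
    if all(private):
        return "internal"
    if not any(private):
        return "internet-facing"
    raise ValueError(f"mixed private/public addresses: {addresses!r}")


def backend_ingress_rule(scheme, frontend_sg_id, public_ips=(), port=443):
    """Build the ingress rule (boto3 IpPermissions shape) for the backend ALB SG.
    Internal ALB: traffic stays in the VPC, so the source can be the front-end
    instances' security group.  Internet-facing ALB: the packet leaves via the
    NAT gateway (or the instance's own public IP) and comes back from a public
    address, so the SG reference never matches and the rule must list those
    public addresses as /32 CIDRs instead."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if scheme == "internal":
        rule["UserIdGroupPairs"] = [{"GroupId": frontend_sg_id}]
    else:
        if not public_ips:
            raise ValueError("internet-facing ALB: supply NAT GW / instance public IPs")
        rule["IpRanges"] = [
            {"CidrIp": f"{ip}/32", "Description": "NAT GW or front-end public IP"}
            for ip in public_ips
        ]
    return rule


if __name__ == "__main__":
    # Constructed sample: the hairpin case with one NAT gateway EIP.
    scheme = alb_scheme(["3.120.44.9", "18.196.7.101"])
    print(scheme, backend_ingress_rule(scheme, "sg-0123456789abcdef0", ["52.10.20.30"]))
```

Run `alb_scheme(resolve_alb("<your-alb-dns-name>"))` against a real ALB to see which case applies.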
Here is an example of classic 3-tier (frontend, application, db) architecture in AWS https://docs.aws.amazon.com/whitepapers/latest/web-application-hosting-best-practices/an-aws-cloud-architecture-for-web-hosting.html
There's a contradiction here. Your question says:
Your comment above says:
An instance without a public IP will not be able to reach the internet.
The presence (or absence) of a public IP address is determined by the setting for the subnet into which the EC2 instance is being provisioned. This can be overridden in the Auto-assign public IP part of the Network settings portion of the Launch Template.
As my network is inside default VPC, I don't have NAT. Moreover my EC2 instances (both frontend and backend) are created dynamically based on Auto scaling group policy, so can't have fixed public IP assigned. Hence can't whitelist them automatically.