I have a default VPC with 2 Elastic Beanstalk applications. I need to call an HTTP endpoint on application A from an instance of application B. I would like to configure the security group rules of the application A load balancer to accept only incoming HTTP traffic from the security group of application B instances.
I tried to add the application B instance security group as a source for the incoming rule on the application A load balancer, but it doesn't work.
I haven't done any particular configuration, I have default VPC and 3 default subnets in 3 availability zones.
Have you any idea?
I'm having trouble communicating with EC2 and ECS.
When I send a request to ECS from EC2 that has the same security group as ECS, I get a Timeout error.
However, the request can be received from ECS from outside.
Security group A allows all its own traffic.
EC2 Instance:
  private subnet A
  security group A
ECS Load Balancer (internet facing):
  public subnet A
  security group A (for internal communication)
  security group B (for external communication)
ECS Container:
  private subnets A and B
  security group A
When you send traffic to a public facing load balancer it exits the VPC and comes back in. When the traffic exits the VPC it is no longer associated to a security group. Thus the security group no longer sees the traffic as coming from "itself" and it blocks the request.
I am trying to load some REST services using CloudFormation as an ECS Service with Fargate.
I don't want a public domain name for these services. I will access them internally from my AWS Lambda functions.
I realized AWS Fargate needs load balancing, a load balancer needs a certificate, and a certificate needs a domain name.
Probably I am missing something, but I tried to load AWS Fargate without a load balancer and I was unable to access it from Lambdas.
The question is: how do I run my services on ECS with Fargate without a Load Balancer?
Use ECS Service Discovery to set up private DNS records that allow your application to discover service endpoints without using a load balancer or having to create public DNS records. Service Discovery works by creating private DNS records in Route 53 that are queryable from within your VPC, so that you can find the IP addresses for all of the tasks running in a service. If you're running multiple tasks you will get multiple A records back, one per task, so you will need to do client-side load balancing by picking a random record in the returned set.
The documentation linked above is a little vague so here are some more specific instructions: When creating your service in the console, in Step 2: Configure Network, check the Enable service discovery integration checkbox. Then specify "create new private namespace" and supply a name for your namespace, such as foo.app. Then select the "Create new discover service" radio button, and specify a name for your service (such as service1). Leave the rest of the settings in the Service discovery (optional) section as default.
Now from within your VPC, you'll be able to look up service1.foo.app and get back A records with the IP addresses of all of the tasks running in the service.
This Medium article also has a good summary of how to set up service discovery.
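The answer above says each task comes back as its own A record and the client has to pick one itself. The following is an added example (not code from the answer or from AWS) of that client-side selection, including the failure mode the answer does not mention: a record may belong to a task that has just stopped, so the client should fall back to the remaining records rather than give up. The namespace foo.app and service name service1 are the ones from the answer; the port 8080 and the IP addresses in the constructed resolver are assumptions, and the resolver and connector are injectable so the logic runs offline.

```python
"""Client-side load balancing over ECS Service Discovery (Cloud Map) A records.

Constructed example. In production the resolver defaults to socket.getaddrinfo
and the connector to socket.create_connection; the fakes at the bottom stand in
for them so the selection and fallback logic can be exercised without a VPC.
"""
import random
import socket
from typing import Callable, List, Tuple

# Resolver returns getaddrinfo-shaped tuples: (family, type, proto, canonname, (ip, port))
Resolver = Callable[[str, int], list]
Connector = Callable[[str, int], object]


def resolve_tasks(name: str, port: int, resolver: Resolver = None) -> List[str]:
    """Return every IPv4 address behind the service name, one per running task.

    The Route 53 private zone answers with all task IPs at once; the set() drops
    duplicate entries getaddrinfo may emit for the same address.
    """
    if resolver is None:
        resolver = lambda host, p: socket.getaddrinfo(host, p, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({entry[4][0] for entry in resolver(name, port)})


def connect_any(name: str, port: int, *, resolver: Resolver = None,
                connector: Connector = None, rng: random.Random = None) -> Tuple[str, object]:
    """Pick a random task and connect; on failure move on to the other records.

    Service discovery DNS reflects task state with some delay (record TTL plus
    health-check lag), so an address that resolved a moment ago may already be
    gone. Trying the remaining records covers that window. Raises ConnectionError
    only when every record has been tried.
    """
    if connector is None:
        connector = lambda ip, p: socket.create_connection((ip, p), timeout=2)
    rng = rng or random.Random()
    candidates = resolve_tasks(name, port, resolver)
    rng.shuffle(candidates)  # random pick, as the answer suggests
    errors = {}
    for ip in candidates:
        try:
            return ip, connector(ip, port)
        except OSError as exc:  # refused, timed out, unreachable
            errors[ip] = exc
    raise ConnectionError(f"no task reachable for {name}:{port}: {errors}")


# --- Constructed stand-ins for DNS and TCP (assumed values, not from any account) ---

def fake_resolver(name: str, port: int) -> list:
    """Two tasks for service1.foo.app; the first address is listed twice on purpose."""
    return [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.1.11", port)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.2.12", port)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.1.11", port)),
    ]


def flaky_connector(ip: str, port: int) -> str:
    """Simulate the task at 10.0.1.11 having stopped after its record was served."""
    if ip == "10.0.1.11":
        raise ConnectionRefusedError(f"{ip}:{port} refused")
    return f"tcp://{ip}:{port}"


def demo() -> str:
    """Return the address actually connected to; always the healthy task."""
    ip, _conn = connect_any("service1.foo.app", 8080, resolver=fake_resolver,
                            connector=flaky_connector, rng=random.Random(1))
    return ip


if __name__ == "__main__":
    print(resolve_tasks("service1.foo.app", 8080, fake_resolver))
    print(demo())
```

With a real deployment, drop the fakes and call connect_any("service1.foo.app", 8080) from inside the VPC; the defaults then resolve through the private hosted zone and open a real TCP connection.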
I have a database server on an EC2 instance, and I want it to be accessible by an Elastic Load Balancer cluster.
I tried adding the subnet of the Load Balancer to the security group of the database EC2 instance.
There must be some way to give the whole cluster of EC2 instances created by ELB and Auto Scaling access to a single EC2 instance.
Your question isn't too clear, but it appears your scenario is:
Internet -> ELB -> EC2 fleet -> Database (on EC2 instance)
You have a database running on a single EC2 instance
You have multiple EC2 instances running an application that connect to the database
You have an Elastic Load Balancer that accepts traffic from the Internet and distributes it to the EC2 instances running the application
You should configure the following Security Groups:
ELB-SG: Configure this security group to allow incoming web traffic from the Internet (0.0.0.0/0). Associate the security group to the Load Balancer.
App-SG: Configure this security group to allow incoming web traffic from ELB-SG. Associate the security group with every instance in the application fleet. If the EC2 instances are launched via Auto Scaling, then associate the security group with the Launch Configuration.
DB-SG: Configure this security group to allow incoming traffic from App-SG. Associate the security group to the EC2 instance running the database.
When I say "allow incoming traffic from xxx-SG", I mean that you should enter the name of the incoming security group in the Source field when configuring the security group. This will automatically insert the unique name of the security group (sg-xxxx). It means that any resource associated with the referenced security group will be allowed incoming access on the nominated port.
You should avoid using an IP address or CIDR range in a security group, because they can change (e.g. if you launch another EC2 instance). By referencing a security group by name, it will automatically update as instances are added/removed.
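The ELB-SG / App-SG / DB-SG chain above, and the earlier ECS answer about traffic that leaves the VPC through an internet-facing load balancer losing its security group, both come down to one matching rule: a security group is an allow-list, and a rule whose source is another security group matches only packets attributed to a network interface carrying that group. The following is an added example, not code from either answer or from AWS: it builds the three rule sets in the IpPermissions shape that boto3's authorize_security_group_ingress accepts, and includes a small evaluator that applies that matching rule to sample flows. The vpc-/sg- IDs, the 3306 database port and the sample addresses are placeholders and constructed values; apply_rules is the only part that talks to AWS.

```python
"""Three-tier security groups (ELB-SG -> App-SG -> DB-SG) as boto3 rule payloads,
plus an evaluator that mirrors how security groups match a flow.

Constructed example; replace the placeholder IDs before calling apply_rules.
"""
import ipaddress
from typing import Dict, Iterable, List

ELB_SG = "sg-ELB-PLACEHOLDER"   # placeholder, not a real group id
APP_SG = "sg-APP-PLACEHOLDER"   # placeholder
DB_SG = "sg-DB-PLACEHOLDER"     # placeholder


def sg_rule(port: int, *, source_sg: str = None, cidr: str = None, proto: str = "tcp") -> dict:
    """One IpPermissions entry, sourced from either a security group or a CIDR."""
    if (source_sg is None) == (cidr is None):
        raise ValueError("give exactly one of source_sg or cidr")
    rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if source_sg is not None:
        rule["UserIdGroupPairs"] = [{"GroupId": source_sg}]   # the "Source: sg-xxxx" form
    else:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    return rule


def three_tier_rules(elb_sg: str, app_sg: str, db_sg: str, db_port: int = 3306) -> Dict[str, List[dict]]:
    """Ingress rules per group, exactly as the answer describes them."""
    return {
        elb_sg: [sg_rule(80, cidr="0.0.0.0/0"), sg_rule(443, cidr="0.0.0.0/0")],  # from the Internet
        app_sg: [sg_rule(80, source_sg=elb_sg)],        # only from the load balancer
        db_sg: [sg_rule(db_port, source_sg=app_sg)],    # only from the application fleet
    }


def allowed(rules_for_target: Iterable[dict], port: int, *, source_ip: str,
            source_sgs: Iterable[str] = ()) -> bool:
    """Security groups are allow-lists: the flow passes if any rule matches.

    A UserIdGroupPairs rule matches only when the packet is attributed to an ENI in
    that group. A packet that went out to the Internet and came back (for example
    via an internet-facing load balancer) carries no group at all, so only a CIDR
    rule could admit it.
    """
    ip = ipaddress.ip_address(source_ip)
    source_sgs = set(source_sgs)
    for rule in rules_for_target:
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(pair["GroupId"] in source_sgs for pair in rule.get("UserIdGroupPairs", [])):
            return True
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def apply_rules(ec2, rules: Dict[str, List[dict]]) -> None:
    """Push the rules with a boto3 EC2 client (only meaningful against a real account)."""
    for group_id, permissions in rules.items():
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=permissions)


if __name__ == "__main__":
    rules = three_tier_rules(ELB_SG, APP_SG, DB_SG)
    # Internal hop, attributed to the load balancer's group: admitted.
    print(allowed(rules[APP_SG], 80, source_ip="10.0.1.20", source_sgs=[ELB_SG]))
    # Same instance reached through a public address, group attribution lost: refused.
    print(allowed(rules[APP_SG], 80, source_ip="203.0.113.5"))
    import boto3  # assumed installed; uncomment to apply against a real VPC
    # apply_rules(boto3.client("ec2"), rules)
```

The second printed line is the ECS timeout from the earlier question in miniature: the instance and the load balancer share a group, but the request arrives from a public address with no group attached, so the self-referencing rule never matches.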
On an AWS EC2 ELB security profile, I need a couple of IP addresses to be able to access only certain pages of my website. Is it possible? The other IP addresses will have access to the full website. Is this achievable?
This is not possible as a configuration in the Load Balancer because the Load Balancer simply distributes requests to your application servers.
Your application will need to enforce such functionality.
I have a single EC2 instance running a website behind an Elastic Load Balancer in AWS, mainly because I want to use Amazon's new and free SSL for HTTPS.
My challenge is, I need to whitelist my IP address in the security groups so that I am the only person that can see this website (and I can selectively add people as needed).
I've successfully whitelisted my IP address without a load balancer. My challenge is whitelisting my IP address with the load balancer proxy between my IP address and my EC2 instance.
It appears as if my EC2 instance will not register with the load balancer because the security group for my EC2 instance does not allow incoming traffic from any IP address except for my own.
I am looking for a way for my load balancer to be able to health check my EC2 instance, yet only allow specific whitelisted IPs to actually see the website.
If you are using a VPC (which you really should be) then you will have a Security Group attached to the load balancer. That's where you will whitelist IP addresses. The EC2 server just needs to whitelist the Load Balancer's security group.
You can visualize it like this:
Your IP -> Security Group 1 -> Load Balancer -> Security Group 2 -> EC2 Instance(s)
Security Group 1 verifies the IP address is on the whitelist, and allows the traffic through to the load balancer. The Load Balancer sends the traffic along to one of the instances in the pool. Security Group 2 verifies that the traffic is coming from something that belongs to Security Group 1 (the load balancer), which has been whitelisted, and allows it to pass through to the EC2 instance.
I was able to solve the issue by changing the security group of the EC2 instance to allow incoming HTTP connections on port 80 from the security group assigned to my load balancer.
And then my load balancer itself allows incoming HTTP traffic on port 80 from anywhere.
So I guess the trick here is that you can allow incoming connections from an IP or from a security group.