
I have 2 EC2 instances on a single AWS VPC and a public subnet, say app1.example.com and app2.example.com. They are to be accessed by the company employees only via our VPN. app1's Security Group (SG) allows incoming traffic only from the VPN. Traffic to app2 is open to all. I now intend to restrict access to app2, like app1, from the VPN only.

Please note:

  • app1 and app2 don't have any static IP assigned
  • SSL is forced by default, so an HTTP request is redirected to HTTPS

At the moment, when app1 sends a request to app2, it uses app2's domain app2.example.com/api_endpoint. Now, if I restrict access to app2 via the VPN only, I need to add Security Group rules to app2 to allow traffic from the VPN as well as from app1's SG. To make this rule work, I changed app1 to make requests to app2 using its private IP, say 172.31.0.2/api_endpoint. However, because SSL is enabled by default, the request redirects to HTTPS and fails with a certificate verify failed error (as expected).

I have thought of 2 solutions to this:

  1. Switch off force_ssl. Enable traffic for HTTP only from app1's SG. Enable traffic for HTTPS only from the VPN.
  2. Use a proxy server (such as squid) on a separate server with a static IP. app1 uses this proxy to make requests to app2. On app2's SG, allow traffic from the proxy server's static IP.

What are your thoughts on these 2 solutions? Are there any other solutions (perhaps, API Gateway is better suited to this)?

The 3rd thing I need to ask is:

  1. Is it a good practice to use AWS private IPs to refer to one another? I assume it is because they are static.

Any help or pointers are appreciated. Please let me know if anything is unclear or you need more info. Thanks.

prasvin
  • Why is SSL saying certificate validation failed? If you have valid public certificates that should be ok, unless I guess it's checking a CRL or similar. I think you need to expand your question a bit to provide more information. Also, if you put each server in a different security group you can use inter-SG rules rather than IP-based rules. – Tim Aug 28 '22 at 08:17
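Both the question's option 1 and Tim's comment rely on referencing app1's security group in app2's ingress rules instead of an IP address, which sidesteps the missing static IP. The script below is an added example, not code from the question or the commenter: it takes the JSON shape that `aws ec2 describe-security-groups` (and boto3's `describe_security_groups`) returns, reports every rule that exposes TCP 80 or 443 to 0.0.0.0/0 or ::/0 (app2's current state), and builds the tightened `IpPermissions` list that would allow HTTPS only from the VPN range and from app1's SG by group id. The group ids, VPN CIDR and rule descriptions are constructed sample values, and the sample data is embedded so the audit runs offline.

```python
"""Audit security-group ingress for world-open web ports and build the restricted rule set.

Added example, not from the original question. Input follows the
describe-security-groups JSON shape; all ids and CIDRs below are constructed.
"""
from __future__ import annotations

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
WEB_PORTS = (80, 443)

# Constructed sample: app2 open to the world on 80/443, app1 already VPN-only on 443.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0ccc3333dddd44444",  # constructed: app2's SG
        "GroupName": "app2-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0aaa1111bbbb22222",  # constructed: app1's SG
        "GroupName": "app1-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.8.0.0/24", "Description": "VPN"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def _covers_port(perm: dict, port: int) -> bool:
    """True if this permission entry admits TCP traffic on `port` ("-1" means all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_world_open(groups: list[dict]) -> list[tuple[str, int, str]]:
    """Return (group_id, port, cidr) for every rule that opens a web port to everyone."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue
                for port in WEB_PORTS:
                    if _covers_port(perm, port):
                        findings.append((group["GroupId"], port, cidr))
    return findings


def build_restricted_ingress(vpn_cidr: str, caller_sg_id: str) -> list[dict]:
    """IpPermissions for app2: HTTPS only, from the VPN range and from the caller's SG.

    Referencing the caller's SG id (UserIdGroupPairs) means the rule follows app1's
    instance even though it has no static IP; this list can be passed straight to
    authorize-security-group-ingress after revoking the 0.0.0.0/0 rules.
    """
    return [
        {
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": vpn_cidr, "Description": "company VPN"}],
            "UserIdGroupPairs": [{"GroupId": caller_sg_id, "Description": "app1 -> app2 API"}],
        },
    ]


if __name__ == "__main__":
    for gid, port, cidr in find_world_open(SAMPLE_GROUPS):
        print(f"{gid}: tcp/{port} open to {cidr}")
    fixed = build_restricted_ingress("10.8.0.0/24", "sg-0aaa1111bbbb22222")
    print("world-open after fix:", find_world_open([{"GroupId": "app2", "IpPermissions": fixed}]))
```

With real data, feed the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` into `find_world_open`; any finding on app2 is the condition the question describes, and an empty result on the rebuilt rule set confirms the world-open exposure is gone.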

0 Answers