
I want to temporarily block port 80 for the outside world, but want the load balancer to pass through the firewall (via security group) so it won't see the instance as unhealthy. How can I do that?

Update: I also want to know how can I allow only myself accessing to the elastic load balancer via port 80 (but prevent others access). I know that the load balancer doesn't have specific security groups that I can setup and tell it to only accept my IP address, but is there any other way to do it?

HopelessN00b
Liron Harel

4 Answers

18

What Eric takes the long way to point you towards but doesn't actually state is that you need to authorize the source as the amazon-elb/amazon-elb-sg. If you're doing this through the AWS Management Console it will actually auto-complete when you start typing it into the source field. I operate several ELB configurations and they all allow access to 80/TCP via this security group and the static IP addresses of my monitoring systems.

To address the updated request info, you cannot restrict what IP addresses can hit the ELB. This could be possible on the Apache server side if you write rules that look at the headers and make decisions to reject the page view. My way of restricting access for testing is to add my static IP to the security group allowed to hit the EC2 instance via port 80/TCP and simply take the instance out of the ELB for testing.

Jeremy Bouse
    The thing that threw me with this answer was the text *amazon-elb/amazon-elb-sg* formatted as code, which implied that was some magic AWS id. In reality all you have to do is type `sg-` in the source field and you get a dropdown for all the different security groups. – krock Apr 01 '16 at 05:09
7

Amazon announced support for this in April:

You can now configure EC2 instances sitting behind an Elastic Load Balancer to receive traffic only from the Load Balancer by using a special Security Group associated with the Elastic Load Balancer. To do this, you call the DescribeLoadBalancers API to get the name of the Security Group, and then include that group in the group list when you subsequently launch some EC2 instances. The name of the Security Group can also be obtained from the load balancer details pane in the AWS Management Console.

http://aws.typepad.com/aws/2011/05/elastic-load-balancing-ipv6-zone-apex-support-additional-security.html

Eric Hammond
  • It didn't answer the question of how I can allow only myself to access the load balancer on port 80, not me accessing the EC2 server directly. There isn't any security group for the load balancer itself. – Liron Harel Oct 16 '11 at 11:06
  • How about just password protecting the site except for the health check URL? – Eric Hammond Oct 16 '11 at 17:53
  • How can I obtain the name of the security group of the load balancer via the management console UI? – Liron Harel Oct 16 '11 at 19:06
2

I should add that amazon-elb/amazon-elb-sg is the default name of the load balancer security group. If you changed the name of the security group then adding amazon-elb/amazon-elb-sg will not work. A more generic answer is to add the security group ID or the security group name of the load balancer to the security group of all the instances participating in the cluster.

1

Create a new Security Group for the ELB, then only allow access to the EC2 from the ELB security group. Change the Security settings in the VPC section to do this more easily.

Specific IP/Range -> ELB -> EC2 (Only ELB Group) ->

I have multiple dev environments which have private access via ELB, but have health checks that are required for server monitoring.

user1573604