My objective:
To make my AWS Elastic Load Balancer hittable only by traffic from my IP.

What I have tried:

  • created a security group in EC2 security groups
  • set an inbound rule that allows all traffic from my IP [all, all, all, /32]
  • assigned this ELB the newly created security group
  • attempted to hit the ELB from an IP outside my office

The results:
All traffic, even from IPs other than mine, could still hit my ELB (and thus get through to my app servers).

What am I doing wrong? How can I block inbound traffic to my ELB (and the EC2 instances behind it)?

mconlin

2 Answers

2

You need to create a security group on your app servers that only allows inbound traffic from the ELB security group.

As the docs say:

This feature involves two security groups: the source security group and a security group that defines the ingress rules for your back-end instance. To lock down traffic between your load balancer and your back-end instances, add or modify a rule to your back-end security group that limits ingress traffic so that it can come only from the Amazon EC2 source security group provided by Elastic Load Balancing.

c4urself
  • This will prevent someone from bypassing the ELB and going straight to the servers directly, but it won't fix OP's issue at all if the issue has been accurately described. – ceejayoz Apr 28 '16 at 18:08
-2

Verify the following.

1) Is the default security group of the VPC attached to the ELB, permitting 80 to any?

2) No other SG should be attached to the ELB than what you have explicitly allowed.

3) Since you can only permit traffic in a security group, and everything else hits the implicit deny, another method is to drop all traffic in the NACL of the subnet where the ELB was launched.

C Singh
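The two answers together describe two things to verify: that every security group attached to the ELB admits traffic only from the single office /32 (an extra attached group, such as the VPC default SG with an open port 80 rule, silently widens access because security groups are allow-only), and that the app-server group accepts traffic only from the ELB's security group so the ELB cannot be bypassed. The following is an added example, not code from either answerer, that runs both checks offline over data shaped like `aws ec2 describe-security-groups` output. The group ids, office CIDR and sample rules are constructed for this example and are not values from the question.

```python
"""Offline audit of the ELB / app-server security-group layout discussed above.

The input mirrors the JSON structure returned by `aws ec2 describe-security-groups`
(GroupId, IpPermissions with IpRanges and UserIdGroupPairs). All ids, CIDRs and
rules below are constructed for this example (assumptions, not page values).
"""
from ipaddress import ip_network

OFFICE_CIDR = "203.0.113.10/32"        # assumption: the asker's single office IP
ELB_SG = "sg-0elb00000000000001"       # assumption: SG created for the ELB
APP_SG = "sg-0app00000000000002"       # assumption: SG on the app servers
DEFAULT_SG = "sg-0def00000000000003"   # assumption: the VPC default SG

# Constructed state reproducing the symptom: the ELB-specific SG is right, but the
# VPC default SG is also attached to the ELB with port 80 open to the world
# (answer 2, check 1), and the app SG accepts 80 from anywhere, so the ELB can be
# bypassed (answer 1).
SECURITY_GROUPS = [
    {"GroupId": ELB_SG, "GroupName": "elb-office-only", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": OFFICE_CIDR}],
         "UserIdGroupPairs": []}]},
    {"GroupId": DEFAULT_SG, "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": APP_SG, "GroupName": "app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": ELB_SG}]}]},
]
# Security groups reported on the load balancer (constructed).
ELB_ATTACHED = [ELB_SG, DEFAULT_SG]


def _sources(perm):
    """Yield every source of one ingress permission as ('cidr', x) or ('sg', id)."""
    for r in perm.get("IpRanges", []):
        yield ("cidr", r["CidrIp"])
    for p in perm.get("UserIdGroupPairs", []):
        yield ("sg", p["GroupId"])


def audit(groups, elb_attached, app_sg, allowed_cidr):
    """Return a list of findings; an empty list means the layout is as intended."""
    by_id = {g["GroupId"]: g for g in groups}
    allowed = ip_network(allowed_cidr)
    findings = []
    # Check 1: every SG attached to the ELB must admit only the allowed /32.
    # Rules across all attached groups are unioned, so one extra group with a
    # 0.0.0.0/0 rule opens the listener to everyone.
    for gid in elb_attached:
        for perm in by_id[gid]["IpPermissions"]:
            for kind, src in _sources(perm):
                if kind != "cidr" or not ip_network(src).subnet_of(allowed):
                    findings.append(
                        f"{gid}: ELB-facing rule admits {src}, not only {allowed_cidr}")
    # Check 2: the app-server SG must reference the ELB's SG as its only source;
    # any CIDR source lets clients skip the ELB and reach the instances directly.
    for perm in by_id[app_sg]["IpPermissions"]:
        for kind, src in _sources(perm):
            if not (kind == "sg" and src in elb_attached):
                findings.append(
                    f"{app_sg}: backend rule admits {src} instead of only the ELB SG")
    return findings


def fixed_layout():
    """The corrected layout: only the office-only SG on the ELB, and the app SG
    accepting port 80 from that SG alone. The default SG may remain in the VPC;
    it just must not be attached to the ELB."""
    groups = [
        SECURITY_GROUPS[0],
        SECURITY_GROUPS[1],
        {"GroupId": APP_SG, "GroupName": "app-servers", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ELB_SG}]}]},
    ]
    return groups, [ELB_SG]


if __name__ == "__main__":
    for line in audit(SECURITY_GROUPS, ELB_ATTACHED, APP_SG, OFFICE_CIDR):
        print("FINDING:", line)
    groups, attached = fixed_layout()
    print("after fix:", audit(groups, attached, APP_SG, OFFICE_CIDR) or "clean")
```

Run against the constructed state it reports two findings (the default SG's open port 80 on the ELB, and the app SG's 0.0.0.0/0 rule); against `fixed_layout()` it reports none. To use it on a real account, replace the constructed lists with the parsed output of `describe-security-groups` and the `SecurityGroups` field of `describe-load-balancers`.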