Our current setup is

ALB -> Target Group -> EC2 instances

At the moment it's possible to access the EC2 servers behind the load balancer using the IP address of the ALB, the DNS Name (e.g. xxxx-5555555555.eu-west-1.elb.amazonaws.com) as well as the domain specified in the DNS (e.g. aaa.bbbbbbb.com).

Is it possible to block access to the ALB when the IP address or DNS name is used and only allow access when the domain name (aaa.bbbbbbb.com) is used? If so how would I set this up?

  • 201
  • 1
  • 4
  • 9
  • 1
    Not at the load balancer level. Set up a "default virtualhost" that serves a 404. – ceejayoz Jun 26 '18 at 14:32
  • 1
    @ceejayoz's suggestion is a good one -- web servers should always be configured not to handle unexpected requests (by IP or unknown hostnames), since default configurations open up multiple cans of worms, including (but not limited to) search engines indexing the wrong site or malicious actors pointing their domain at your server -- but ALBs do have a way to do this if you don't mind something that seems a little bit confusing at first glance. – Michael - sqlbot Jun 26 '18 at 16:59

2 Answers2


Option 1.

Make your ALB's default target group an empty target group, with no instances. This is a valid configuration.

100% of the requests sent to that target group will always fail, so those requests will be greeted with 503 Service Unavailable.

Then add a second target group, the "real" one, with the instances attached, and configure the balancer to send only requests matching the desired Host to that group.

https://serverfault.com/a/868017/153161 is similar, but the opposite of this case, where the default group handles most requests, but the dummy/blackhole target group handles the requests you want to block, resulting in the same behavior -- the blocked requests are never sent to the instances.

Option 2.

Amazon Web Application Firewall (WAF) can also do this, by creating a string matching rule for comparison against the incoming request's Host header. WAF integrates with ALB.

This setup would probably mean an increased cost, since you would have to pay for WAF ($0.60 per million web requests, not currently available in all regions)... but if you are already using WAF on this ALB for other purposes (rate limiting, XSS, SQL, string matching, etc.), the cost of an additional rule would be neglible or zero, depending on the current configuration.

There's a misconception that your traffic goes "through" WAF, which it doesn't. ALB clones the first few KB from each request and sends a packet to WAF requesting a verdict on whether to allow the request or not. If it passes, the request is allowed, and WAF is not in the traffic loop. If it fails, ALB returns a 403. If ALB fails to get an answer from WAF at all (e.g. due to a systemic failure) the request is always allowed, which prevents WAF from being a point of failure.

Option 3. (h/t @ceejayoz)

Configure your web servers' virtual hosting behavior with default configuration to return an error response when an unexpected/unknown Host header in an incoming request. Your server should not respond favorably to such requests, as a matter of best practices.

These options are in no particular order.

Michael - sqlbot
  • 21,988
  • 1
  • 57
  • 81
  • 1
    Neat, that's a clever approach I hadn't thought of doing. – ceejayoz Jun 26 '18 at 17:05
  • This is exactly what I had started to do but wasn't sure if it was a good practice or not so started looking to see if there was another solution that would be better. Good to know I was going the right way with it. – JamieD Jun 27 '18 at 10:03
  • @JamieD updated. If there is an "official" answer, it is probably option 2, WAF... but any or all of these should be satisfactory. – Michael - sqlbot Jun 27 '18 at 12:07

If you are using cloudflare here is a terraform module you can use. https://github.com/orzarchi/terraform-aws-cloudflare-security-group

just update your ALB security group ID here https://github.com/orzarchi/terraform-aws-cloudflare-security-group/blob/master/vars.tf#L1-L3

and change how long the cron job will kick in to remove all other access besides cloudflare endpoints.

Then your EC2 will be fully protect.