
I have a V2 ELB that is internet facing. It routes requests to instances in the VPC just fine when I connect to it from my laptop. However, when I try to connect to it from another instance inside the same VPC, the Security Group firewall rules block the connection.

The only way I can get the instances in the VPC to connect to the ELB is by opening the https port (443) to the world.

What am I doing wrong?

The ELB (https://elb.domain.com) has the following attrs:

  • Internet facing, V2 (not classic ELB)
  • VPC: vpc-aaa
  • AZs: subnet-a,subnet-b
  • Listeners: 443 -> 8080 instance port
  • source security group: my-vpc-elb, with inbound rules:
    • 443, source: 1.2.3.170/32 (my laptop IP)
    • 443, source: sg-a (the name of the sg that my vpc instance, that can't connect, is in)
    • 443, source: <CIDR of vpc-aaa, 1.2.0.0/16>

From my laptop I can put in https://elb.domain.com and things work fine.

I now have another instance with the following attrs that can NOT connect to https://elb.domain.com:

  • Subnet ID: subnet-a
  • Security Group: sg-a

Why does the ELB Security group rule of 443, source: sg-a not allow the connection? Why does it only work when I allow inbound "All traffic" on 443 in the ELB security group?

rynop
  • Very similar to: [Any way to configure AWS security group to allow private instances to access a public-facing Load Balancer?](http://stackoverflow.com/questions/30785695/any-way-to-configure-aws-security-group-to-allow-private-instances-to-access-a-p) – John Rotenstein Mar 02 '17 at 22:53
  • Traffic to a public-facing load balancer will always exit the VPC and come back in, so there is no way to open that up to specific security groups. If you're using a NAT you might be able to open it up to the public IP address of the NAT. – Mark B Mar 02 '17 at 23:49
  • @JohnRotenstein yea similar. However my instances have public IPs and can access the internet (as stated by me opening to world and it working). – rynop Mar 03 '17 at 15:30
  • @MarkB I think that may be the issue. Will try and report back. – rynop Mar 03 '17 at 15:31

1 Answer


Instances in a VPC, when connecting to a public-facing load balancer, will always exit the VPC and come back in from a public IP. In this scenario there is no way to lock inbound traffic by security group.

If the VPC instances trying to connect to the ELB do not need public IPs, you can simply set up an inbound rule on your ELB that only allows the source to be that of your VPC NAT Gateway(s).

If they do require public IPs, you are forced to specify the AWS VPC public IP range, or if you use EIP you can specify the EIP(s).

rynop
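The following is an added example, not code from the question or the answer above: a small model of how the inbound rules on the ELB's security group get evaluated depending on the path the client's traffic takes. It encodes the behaviour the answer describes (a connection to a public-facing load balancer leaves the VPC and arrives from a public IP, so a rule that references a security group can never match it, while a CIDR rule for the NAT gateway's EIP or the instance's own EIP can). The `Rule`/`Client` classes, the instance private IP `1.2.5.10`, and the public addresses `203.0.113.10` and `203.0.113.20` are constructed for the example; the three rules are the ones listed in the question. `nat_gateway_ingress` builds the `IpPermissions` entry shape that boto3's `authorize_security_group_ingress` accepts, and is the only part that touches a real AWS API format.

```python
# Added example: model of security-group evaluation on an internet-facing ELB.
# Rule/Client, the IPs and the NAT EIP are constructed; rules come from the question.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One inbound rule of the ELB security group: a CIDR or a security-group reference."""
    port: int
    cidr: Optional[str] = None        # e.g. "1.2.3.170/32"
    source_sg: Optional[str] = None   # e.g. "sg-a"


@dataclass(frozen=True)
class Client:
    """An instance opening a TCP connection to the load balancer."""
    port: int
    private_ip: str      # address on the instance's VPC ENI
    public_ip: str       # instance public IP / EIP, or the NAT gateway's EIP
    sg: str              # security group the instance's ENI belongs to
    via_internet: bool   # True when the target is the ELB's public address


def observed_source(client: Client) -> Tuple[str, Optional[str]]:
    """Return (ip, sg) as the load balancer's ENI sees the connection.

    Modelled behaviour (the point the answer makes): traffic to a public-facing
    ELB leaves the VPC and returns from a public IP, so the source security group
    is no longer attributable and only an IP-based rule can match. Traffic that
    stays inside the VPC (an internal load balancer) keeps private IP and SG.
    """
    if client.via_internet:
        return client.public_ip, None
    return client.private_ip, client.sg


def rule_matches(rule: Rule, client: Client) -> bool:
    if rule.port != client.port:
        return False
    ip, sg = observed_source(client)
    if rule.source_sg is not None:
        return sg == rule.source_sg
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)


def matching_rules(rules: List[Rule], client: Client) -> List[Rule]:
    return [r for r in rules if rule_matches(r, client)]


def allowed(rules: List[Rule], client: Client) -> bool:
    """Security groups are allow-lists: any matching inbound rule permits the connection."""
    return bool(matching_rules(rules, client))


def nat_gateway_ingress(nat_eip: str, port: int = 443) -> dict:
    """IpPermissions entry (boto3 authorize_security_group_ingress format) that
    admits only the NAT gateway's EIP, the fix the answer recommends when the
    client instances have no public IPs of their own."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": f"{nat_eip}/32", "Description": "VPC NAT gateway"}],
    }


# The three rules from the question.
QUESTION_RULES = [
    Rule(443, cidr="1.2.3.170/32"),   # laptop
    Rule(443, source_sg="sg-a"),      # the client instance's security group
    Rule(443, cidr="1.2.0.0/16"),     # VPC CIDR
]

NAT_EIP = "203.0.113.20"   # constructed (TEST-NET-3 range)

# Constructed clients: the same sg-a instance, reaching the ELB three different ways.
INSTANCE_VIA_INTERNET = Client(443, "1.2.5.10", "203.0.113.10", "sg-a", via_internet=True)
INSTANCE_VIA_NAT = Client(443, "1.2.5.10", NAT_EIP, "sg-a", via_internet=True)
INSTANCE_PRIVATE_PATH = Client(443, "1.2.5.10", "203.0.113.10", "sg-a", via_internet=False)

if __name__ == "__main__":
    print("public ELB, own public IP:", matching_rules(QUESTION_RULES, INSTANCE_VIA_INTERNET))
    print("public ELB, behind NAT, NAT rule added:",
          matching_rules(QUESTION_RULES + [Rule(443, cidr=f"{NAT_EIP}/32")], INSTANCE_VIA_NAT))
    print("private path (internal LB):", matching_rules(QUESTION_RULES, INSTANCE_PRIVATE_PATH))
```

Running it shows why the question's setup fails: with the public-facing ELB, the sg-a reference and the VPC CIDR rule both see `203.0.113.10` rather than `1.2.5.10`/sg-a, so nothing matches until either a `0.0.0.0/0` rule (what the asker had to do), the NAT gateway's `/32`, or the instance's own EIP `/32` is added. The same rules match as expected on the private path, which is the situation an internal load balancer would give.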