修复了 AWS 应用程序负载均衡器后面的服务的 IP 地址
[英]Fixed IP address for service behind aws application load balancer
问题描述
our company just moved to a new office and therefore also got new network equipment.
我们公司刚搬到新办公室,因此也获得了新的网络设备。 Es it turns out, our new firewall does not allow pushing routes over VPN that it first has to look up ip addresses for.事实证明,我们的新防火墙不允许通过 VPN 推送路由,它首先必须查找 ip 地址。
As we all know, amazon aws does not allow static ip addresses for its application load balancer.众所周知,亚马逊 AWS 不允许其应用负载均衡器使用 static ip 地址。
So our idea was to simply put a network load balancer in front of the application load balancer (there is a pretty hacky way described by aws itself ( https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/ ) that seemed to work fine (even if I don't really like the approach with the lambda script registering and deregistering targets)所以我们的想法是简单地在应用程序负载均衡器前面放置一个网络负载均衡器(aws 本身描述了一种非常 hacky 的方式( https://aws.amazon.com/blogs/networking-and-content-delivery/ using-static-ip-addresses-for-application-load-balancers/ )似乎工作正常(即使我不太喜欢使用 lambda 脚本注册和注销目标的方法)
So here is our problem: as it turns out, the application load balancer only gets to see the network load balancers ip address.所以这是我们的问题:事实证明,应用程序负载均衡器只能看到网络负载均衡器 ip 地址。 This prevents us to use security groups for ip whitelisting which we do quite heavily.这阻止了我们将安全组用于 ip 白名单,我们非常重视。 On top of that some of our applications (Nginx/PHP based) also do ip address verification and the alb used to pass the clients ip address as an x-forwarded-for header.除此之外,我们的一些应用程序(基于 Nginx/PHP)还进行 ip 地址验证和用于将客户端 ip 地址作为 x-forwarded-for Z099FB995346F31C749F6E40EDB303 传递的 alb。 Now our application only sees the one from the nlb.现在我们的应用程序只能看到来自 nlb 的那个。
We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve.我们知道使用全球加速器的可能性,但这是一项巨大的投资,因为我们并不真正需要 GA 试图解决的问题。
So how did you guys solve this problem?那么你们是如何解决这个问题的呢?
Thankful for any help:)感谢您的帮助:)
Greetings问候
2 个解决方案
解决方案1
0 2020-12-01 08:38:52
You could get the list of AWS IP addresses for the region your ALB is located, and allow for them in your firewall.您可以获得 ALB 所在区域的 AWS IP 地址列表,并在防火墙中允许它们。 They do publish the list and you can filter through it https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html他们确实发布了列表,您可以通过它过滤https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
I haven't done this myself and I'm unsure if the addresses for ALB are included under the EC2 category of you would take the whole of AMAZON service "to be safe".我自己没有这样做,我不确定 ALB 的地址是否包含在您的 EC2 类别下,是否会“确保安全”整个亚马逊服务。
解决方案2
0 2020-12-01 16:22:51
Can you expand on this?你能扩展一下吗? "We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve." “我们知道使用全球加速器的可能性,但这是一项巨额投资,因为我们并不真正需要 GA 试图解决的问题。” GA should give you better, more consistent performance, especially if your office is far away from the AWS Region where the ALB is running GA 应该为您提供更好、更一致的性能,尤其是当您的办公室远离运行 ALB 的 AWS 区域时
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.