
Fixed IP address for service behind aws application load balancer

Our company just moved to a new office and therefore also got new network equipment. As it turns out, our new firewall does not allow pushing routes over VPN that it first has to look up IP addresses for.

As we all know, Amazon AWS does not allow static IP addresses for its application load balancer.

So our idea was to simply put a network load balancer in front of the application load balancer. There is a pretty hacky way described by AWS itself ( https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/ ) that seemed to work fine (even if I don't really like the approach with the Lambda script registering and deregistering targets).

So here is our problem: as it turns out, the application load balancer only gets to see the network load balancer's IP address. This prevents us from using security groups for IP whitelisting, which we do quite heavily. On top of that, some of our applications (Nginx/PHP based) also do IP address verification, and the ALB used to pass the client's IP address as an X-Forwarded-For header. Now our application only sees the one from the NLB.

We know of the possibility to use the Global Accelerator, but that is a heavy investment as we don't really need what the GA is trying to solve.

So how did you guys solve this problem?

Thankful for any help:)

Greetings

You could get the list of AWS IP addresses for the region your ALB is located in, and allow them in your firewall. They do publish the list and you can filter through it: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

I haven't done this myself and I'm unsure if the addresses for ALB are included under the EC2 category, or whether you would take the whole of the AMAZON service "to be safe".
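To make the approach in this answer concrete, here is an added example (not code from the answerer or from AWS) that filters an ip-ranges.json style document by region and service, merges the resulting prefixes into a minimal rule list, and checks whether a given address falls inside it. The document shape (`prefixes` / `ipv6_prefixes` entries with `ip_prefix`, `region`, `service`, `network_border_group`) matches the published AWS file; the prefixes, regions and sync token embedded below are constructed sample data, not real AWS ranges, and the `firewall_rules` output format is a made-up placeholder for whatever your firewall actually consumes. Because the answer is unsure whether ALB addresses sit under `EC2` or only under `AMAZON`, the filter takes a tuple of services so both can be compared. Keep in mind when applying this that such a rule allows every customer of that region and service, not only your own ALB.

```python
import ipaddress
import json

# Constructed sample in the shape of the published AWS ip-ranges.json file.
# All prefixes, regions and the syncToken below are made up for this example.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "eu-central-1",
         "service": "AMAZON", "network_border_group": "eu-central-1"},
        {"ip_prefix": "192.0.2.0/25", "region": "eu-central-1",
         "service": "EC2", "network_border_group": "eu-central-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "eu-central-1",
         "service": "EC2", "network_border_group": "eu-central-1"},
    ],
})


def load_prefixes(doc_text, region, services=("EC2",)):
    """Return the IPv4 and IPv6 networks published for `region`
    under any of the given `services` (e.g. ("EC2",) or ("EC2", "AMAZON"))."""
    doc = json.loads(doc_text)
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry["region"] == region and entry["service"] in services:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in doc.get("ipv6_prefixes", []):
        if entry["region"] == region and entry["service"] in services:
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # Sort by IP version first; networks of one version compare naturally.
    return sorted(nets, key=lambda n: (n.version, n))


def collapse(nets):
    """Merge overlapping and adjacent networks so the rule list stays short.
    collapse_addresses() only accepts one IP version at a time, so split first."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(ip, nets):
    """True if `ip` lies inside any network of the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def firewall_rules(nets, dest_port=443):
    """Render one placeholder rule line per network (format is illustrative only)."""
    return [f"allow tcp to {n} port {dest_port}" for n in nets]


if __name__ == "__main__":
    # In production, fetch https://ip-ranges.amazonaws.com/ip-ranges.json,
    # compare its syncToken with the last one you applied, and re-run this
    # whenever it changes; the list is updated regularly.
    ec2_only = load_prefixes(SAMPLE_IP_RANGES, "eu-central-1")
    broad = collapse(load_prefixes(SAMPLE_IP_RANGES, "eu-central-1", ("EC2", "AMAZON")))
    print("EC2 only:   ", [str(n) for n in ec2_only])
    print("EC2+AMAZON: ", [str(n) for n in broad])
    for line in firewall_rules(broad):
        print(line)
    print("192.0.2.200 allowed under EC2 only?", is_allowed("192.0.2.200", ec2_only))
```

Running this against the real file rather than the sample is only a matter of replacing `SAMPLE_IP_RANGES` with the downloaded document text; track the `syncToken` so that rule changes can be reviewed rather than applied blindly.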

Can you expand on this? "We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve." GA should give you better, more consistent performance, especially if your office is far away from the AWS Region where the ALB is running.
