0

I'm hosting an application on AWS Elastic Beanstalk (EB) in a private subnet. The security group (sg-1) for EB is configured to block all public access, which works as expected when I try to access the EB default URL from the public internet—it's blocked.

Now, I've added an Application Load Balancer (ALB) to the setup. I updated the security group (sg-1) to allow access only from the ALB's private IP range (e.g., 15.0.1.1/16). When I access the application via the ALB's domain URL, it works fine.

However, the issue is that the EB default URL is still accessible from the public internet, even though I restricted the security group to only allow access from the private IP range. what might the reason behind it is there is anything configured wrong form my side ?

Note: The application is hosted across a minimum of two availability zones.

How can I ensure that the application hosted on EB is only accessible through the ALB and not directly via the EB default URL?

Improve this question

1 Answer 1

Reset to default
0

I'm hosting an application on AWS Elastic Beanstalk (EB) in a private subnet. The security group (sg-1) for EB is configured to block all public access, which works as expected when I try to access the EB default URL from the public internet—it's blocked.

It was probably blocked anyway, since it was in a private subnet. There was no network route from the Internet to the server(s) in the private subnets.

However, the issue is that the EB default URL is still accessible from the public internet, even though I restricted the security group to only allow access from the private IP range. what might the reason behind it is there is anything configured wrong form my side ?

When you add a load balancer to your Elastic Beanstalk environment, the EB default URL will start resolving to the Application Load Balancer, instead of one of your individual EC2 instances anymore. An Application Load Balancer also has a security group, just like the EC2 instances. So you need to configure the inbound rules of the load balancer's security group to only allow the traffic you want.

I updated the security group (sg-1) to allow access only from the ALB's private IP range (e.g., 15.0.1.1/16). When I access the application via the ALB's domain URL, it works fine.

The ALB's IP addresses may change. I'm not sure what private IP range you are using here, unless it's all the CIDR blocks of the subnets the ALB is deployed to. The "more correct" way of accomplishing this is to have an inbound rule in the EC2 instance's security group that allows traffic from the security group ID of the ALB's security group.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

HI @Mark , we are planning to deploy ALB directly in our application as internet facing which is hosted in public subnet , how can we restrict the DNS resolution as you mentioned " the EB default URL will start resolving to the Application Load Balancer"
You can't restrict "DNS resolution". You can restrict network connections via the security group attached to the load balancer, as I mentioned already in my answer.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.