How to connect to an internet-facing Application Load Balancer using its internal IP addresses


How can I connect to an internet-facing Application Load Balancer using its internal IP addresses?

Situation:

  • Multi-Account Setup using a centralized Network Account
  • Within the Network Account, there is an internet-facing Application Load Balancer used for our IdP / PingFederate
  • Applications hosted in AWS should connect to IdP / Application Load Balancer using its internal IP addresses

Issue:

  • I am not able to find a way to resolve the internal IP addresses of the internet-facing Application Load Balancer using a comfortable approach

What I tested:

  1. Utilized the Route53 "Default .2 Resolver" -> Issue: it resolved only to the public IPs of the ALB
  2. Created a Private Hosted Zone with my IdP's URL and created an A Record Alias to my ALB -> Issue: again, it resolved only to the public IPs of the ALB
  3. Created a Private Hosted Zone with my IdP's URL and created an A Record with the internal IPs of the ALB's ENIs -> Issue: the internal IP addresses of an ALB may change, hence this is a setup where I need additional coding (e.g. running a Lambda every few minutes to update my PHZ entries)

Looking for any input that may help.

1 Answer

Accepted Answer

You can create an internal NLB and configure the ALB as the target; the NLB would give you static IPs:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html

AWS
EXPERT
answered 23 days ago
EXPERT
reviewed 6 days ago
  • Are there any other recommendations that do not lead to the additional cost of one NLB per stage?

  • Quick update: We are now using this solution. Background: We use an NLB in our setup anyway to have static IPs for the on-prem firewall. Now we have two communication flows. A) Internet -> ALB -> NLB (Port 444) -> On-Prem IdP; B) AWS resource -> NLB (Port 443) -> ALB -> same NLB (Port 444) -> On-Prem IdP. We utilize a Route53 Private Hosted Zone to resolve the IdP domain to the NLB's internal IPs. Thanks Thushar!
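The setup from the accepted answer and the follow-up comment (internal NLB with the internet-facing ALB as its target, plus a private hosted zone that points the IdP name at the NLB's static private IPs), written out as an added Terraform example. This is not code from the original post or from AWS; `var.vpc_id`, `var.private_subnet_ids`, `var.idp_fqdn`, `var.existing_alb_arn`, the resource names and the health-check path are placeholders, and it assumes both load balancers live in the same VPC and account (the central Network Account described in the question).

```hcl
# Added example, not from the original post. All var.* values are assumed placeholders.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "idp_fqdn"           { type = string }   # e.g. idp.example.com (assumed)
variable "existing_alb_arn"   { type = string }   # ARN of the existing internet-facing ALB

# Internal NLB: its private IPs are static for the life of the load balancer,
# which is what the ALB's own ENI addresses do not give you.
resource "aws_lb" "idp_internal" {
  name               = "idp-internal-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

# Target group of type "alb": the NLB passes TCP straight through to the
# ALB's 443 listener, so TLS still terminates on the ALB with its own certificate.
resource "aws_lb_target_group" "alb_target" {
  name        = "idp-alb-target"
  target_type = "alb"
  protocol    = "TCP"
  port        = 443
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "443"
    path     = "/"          # assumed; use the IdP's real health endpoint
    matcher  = "200-399"
  }
}

resource "aws_lb_target_group_attachment" "alb" {
  target_group_arn = aws_lb_target_group.alb_target.arn
  target_id        = var.existing_alb_arn
  port             = 443
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.idp_internal.arn
  protocol          = "TCP"
  port              = 443

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb_target.arn
  }
}

# Private hosted zone for the same IdP name: inside the VPC it resolves to the
# internal NLB, while public resolvers keep returning the ALB's public IPs.
resource "aws_route53_zone" "idp_private" {
  name = var.idp_fqdn
  vpc {
    vpc_id = var.vpc_id
  }
}

resource "aws_route53_record" "idp" {
  zone_id = aws_route53_zone.idp_private.zone_id
  name    = var.idp_fqdn
  type    = "A"
  alias {
    name                   = aws_lb.idp_internal.dns_name
    zone_id                = aws_lb.idp_internal.zone_id
    evaluate_target_health = true
  }
}
```

Three things to check before relying on this path: the ALB's security group must allow inbound 443 from the private subnets the clients sit in, because an NLB forwarding to an ALB target preserves the client's source IP rather than presenting the NLB's; the target group port must match an existing ALB listener port; and VPCs in the other accounts of the multi-account setup only resolve the name after they have been associated with the private hosted zone. Because the NLB is TCP passthrough, the certificate served by the ALB must cover the name in the private zone, which here is the same IdP FQDN, so no second certificate is needed.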
