How do I limit access to my endpoints that are behind the AWS Global Accelerator?


I want to limit access to my endpoints by configuring security group rules on endpoints.

Short description

AWS Global Accelerator can have Application Load Balancers, Network Load Balancers, Amazon Elastic Compute Cloud (Amazon EC2) instances, or Elastic IP addresses as endpoints. How you limit access to these endpoints depends on whether the endpoint has source IP preservation turned on or off.

Resolution

Source IP preservation is on

When you use an internal Application Load Balancer or an EC2 instance as a Global Accelerator endpoint, client IP address preservation is always turned on for that endpoint. For an internet-facing Application Load Balancer endpoint, client IP address preservation is turned on by default for new accelerators. In this setup, the endpoints see the real client IP addresses instead of the Global Accelerator's IP addresses. You can limit access to these endpoints as follows:

  • Configure the security groups on the endpoints to allow connections only from known client IP addresses.
  • Launch the endpoint in a private subnet so that clients can reach the endpoint only through Global Accelerator.

Source IP preservation is off

You have the option to turn off client IP address preservation when you use one of the following as an endpoint:

  • an external-facing Application Load Balancer
  • a Network Load Balancer
  • an Elastic IP address

In this setup, the endpoint only sees Global Accelerator’s IP addresses.

Because Global Accelerator connects to your endpoint from a range of IP addresses, create a prefix list that contains Global Accelerator's IP ranges. A prefix list is a set of one or more CIDR blocks that you can reference in your VPC security group rules to restrict access.

Install the necessary tools to create a custom prefix list. Then, reference the prefix list in a security group rule so that the endpoint accepts connections only when they originate through AWS Global Accelerator.

Install the tools

Install the following tools to build the custom prefix list:

  1. Install the AWS CLI with the correct security credentials and access settings.
    Note: If you receive errors when running the CLI commands, make sure that you're using the most recent version of AWS CLI.

  2. Install 'jq' on Amazon Linux 2. Run:

    sudo yum install -y jq
    
  3. Install aggregate6 from GitHub (a Python tool that merges overlapping and adjacent CIDR blocks):

    sudo yum install -y python3 python3-devel python-pip
    pip3 install --user aggregate6  
    

Create a custom prefix list

AWS publishes its current IP address ranges in ip-ranges.json.

  1. Identify the IP address ranges that are associated with AWS Global Accelerator's edge servers. In ip-ranges.json, these are the entries whose service is GLOBALACCELERATOR and whose region is not GLOBAL.

  2. Compress the list to generate aggregated IP prefixes, and pass the result as the --entries argument to create a custom prefix list:

    aws ec2 create-managed-prefix-list \
        --prefix-list-name <name-of-prefix-list> \
        --address-family ipv4 \
        --max-entries 99 \
        --entries=$(curl -s https://ip-ranges.amazonaws.com/ip-ranges.json \
            | jq -r '.prefixes[] | select(.service == "GLOBALACCELERATOR") | select(.region != "GLOBAL") | .ip_prefix' \
            | aggregate6 \
            | jq -R -M '{"Cidr": .}' \
            | jq -s -c -M)
    

    Note: Replace <name-of-prefix-list> with the name of your list.

  3. Review the output. It should look similar to this:

    {
        "PrefixList": {
            "PrefixListId": "pl-0abcde123456789",
            "AddressFamily": "IPv4",
            "State": "create-in-progress",
            "PrefixListArn": "arn:aws:ec2:us-east-1:1234567890:prefix-list/pl-0abcde123456789",
            "PrefixListName": "aga-regional-all",
            "MaxEntries": 99,
            "Version": 1,
            "Tags": [],
            "OwnerId": "1234567890"
        }
    }
    
  4. View the IP addresses in this prefix list as follows:

    aws ec2 get-managed-prefix-list-entries --prefix-list-id <prefix-list-id>

    Note: Replace <prefix-list-id> with the ID of your list.
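The following script is an added example, not part of the AWS article, that reproduces the curl | jq | aggregate6 pipeline above offline with the Python standard library: it filters ip-ranges.json the same way the jq expression does (service GLOBALACCELERATOR, region not GLOBAL), merges adjacent and overlapping blocks the way aggregate6 does, enforces the --max-entries limit before you call create-managed-prefix-list, and checks whether a given connection source address falls inside the resulting ranges. The embedded ip-ranges.json document is a constructed sample with documentation addresses (RFC 5737), not AWS's published ranges; fetch the real file from https://ip-ranges.amazonaws.com/ip-ranges.json when you run this for real.

```python
"""Build a Global Accelerator prefix-list entry set from ip-ranges.json.

Added example (not AWS's own code). Uses only the standard library so it
runs offline against the constructed sample below; pass the real
ip-ranges.json text to the same functions in practice.
"""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json. The two adjacent /24s
# exist to show aggregation; the GLOBAL entry and the AMAZON entry exist to
# show that the filter drops them, exactly as the article's jq filter does.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.3.0/24", "region": "us-east-1",
         "service": "GLOBALACCELERATOR", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1",
         "service": "GLOBALACCELERATOR", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def global_accelerator_prefixes(ip_ranges_json):
    """Same selection as the article's jq filter: keep prefixes whose service
    is GLOBALACCELERATOR and whose region is anything other than GLOBAL."""
    doc = json.loads(ip_ranges_json)
    return [
        p["ip_prefix"]
        for p in doc["prefixes"]
        if p["service"] == "GLOBALACCELERATOR" and p["region"] != "GLOBAL"
    ]


def aggregate(cidrs):
    """Equivalent of aggregate6: merge adjacent and overlapping IPv4 networks
    into the smallest covering set, returned sorted by network address."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    nets = [n for n in nets if n.version == 4]  # the prefix list is --address-family ipv4
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def prefix_list_entries(cidrs, max_entries=99):
    """Build the --entries structure and refuse to exceed the prefix list's
    --max-entries, which create-managed-prefix-list would otherwise reject."""
    entries = [{"Cidr": c} for c in cidrs]
    if len(entries) > max_entries:
        raise ValueError(
            f"{len(entries)} entries exceed --max-entries {max_entries}; "
            "raise the limit when you create the prefix list"
        )
    return entries


def entries_argument(cidrs, max_entries=99):
    """Compact JSON string in the form the article passes to --entries."""
    return json.dumps(prefix_list_entries(cidrs, max_entries), separators=(",", ":"))


def source_is_global_accelerator(source_ip, cidrs):
    """True if a connection's source address lies inside the aggregated ranges,
    i.e. a security group rule sourced from this prefix list would admit it."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    raw = global_accelerator_prefixes(SAMPLE_IP_RANGES)
    merged = aggregate(raw)
    print("selected:", raw)
    print("aggregated:", merged)
    print("--entries", entries_argument(merged))
    for ip in ("192.0.3.7", "198.51.100.200", "203.0.113.5"):
        print(ip, "admitted" if source_is_global_accelerator(ip, merged) else "blocked")
```

The aggregation matters for two reasons: it keeps the entry count under the prefix list's --max-entries, and it is why a source address such as 192.0.3.7 is matched by the merged 192.0.2.0/23 entry even though no single original block is 192.0.2.0/23. The published ranges change over time, so regenerate the entries periodically and apply the difference with `aws ec2 modify-managed-prefix-list` (its --add-entries and --remove-entries options take the same {"Cidr": ...} objects) rather than leaving a stale list in the security group.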

Add the custom prefix list to the security group

Specify the prefix list that you created earlier as the source for an inbound rule on the security group that's associated with the accelerator's endpoint. For more information about referencing a prefix list in a security group, see VPC security groups.

Related information

Location and IP address ranges of Global Accelerator Edge servers

Group CIDR blocks using managed prefix lists

AWS OFFICIAL, updated a year ago