Frontend to Backend EC2 communication


I currently have 1 EC2 instance that hosts our react frontend server, using a godaddy registered domain and deployed with Route53, and 1 EC2 Instance that hosts a graphql backend server. Both EC2 instances are in the same region. The frontend instance is able to talk to the backend instance when I have the inbound rules of the backend security group set to HTTP/HTTPS and from anywhere IPv4. However, when I change the source to be just the Frontend EC2 security group, our frontend cannot send requests to our backend, and I am not sure why. I just want my frontend EC2 instance to have access to prevent users accessing our graphql server.

Backend EC2 instance security group inbound rules that work (they allow the frontend EC2 to send requests to our backend EC2 but expose the backend to the public):

  IPv4  HTTPS  TCP  443  0.0.0.0/0
  IPv4  HTTP   TCP  80   0.0.0.0/0

Backend EC2 instance security group inbound rules that are not working (restricting the frontend EC2 from sending requests to the backend EC2):

  IPv4  HTTPS  TCP  443  [Frontend EC2 security group]
  IPv4  HTTP   TCP  80   [Frontend EC2 security group]

  IPv4  HTTPS  TCP  443  [Frontend EC2 subnet IPv4]
  IPv4  HTTP   TCP  80   [Frontend EC2 subnet IPv4]

  IPv4  HTTPS  TCP  443  [Frontend EC2 public IPv4]
  IPv4  HTTP   TCP  80   [Frontend EC2 public IPv4]

Any help is much appreciated.

  • Are you sure that the frontend security group is attached to all the network interfaces of the frontend EC2 instance?

  • Yes, I only have 1 network interface with my frontend EC2 instance attached to it. Same for the backend EC2 instance.

  • I hope here you set up a backup on a public subnet; that's why when you change the source to 0.0.0.0/0, it's getting traffic. But can you check that HTTPS traffic is passed to the frontend first? Because you want HTTPS traffic to come from the frontend SG to the backend SG, and for this requirement the frontend SG should have that traffic within it. If HTTPS is not configured in the inbound of the frontend, then it will not be passed to the backend either.

  • Yes HTTPS is configured in the frontend as well. And no I didn't set a backup.

asked 4 months ago, 355 views

1 Answer

Sounds like both your backend and front end servers have public IP addresses and are in public subnets.

I’d move your backend server to a private subnet and only allow the front end private IP address in the security group on the backend server.

answered 4 months ago
  • I just tried this, and I get the same issue. I made the subnet of my backend EC2 instance private by associating it to a route table that has one route with the VPC IP as the destination and local as the target (no route connected to internet gateway). Even if all the inbound/outbound rules of the NACL and backend security group accept all traffic, the frontend EC2 is still not able to talk to the backend EC2 unless I add a route that points to an internet gateway.

  • Make sure your backend server doesn't have a public IP.

  • How will the frontend EC2 be able to talk to the backend server if it doesn't have a public IP? I host my backend on a subdomain through route53 (hosted at [subdomain]/graphql), and need the frontend EC2 to make requests to [subdomain]/graphql. I also need to use HTTPS for my backend to prevent CORS issues with my frontend domain.
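The behaviour behind the failing rule sets, as an added illustration (not code from the question, the answer, or AWS): a small model of how the backend's security group evaluates a request from the frontend. It assumes a constructed topology (a 10.0.0.0/16 VPC and example public IPs) and models the documented rule that a security-group reference or a VPC subnet CIDR only matches traffic arriving with the sender's private IP, whereas a request to the backend's public hostname leaves through the internet gateway and arrives from the frontend's public IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed lab topology (not the asker's real addresses): one VPC, both instances in
# public subnets with public IPs, as described in the question.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
FRONTEND_SUBNET = "10.0.1.0/24"

@dataclass
class Instance:
    sg: str                   # security group attached to the instance's only ENI
    private_ip: str
    public_ip: Optional[str]

@dataclass
class Rule:
    port: int
    source: str               # a CIDR, or a security-group id such as "sg-frontend"

def source_seen_by_backend(client: Instance, dest_ip: str) -> str:
    """Return the source address the backend's security group evaluates.
    A destination inside the VPC stays on the VPC fabric and keeps the client's private IP.
    A public destination (what a public Route53 record resolves to) hairpins through the
    internet gateway, which rewrites the source to the client's public IP."""
    if ipaddress.ip_address(dest_ip) in VPC_CIDR:
        return client.private_ip
    if client.public_ip is None:
        raise ConnectionError("no public IP and destination is outside the VPC")
    return client.public_ip

def rule_matches(rule: Rule, client: Instance, src_ip: str, port: int) -> bool:
    if rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # A group reference only matches traffic carrying the private IP of an ENI in that group.
        return client.sg == rule.source and src_ip == client.private_ip
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def backend_allows(rules: list, client: Instance, dest_ip: str, port: int) -> bool:
    src = source_seen_by_backend(client, dest_ip)
    return any(rule_matches(r, client, src, port) for r in rules)

FRONTEND = Instance("sg-frontend", "10.0.1.10", "203.0.113.10")
BACKEND = Instance("sg-backend", "10.0.2.20", "198.51.100.20")

if __name__ == "__main__":
    for label, rules in {"anywhere": [Rule(443, "0.0.0.0/0")], "frontend SG": [Rule(443, "sg-frontend")],
                         "frontend subnet": [Rule(443, FRONTEND_SUBNET)]}.items():
        print(label, "public IP:", backend_allows(rules, FRONTEND, BACKEND.public_ip, 443),
              "private IP:", backend_allows(rules, FRONTEND, BACKEND.private_ip, 443))
```

Pointing the frontend at the backend's private address (a Route53 private hosted zone, or a backend without a public IP in a private subnet, as the answer suggests) keeps the traffic inside the VPC so the group reference matches.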
