Restrict Access to Your Elastic Beanstalk Domain While Using an ALB

0

I'm hosting an application on AWS Elastic Beanstalk (EB) in a private subnet. The security group (sg-1) for EB is configured to block all public access, which works as expected when I try to access the EB default URL from the public internet—it's blocked.

Now, I've added an external Application Load Balancer (ALB) to the setup. I updated the security group (sg-1) to allow access only from the ALB's private IP range (e.g., 15.0.1.1/16). When I access the application via the ALB's domain URL, it works fine.

However, the issue is that the EB default URL is still accessible from the public internet, even though I restricted the security group to only allow access from the private IP range. What might be the reason behind it? Is there anything configured wrong on my side?

Note: The application is hosted across a minimum of two availability zones.

How can I ensure that the application hosted on EB is only accessible through the ALB and not directly via the EB default URL?

3 Answers
1
Accepted Answer

Hello,

Incorrect Security Group Configuration:

  • Double-check inbound rules: Ensure that the security group (sg-1) only allows traffic from the ALB's private IP range on port 80 (or 443 for HTTPS).

Follow this document: https://trycatchdebug.net/news/1367145/elasticbeanstalk-alb-access-restriction

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
1

On a side note, 15.0.*.* are not private IP addresses. They are public IPs, registered in this case to HP Inc. (https://search.arin.net/rdap/?query=15.0.0.0).

For your VPC's IPv4 addressing, you should normally use IP addresses reserved for private use in RFC 1918. They include these ranges:

  • 10.0.0.0/8 (=10.0.0.0 through 10.255.255.255)
  • 172.16.0.0/12 (=172.16.0.0 ... 172.31.255.255)
  • 192.168.0.0/16 (=192.168.0.0 ... 192.168.255.255)

For example, 10.15.0.0/16 or 10.15.192.0/20 would be valid private IP ranges for your VPC, but 15.anything is not. There's more detailed discussion and advice in this documentation article: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html

EXPERT
Leo K
answered 2 months ago
EXPERT
reviewed 2 months ago
  • All those IPs are valid, but they're not Elastic IPs, so they can't be used to route traffic directly to the public internet. To access the internet, you'll need a NAT Gateway or an instance with an Elastic IP. While you can choose any IP range, I also recommend using RFC 1918 ranges for internal IPs. It's also stated in the documentation Leo shared: "We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the internet from your VPC's CIDR block, including a publicly-routable CIDR block. You must set up internet access through a gateway; for example, an internet gateway, virtual private gateway, a AWS Site-to-Site VPN connection, or AWS Direct Connect."

  • That's only half the story. When you use public IP addresses belonging to someone else in your VPC, those same IPs will be permitted on the public internet and accepted as such by AWS's services. IP address restrictions, addresses reflected in logs, and so on will consider the public IP addresses as valid when used by their legitimate holder, whenever they appear outside the VPC where they are configured as local. Also, using someone else's IPs as internal ones effectively prevents them from connecting to resources inside the VPC, so it is not correct to consider such use as "valid".

  • Thanks for the info, it helps.

1

Adding some possible solutions in addition to NARRAVULA's comment.

Solution:

  1. Use a Private EB Environment: Host your EB environment in a private subnet with a private ELB. You can follow the guide here.
  2. Restrict Security Groups: Configure your EB security group to only allow traffic from your custom ALB. See the documentation. (+1 NARRAVULA, double check this)

Additionally, for your EB environment in a private subnet to reach the internet, you can use a NAT Gateway in a public subnet or VPC interface endpoints. Learn more about setting up NAT Gateways and interface endpoints.

These steps will ensure your application is only accessible through your custom ALB.

AWS
emned
answered 2 months ago
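A way to verify the two points raised in this thread (the EB security group admitting only the ALB, and Leo K's note that 15.0.0.0/16 is not RFC 1918 space) is to audit the group's inbound rules. The script below is an added example, not code from the question or any answer; it works on a constructed dict in the shape of `aws ec2 describe-security-groups` output, and the group ids `sg-1` (from the question) and `sg-alb-example` (assumed) are sample values.

```python
import ipaddress

# RFC 1918 private ranges (the three blocks Leo K lists above).
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of describe-security-groups output, not real data:
# one rule trusts 15.0.1.1/16 as if private, one references the ALB's SG, one opens SSH.
SAMPLE_SG = {
    "GroupId": "sg-1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "15.0.1.1/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb-example"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.15.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

def classify_cidr(cidr):
    """'open' for 0.0.0.0/0, 'rfc1918' for a private block, otherwise 'public'."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits (15.0.1.1/16)
    if net.prefixlen == 0:
        return "open"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    return "public"

def audit_ingress(sg, alb_sg_id):
    """Return (ports, source, problem) for each inbound rule whose source is neither
    the ALB's security group nor an RFC 1918 CIDR; [] means only intended sources."""
    findings = []
    for perm in sg["IpPermissions"]:
        ports = f'{perm["IpProtocol"]}/{perm["FromPort"]}-{perm["ToPort"]}'
        for rng in perm.get("IpRanges", []):
            kind = classify_cidr(rng["CidrIp"])
            if kind == "open":
                findings.append((ports, rng["CidrIp"], "open to the internet"))
            elif kind == "public":
                findings.append((ports, rng["CidrIp"], "publicly routable, not RFC 1918"))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg_id:
                findings.append((ports, pair["GroupId"], "not the ALB's security group"))
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_SG, "sg-alb-example"):
        print(*finding, sep="  ")
```

Referencing the ALB's security group as the rule source, rather than a CIDR, keeps the rule correct even when the load balancer's private addresses change.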
