Hello,
Incorrect Security Group Configuration:
- Double-check inbound rules: Ensure that the security group (sg-1) only allows traffic from the ALB's private IP range on port 80 (or 443 for HTTPS).
Follow this document: https://trycatchdebug.net/news/1367145/elasticbeanstalk-alb-access-restriction
On a side note, 15.0.*.* are not private IP addresses. They are public IPs, registered in this case to HP Inc. (https://search.arin.net/rdap/?query=15.0.0.0).
For your VPC's IPv4 addressing, you should normally use IP addresses reserved for private use in RFC 1918. They include these ranges:
- 10.0.0.0/8 (=10.0.0.0 through 10.255.255.255)
- 172.16.0.0/12 (=172.16.0.0 ... 172.31.255.255)
- 192.168.0.0/16 (=192.168.0.0 ... 192.168.255.255)
For example, 10.15.0.0/16 or 10.15.192.0/20 would be valid private IP ranges for your VPC, but 15.anything is not. There's more detailed discussion and advice in this documentation article: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html
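To make the RFC 1918 check above concrete, here is a small validator written for this thread (it is added example code, not from the answer or from AWS). It uses only the Python standard library's `ipaddress` module and tells you whether a candidate VPC CIDR lies entirely inside one of the three private-use ranges; the 15.0.0.0/16 block from the question and the 172.32.0.0/16 block (one past the 172.16/12 range) are constructed sample inputs that both fail the check:

```python
import ipaddress

# The three RFC 1918 private-use ranges listed in the answer above.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_vpc_cidr(cidr: str) -> str:
    """Classify a VPC CIDR string.

    Returns one of:
      "invalid"      - not a well-formed CIDR, or host bits are set
                       (AWS requires the network address, e.g. 10.15.0.0/16
                       rather than 10.15.0.1/16)
      "not IPv4"     - an IPv6 block; RFC 1918 does not apply
      "rfc1918"      - the whole block is inside one RFC 1918 range
      "not-rfc1918"  - a block that is publicly routable (or otherwise
                       reserved), such as 15.0.0.0/16 from the question
    """
    try:
        net = ipaddress.ip_network(cidr)  # strict=True by default
    except ValueError:
        return "invalid"
    if net.version != 4:
        return "not IPv4"
    # subnet_of() is True only if *every* address in net falls in the range,
    # so a block that straddles a boundary (e.g. 172.0.0.0/8) is rejected.
    if any(net.subnet_of(private) for private in RFC1918_NETWORKS):
        return "rfc1918"
    return "not-rfc1918"


def check_many(cidrs):
    """Return {cidr: classification} for a list of candidate blocks."""
    return {c: check_vpc_cidr(c) for c in cidrs}


if __name__ == "__main__":
    # Constructed sample inputs for this thread.
    candidates = [
        "15.0.0.0/16",      # HP Inc.'s public space, per the answer above
        "10.15.0.0/16",     # valid private choice from the answer
        "10.15.192.0/20",   # valid private choice from the answer
        "172.32.0.0/16",    # looks private but is one block past 172.16/12
        "10.15.192.1/20",   # host bits set: AWS would reject this
    ]
    for cidr, verdict in check_many(candidates).items():
        print(f"{cidr:18} {verdict}")
```

Run it before creating a VPC (or feed it the CIDRs from `aws ec2 describe-vpcs` output) to catch a non-private block early; AWS will happily create a VPC with 15.0.0.0/16, so nothing on the AWS side stops you.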
All those IPs are valid, but they're not Elastic IPs, so they can't be used to route traffic directly to the public internet. To access the internet, you'll need a NAT Gateway or an instance with an Elastic IP. While you can choose any IP range, I as well recommend using RFC 1918 ranges for internal IPs. It's also stated in the documentation Leo shared: We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the internet from your VPC's CIDR block, including a publicly-routable CIDR block. You must set up internet access through a gateway; for example, an internet gateway, virtual private gateway, an AWS Site-to-Site VPN connection, or AWS Direct Connect.
That's only half the story. When you use public IP addresses belonging to someone else in your VPC, those same IPs will be permitted on the public internet and accepted as such by AWS's services. IP address restrictions, addresses reflected in logs, and so on will consider the public IP addresses as valid when used by their legitimate holder, whenever they appear outside the VPC where they are configured as local. Also, using someone else's IPs as internal ones effectively prevents them from connecting to resources inside the VPC, so it is not correct to consider such use as "valid".
Thanks for the info, it helps.
Adding some possible solutions in addition to NARRAVULA's comment.
Solution:
- Use a Private EB Environment: Host your EB environment in a private subnet with a private ELB. You can follow the guide here.
- Restrict Security Groups: Configure your EB security group to only allow traffic from your custom ALB. See the documentation. (+1 NARRAVULA, double check this)
Additionally, for your EB environment in a private subnet, to reach internet you can use a NAT Gateway in a public subnet or VPC interface endpoints. Learn more about setting up NAT Gateways and interface endpoints.
These steps will ensure your application is only accessible through your custom ALB.
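The "restrict security groups" step above is easy to get wrong when an old `0.0.0.0/0` rule is left next to the new ALB rule. The following audit script is an added example for this thread (not from the answer, AWS, or Elastic Beanstalk); it walks a security group's inbound rules and flags every source that is neither the ALB's security group nor inside the ALB subnets' private CIDRs. The `SAMPLE_SG` dict is constructed to mirror the shape of `boto3`'s `describe_security_groups()` output, and the `sg-...` ids and 10.15.x.x subnets are hypothetical values:

```python
import ipaddress

# Hypothetical identifiers for this example.
ALB_SG_ID = "sg-0alb00000000000a"
ALB_SUBNET_CIDRS = [
    ipaddress.ip_network("10.15.0.0/24"),
    ipaddress.ip_network("10.15.1.0/24"),
]

# Constructed sample: one entry from describe_security_groups()["SecurityGroups"].
SAMPLE_SG = {
    "GroupId": "sg-0eb000000000000b",
    "GroupName": "eb-instances",
    "IpPermissions": [
        # Leftover rule from the default EB setup: open to the world.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # Correct rule: only the ALB's security group may reach port 80.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
        # Acceptable alternative: the ALB subnet's private CIDR on 443.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.15.0.0/24"}], "UserIdGroupPairs": []},
        # SSH from an unrelated public address (203.0.113.0/24 is documentation space).
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}], "UserIdGroupPairs": []},
    ],
}


def _port_label(perm):
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm.get('FromPort')}-{perm.get('ToPort')}/{perm.get('IpProtocol')}"


def audit_inbound_rules(sg, alb_sg_id, alb_cidrs):
    """Return a list of violation strings: inbound sources other than the ALB.

    A source is acceptable if it is the ALB's security group id, or a CIDR
    that lies entirely within one of the ALB subnets' ranges.
    """
    violations = []
    for perm in sg.get("IpPermissions", []):
        ports = _port_label(perm)
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not any(cidr.subnet_of(allowed) for allowed in alb_cidrs):
                violations.append(f"{sg['GroupId']}: {cidr} allowed on {ports}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != alb_sg_id:
                violations.append(
                    f"{sg['GroupId']}: group {pair.get('GroupId')} allowed on {ports}")
        # IPv6 sources are never the internal ALB, so any of them is a finding.
        for rng in perm.get("Ipv6Ranges", []):
            violations.append(f"{sg['GroupId']}: {rng['CidrIpv6']} allowed on {ports}")
    return violations


if __name__ == "__main__":
    for v in audit_inbound_rules(SAMPLE_SG, ALB_SG_ID, ALB_SUBNET_CIDRS):
        print("VIOLATION", v)
```

To run it against a real account, replace `SAMPLE_SG` with the dict returned by `boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"][0]`; the audit logic is unchanged. Referencing the ALB's security group id rather than its subnet CIDRs is the more robust option, because the ALB's private IPs change over time within those subnets.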
Will check and get back on this, thanks.
Yeah, check it once.