How to set up Gateway/Subnet and/or Cognito, EC2 so that the application can be accessed via UID/PW


Hi,

I have set up my EC2 and have a React application running on Docker. The application works as expected when called by http://<public EC2 IP>/app-Page.

I have also set up Cognito with User/PW, App-Client, Domain. The Cognito authentication functionality works with the URI https://<your domain>/oauth2/authorize?lang=en&response_type=code&client_id=<your app client id>&redirect_uri=https://example.com/callback. I have not yet set my EC2 app URI as the callback because it requires https, as opposed to what I have, i.e. http.

At this point I have only one Route table.

  1. My first question is: should I be removing the internet gateway from this route table, i.e. the route table for the subnet containing my EC2 instance?

  2. What would be the AWS setup that I would need to do so that my request reaches the EC2 on a private EC2 IP? Some path by which my public request can get to the EC2 and get a response.

Something like API Gateway (type: ?) > Cognito > VPC endpoint (type: EC2 Instance Connect Endpoint) > private subnet > EC2. Another way of putting this would be: what would be the first entry point of my request in the AWS cloud, and how would it progress to EC2?

I am a newbie so, I apologize in advance if this question sounds dumb.

Regards, Prakash

2 Answers
Accepted Answer

Hello.

My first question is, Should I be removing the internet-gateway from this route table, i.e. the route table for the subnet containing my EC2 instance.

As of December 2024, Cognito does not support VPC endpoints, so authentication cannot be performed if there is no connection route to the Internet.
Therefore, if you place EC2 in a private subnet, you will need to use a NAT Gateway to allow Cognito and your application to communicate.

What would be the AWS setups that I would need to do so that my request reaches the EC2 on a private EC2 IP. Some path that my public request can get to the EC2 & respond.

If it is possible to use ALB, I think it would be easy to configure by linking Cognito to ALB and performing authentication.
Since private EC2 cannot be directly accessed, a public ALB is placed and the application is accessed via the ALB.
At that time, you can easily authenticate by linking Cognito to ALB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

The connection path from the user to the application is as follows.
If you use API Gateway, I think the answer is as per re:Post Agent.

User -> ALB -> Cognito -> Call Back (ALB) -> EC2
EXPERT, answered a month ago; reviewed by an EXPERT a month ago
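The ALB-with-Cognito path the answer describes, written out as Terraform. This is an added example, not code from the answer or from AWS; every variable value (VPC, subnet, instance, ACM certificate and Cognito identifiers) is a placeholder you supply, and the app is assumed to listen on port 80 inside the VPC.

```hcl
# Added example: public ALB that authenticates each request with Cognito and
# only then forwards it to the EC2 instance in the private subnet.
variable "vpc_id"              { type = string }
variable "public_subnet_ids"   { type = list(string) }
variable "alb_sg_id"           { type = string } # allows 443 in from the Internet
variable "app_instance_id"     { type = string } # EC2 host in the private subnet
variable "acm_certificate_arn" { type = string } # cert for your domain from ACM
variable "user_pool_arn"       { type = string }
variable "user_pool_client_id" { type = string } # Cognito app client id
variable "user_pool_domain"    { type = string } # Cognito domain prefix

resource "aws_lb" "app" {
  name               = "app-alb"
  load_balancer_type = "application"
  security_groups    = [var.alb_sg_id]
  subnets            = var.public_subnet_ids
}

# Plain HTTP inside the VPC is acceptable here: TLS terminates at the ALB.
resource "aws_lb_target_group" "app" {
  name     = "app-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = var.app_instance_id
  port             = 80
}

# Action 1 sends users without a valid session to the Cognito hosted UI;
# action 2 forwards requests that come back with a valid session cookie.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn       = var.user_pool_arn
      user_pool_client_id = var.user_pool_client_id
      user_pool_domain    = var.user_pool_domain
    }
  }
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

The Cognito app client must list https://<your domain>/oauth2/idpresponse as a callback URL, since that is the path the ALB uses to receive the authorization code; add an HTTP listener that redirects to 443 if you also want port 80 reachable.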

To set up your application so it can be accessed securely with user authentication, you'll need to make some changes to your current setup. Here's a step-by-step approach:

  1. Regarding your first question, you should not remove the Internet Gateway from the route table of the subnet containing your EC2 instance. Instead, you should create a new private subnet for your EC2 instance and move it there.

  2. To securely expose your application, you'll need to set up the following:

    a. Create a public subnet and a private subnet in your VPC.
    b. Move your EC2 instance to the private subnet.
    c. Set up a NAT Gateway in the public subnet to allow outbound internet access for your EC2 instance.
    d. Create an Application Load Balancer (ALB) in the public subnet.
    e. Configure the ALB to forward traffic to your EC2 instance in the private subnet.
    f. Set up an SSL/TLS certificate for your domain using AWS Certificate Manager.
    g. Configure the ALB to use HTTPS.

  3. For the authentication flow:

    a. Set up Amazon API Gateway as your entry point.
    b. Configure API Gateway to integrate with Cognito for authentication.
    c. Set up a VPC Link in API Gateway to connect to your ALB.

The flow of a request would look like this:

User Request → API Gateway → Cognito Authentication → VPC Link → Application Load Balancer → Private Subnet → EC2 Instance

This setup ensures that your EC2 instance is not directly accessible from the internet, while still allowing authenticated and encrypted access to your application. The API Gateway acts as the first entry point in the AWS cloud, handling authentication via Cognito before forwarding requests to your application running on EC2.

Remember to update your Cognito settings to use the new HTTPS endpoint of your application as the callback URL. Also, make sure to configure the necessary security groups and network ACLs to allow traffic between these components.

This setup provides a secure and scalable architecture for your application, leveraging AWS services to handle authentication, encryption, and network security.
Sources:

  - EC2 access to internet in private subnet | AWS re:Post
  - create-nat-gateway — AWS CLI 2.22.12 Command Reference
  - Example routing options - Amazon Virtual Private Cloud

answered a month ago; reviewed by an EXPERT a month ago
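Steps 1 and 2a–2c above (keep the existing Internet Gateway route, move the instance to a private subnet behind a NAT Gateway, and let only the ALB reach it) as Terraform. This is an added example, not the answer's or AWS's code; the existing route table with the Internet Gateway is assumed to stay associated with the public subnet, and the VPC, subnet and ALB security group IDs are placeholders.

```hcl
# Added example: private-subnet routing and instance firewalling for the
# architecture in the answer. The public subnet keeps its existing route table
# (0.0.0.0/0 -> Internet Gateway); only the private side is created here.
variable "vpc_id"            { type = string }
variable "public_subnet_id"  { type = string } # subnet that holds ALB and NAT
variable "private_subnet_id" { type = string } # where the EC2 instance now lives
variable "alb_sg_id"         { type = string } # security group attached to the ALB

resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "app" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id # the NAT Gateway itself sits in the public subnet
}

# Private route table: outbound Internet (e.g. token calls to Cognito) goes via
# the NAT Gateway, while nothing on the Internet can initiate a connection in.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.app.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# Instance security group: port 80 is reachable only from the ALB's security group.
resource "aws_security_group" "app" {
  name   = "app-instance-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [var.alb_sg_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach aws_security_group.app to the instance and remove any rule that allowed 0.0.0.0/0 on port 80; after the move, http://<public EC2 IP>/app-Page stops working by design and the ALB's HTTPS hostname becomes the only entry point.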
