MWAA UI Private Webserver can't be accessed through internal ALB

0

I am attempting to set up an MWAA environment inside of a private subnet and use an internal ALB to allow users to access the VPC endpoint that is tied to the web server IP addresses in the subnets that were chosen during environment creation. I am currently coming across an issue where, if I access the MWAA UI through the console hyperlink, I get sent to a page that says "This site can't be reached". If I update the URL to include the ALB A-record and the MWAA web login token, I am able to access the proper page. If I access just the ALB A-record, I am sent to a login page for MWAA and then sent to the same page where it says "This site can't be reached".

Additional information is in my Stack Overflow question here. To me it is almost as if there is some sort of redirection issue occurring here. As for being able to access the internal ALB, I read that users need access to the VPC; what does this mean exactly?

https://stackoverflow.com/questions/71798790/aws-internal-alb-is-unable-to-re-direct-to-private-mwaa-webserver

2 Answers
1

Hi,

Thank you for using AWS MWAA.

With the details provided, MWAA accessed over an ALB/custom DNS record will be redirected for SSO authentication and then to the VPC endpoint. So, in your case the redirection behaviour is working as expected, because MWAA currently does not support webserver aliases, even though the custom DNS/ALB is set up successfully.

To give some context here, the Web UI in Managed Airflow (MWAA) is designed to be accessed using SSO authentication via an IAM user/role. This is because the SSO tends to redirect to the webserver URL defined in the environment rather than to the referring custom domain. So, after login, it goes back to the default web-server domain. However, you can bypass the SSO authentication page and access the Web UI directly using the MWAA web-token feature; please see below:

https://docs.aws.amazon.com/mwaa/latest/userguide/call-mwaa-apis-web.html

Basically, the web-token feature allows you to authenticate access externally by using IAM credentials to generate a web token (valid for 60 seconds) that can be inserted into the URL of your Airflow UI.

AWS
answered 2 years ago
  • Hi, thanks for the help. Our company currently only allows users to assume roles and we do use a custom SAML federation method to gain access to AWS. I am also fairly new to AWS and the networking aspect so I have a few questions.

    So when I access the UI through the link provided in the MWAA console, it is taking me directly to the VPC endpoint DNS, is that correct? Is this a custom domain? We didn't set up anything custom, and from my understanding MWAA set up a VPC endpoint that is associated with the IP address for the web server in each subnet (2 total). Why exactly do I receive an error stating "This site can't be reached" at this point?

    When I access the ALB A-record, it forwards the request to the target group (MWAA Webserver VPC endpoint IPs)? Here it asks me to authenticate via AWS Management Console SSO. We only use assume-IAM-role capabilities at this stage, but the role I am assuming prior to accessing the ALB has the ability to generate the web token via the IAM permission airflow:CreateWebLoginToken. After authenticating, the browser URL changes to ####-vpce.c71.us-east-1.airflow.amazonaws.com/aws_mwaa/aws-console-sso?login=true#<WEB_TOKEN>, so it seems like I am able to get the web token and I am redirected to the VPC endpoint DNS. I guess I just don't understand why this also fails.

    In what use-case then would the ALB be needed? We would ideally like to have the ALB/link in the MWAA console as our access method for end users.

  • Is there any way we can still use the UI link from the MWAA console to generate the token but then forward users to the proper location?

  • I am able to use the AWS CLI and generate a web token for MWAA. I then build the URL as described in the MWAA docs with my generated token. The Airflow UI starts to load and then it says "Forbidden". I inspected my token in a JWT browser and it shows:

    { "aud": "web", "roles": "Admin", "exp": 1662135243, "user": "assumed-role/AWSReservedSSO_AWSAdministratorAcceaz5WEAHXskQftf7p" }

    So what am I doing wrong?
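As an added example (not part of this thread and not AWS's own code) of the web-token flow the answer describes and the token inspection in the comment above: the boto3 call is the real CreateWebLoginToken API, while the hostname, the sample token and its user claim are constructed placeholders, and the decoder only reads claims without verifying the signature.

```python
import base64
import json
import time
from typing import Optional

# Path from the MWAA web-token docs; the commenter's redirected URL has the same shape.
SSO_PATH = "/aws_mwaa/aws-console-sso?login=true#"


def fetch_web_token(environment_name: str, region: Optional[str] = None) -> dict:
    """Real MWAA API call (needs boto3 + airflow:CreateWebLoginToken); the
    response carries 'WebServerHostname' and 'WebToken'."""
    import boto3  # imported lazily so the offline helpers below work without it
    return boto3.client("mwaa", region_name=region).create_web_login_token(
        Name=environment_name
    )


def build_login_url(web_server_hostname: str, web_token: str) -> str:
    """Assemble the UI URL: the token travels in the fragment, not the path."""
    return f"https://{web_server_hostname}{SSO_PATH}{web_token}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(web_token: str) -> dict:
    """Read the JWT payload for inspection only (what a browser JWT viewer shows).

    The signature is NOT checked here; the MWAA webserver verifies it.
    """
    parts = web_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(claims: dict, now: Optional[float] = None) -> int:
    """Tokens live about 60 s; a negative result means 'exp' has already passed."""
    return int(claims["exp"] - (time.time() if now is None else now))


def make_sample_token(claims: dict) -> str:
    """Constructed token with a placeholder signature segment, for offline demos only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Because the token expires after about 60 seconds, generate it and open the built URL immediately rather than storing it.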

0

Although this is a different scenario, please check this technical guide, which explains in detail how to use a public-facing ALB + Amazon Cognito + AWS Lambda to build a solution that handles this scenario.

AWS
EXPERT
Tasio
answered a year ago
