Tags: amazon-web-services, amazon-ec2, dns, amazon-elb, aws-security-group

Access Amazon EC2 instance only from ELB


I deployed a simple website on EC2 instance, and created an elastic load balancer, routing traffic to this EC2 instance.

I also created a CNAME record on my DNS registrar, pointing my domain (www.example.com) to the load balancer DNS name (load-balancer-1234567890.us-east-1.elb.amazonaws.com).

I can successfully reach my site in the browser in 3 different ways:

  • EC2 instance public IP (e.g. 54.89.99.99)
  • ELB public DNS name (e.g. load-balancer-1234567890.us-east-1.elb.amazonaws.com)
  • My domain DNS (e.g. www.example.com)

But, for security reasons, I want my EC2 instance to be accessible on port 80 only from the load balancer.

So, I changed the security group for the EC2 instance:

  • removed the rule that allowed traffic on port 80 from all sources (0.0.0.0/0)
  • added a rule to allow traffic on port 80 from my VPC (172.31.0.0/16)
  • added a rule to allow traffic on port 80 from the ELB security group (sg-xxxxxxxx)

After that, I can still access my website from the ELB DNS name, but now I can't access it from my domain anymore (www.example.com). I get the error: ERR_CONNECTION_TIMED_OUT.

What's wrong?
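As an added example (not part of the question or answer above), the following script audits the ingress rules of an EC2 security group the way a reviewer would check the change described in the question: it lists every source that can reach a given port and reports whether that port is reachable only from the load balancer's security group. The rule data is constructed inline in the shape of the IpPermissions entries returned by `aws ec2 describe-security-groups`; the ELB security group id is a placeholder, since the question elides the real one.

```python
"""Audit an EC2 security group's ingress rules for a given port.

Added example, not code from the original post. The sample rule sets below are
constructed to mimic IpPermissions entries from `ec2 describe-security-groups`.
"""
from typing import Dict, List

# Placeholder for the ELB's security group id (the question shows it as sg-xxxxxxxx).
ELB_SG_ID = "sg-0elbplaceholder"


def rule_covers_port(perm: Dict, port: int) -> bool:
    """True if an IpPermissions entry allows TCP traffic to `port` (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def classify_port_sources(perms: List[Dict], port: int) -> Dict[str, List[str]]:
    """Group every source allowed to reach `port` into public, cidr and sg buckets."""
    out: Dict[str, List[str]] = {"public": [], "cidr": [], "sg": []}
    for perm in perms:
        if not rule_covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            (out["public"] if cidr == "0.0.0.0/0" else out["cidr"]).append(cidr)
        for r in perm.get("Ipv6Ranges", []):
            cidr = r["CidrIpv6"]
            (out["public"] if cidr == "::/0" else out["cidr"]).append(cidr)
        for g in perm.get("UserIdGroupPairs", []):
            out["sg"].append(g["GroupId"])
    return out


def only_from_elb(perms: List[Dict], port: int, elb_sg: str) -> bool:
    """True only if `port` is reachable from the ELB security group and nothing else."""
    src = classify_port_sources(perms, port)
    return not src["public"] and not src["cidr"] and src["sg"] == [elb_sg]


def _tcp_rule(from_port, to_port, cidrs=(), sgs=()):
    """Build one constructed IpPermissions entry."""
    return {
        "IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
        "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": g} for g in sgs],
    }


# Constructed sample data: an SSH rule from one admin address plus three variants
# of the port 80 rule (original, as changed in the question, and ELB-only).
SSH_RULE = _tcp_rule(22, 22, cidrs=["203.0.113.5/32"])
BEFORE = [SSH_RULE, _tcp_rule(80, 80, cidrs=["0.0.0.0/0"])]
AS_POSTED = [SSH_RULE, _tcp_rule(80, 80, cidrs=["172.31.0.0/16"], sgs=[ELB_SG_ID])]
HARDENED = [SSH_RULE, _tcp_rule(80, 80, sgs=[ELB_SG_ID])]

if __name__ == "__main__":
    for label, perms in (("before", BEFORE), ("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, classify_port_sources(perms, 80), only_from_elb(perms, 80, ELB_SG_ID))
```

The "as posted" rule set fails the check on purpose: the extra 172.31.0.0/16 rule lets any host in the VPC reach port 80, so referencing the load balancer's security group alone is the tighter configuration when the ELB lives in the same VPC.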


Solution

  • This seems like a DNS caching issue on your machine or in DNS servers.

    • To clear the cache on your machine, flush the DNS using ipconfig /flushdns
    • If the issue persists, try traceroute www.example.com (or tracert www.example.com on Windows) to see whether it reaches the ELB. If the source IP is different from the current DNS configuration,
      • It can be due to a misconfiguration (double-check)
      • If the latest DNS modification has not propagated (if it points to a previous configuration), then wait for some time until the DNS servers clear the cache based on the TTL value.
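As an added example (not part of the answer above), this script does the comparison the answer suggests doing by hand: it resolves the domain and the load balancer's DNS name and reports whether the domain's addresses are among the ELB's. The resolver is injectable so the comparison can be exercised offline with constructed addresses; by default it uses the system resolver through socket.getaddrinfo. The ELB name and addresses used in the sample are constructed placeholders.

```python
"""Compare a domain's resolved addresses with those of its ELB.

Added example, not code from the original answer. Uses the system resolver by
default; the sample data at the bottom is constructed.
"""
import socket
from typing import Callable, Set


def resolve_ipv4(name: str) -> Set[str]:
    """Resolve `name` to its IPv4 addresses using the system resolver."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def domain_reaches_elb(domain: str, elb_name: str,
                       resolver: Callable[[str], Set[str]] = resolve_ipv4,
                       lookups: int = 3) -> str:
    """Return "ok" when every address the domain resolves to belongs to the ELB.

    An ELB name can return a different subset of its addresses on each query, so
    the ELB is resolved `lookups` times and the results are unioned before comparing.
    """
    domain_ips = resolver(domain)
    elb_ips = set().union(*(resolver(elb_name) for _ in range(lookups)))
    if not domain_ips:
        return "domain does not resolve"
    if not elb_ips:
        return "elb name does not resolve"
    if domain_ips <= elb_ips:
        return "ok"
    return "stale: %s not among ELB addresses" % sorted(domain_ips - elb_ips)


# Constructed placeholder data for an offline run: a fresh and a stale resolver.
FAKE_TABLE = {
    "www.example.com": {"198.51.100.10"},
    "lb-placeholder.us-east-1.elb.amazonaws.com": {"198.51.100.10", "198.51.100.11"},
}
STALE_TABLE = dict(FAKE_TABLE, **{"www.example.com": {"203.0.113.7"}})


def fake_resolver(table):
    """Build a resolver that answers from a constructed lookup table."""
    return lambda name: set(table.get(name, set()))


if __name__ == "__main__":
    elb = "lb-placeholder.us-east-1.elb.amazonaws.com"
    print(domain_reaches_elb("www.example.com", elb, fake_resolver(FAKE_TABLE)))
    print(domain_reaches_elb("www.example.com", elb, fake_resolver(STALE_TABLE)))
```

A "stale" result with an address that matches the instance's public IP means a cached answer is sending the browser straight to the instance, which the tightened security group now rejects; once the cached record expires the domain follows the CNAME to the ELB again.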