
How to limit access to ElasticBeanstalk port 80 from internal zone only?


I have an ElasticBeanstalk environment which should be exposed to the Internet via an HTTPS port but also exposed via HTTP only to some instances inside my cloud. It therefore has 2 listeners. EB auto-sets an "HTTP ANY IP" inbound rule on the LoadBalancer security group of my env.

Now, I have defined a Route 53 alias to my EB environment, e.g. "myenv.company.internal". Next, I curl "http://env1.company.internal" from some EC2 instance, and it works only if the inbound rule is "HTTP ANY IP". If I try to limit HTTP only to the security group of my EC2 instance, that instance cannot curl.

How do I limit HTTP port 80 access of my EB environment only to some other security group in my cloud?


Solution

  • How do I limit HTTP port 80 access of my EB environment only to some other security group in my cloud?

    You can't do this for an internet-facing ALB. If you set up an env1.company.internal private hosted zone record for a public ALB, it will just resolve to the public IP addresses of the ALB.

    Therefore, you can't use SGs in the ALB SG ingress rules to limit traffic. That's why it works with HTTP ANY IP, but not with referenced SGs.

    If you want to overcome this issue, you can attach an Elastic IP to your other instance and limit port 80 on the ALB to only allow connections from the Elastic IP address. For more instances, you can use the NAT gateway's public IP address.
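The answer above in working form, as an added example that is not code from the question author, the answerer, or AWS: it builds the /32 ingress rule for the client's Elastic IP or NAT gateway public IP, flags any SG-referencing rule on port 80 (which never matches on an internet-facing ALB, since the ALB sees the client's public source address), and plans the swap that removes the EB-generated "HTTP ANY IP" rule while leaving 443 open. The security group ID, the RFC 5737 addresses and the sample rule set are placeholders and constructed data, not values from the page; only the `apply_lockdown` step talks to AWS, and it assumes boto3 and credentials are available.

```python
"""Lock down port 80 on an internet-facing ALB security group to specific public IPs.

Added example illustrating the answer above; it is not code from the question
author, the answerer, or AWS. The security group ID, IP addresses and sample
rule set below are placeholders / constructed data, not values from the page.
"""
import ipaddress

ALB_PORT = 80

# Address space that can never be the source of traffic reaching an internet-facing
# ALB: clients inside the VPC are seen via their Elastic IP or NAT gateway public IP.
_NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def _exact_tcp_port(perm, port):
    """True if an IpPermissions entry is a TCP rule for exactly `port`."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == port and perm.get("ToPort") == port)


def ingress_rule_for_public_ips(public_ips, port=ALB_PORT,
                                description="internal clients via public IP"):
    """Build one IpPermissions entry allowing TCP `port` from each public IPv4
    address as a /32. Rejects RFC 1918 / loopback / link-local sources, which
    would silently match nothing on an internet-facing ALB."""
    ranges = []
    for ip in public_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            raise ValueError(f"{ip}: only IPv4 handled here")
        if any(addr in net for net in _NON_ROUTABLE):
            raise ValueError(f"{ip} is not a public address; use the EIP or NAT gateway IP")
        ranges.append({"CidrIp": f"{addr}/32", "Description": description})
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}


def find_ineffective_sg_references(ip_permissions, port=ALB_PORT):
    """Return source security-group IDs referenced by rules on `port`. On an
    internet-facing ALB these rules never match (the answer's point): the
    client's packets arrive from its public IP, not from an ENI in that group."""
    refs = []
    for perm in ip_permissions:
        if _exact_tcp_port(perm, port):
            refs.extend(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return refs


def plan_port_lockdown(ip_permissions, public_ips, port=ALB_PORT):
    """Compute (authorize, revoke) IpPermissions lists that leave `port` open only
    to `public_ips`: the EB-generated 0.0.0.0/0 rule and any SG-referencing
    rules on that port are revoked. Only single-port TCP rules are touched, so a
    range such as 80-443 is never removed by accident."""
    revoke = []
    for perm in ip_permissions:
        if not _exact_tcp_port(perm, port):
            continue
        world = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        sg_refs = [{"GroupId": p["GroupId"]} for p in perm.get("UserIdGroupPairs", [])]
        if world:
            revoke.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
        if sg_refs:
            revoke.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                           "UserIdGroupPairs": sg_refs})
    return [ingress_rule_for_public_ips(public_ips, port)], revoke


def apply_lockdown(alb_sg_id, public_ips, port=ALB_PORT):
    """Apply the plan with boto3: authorize first so internal clients never lose
    access, then revoke the world and SG-reference rules. Needs AWS credentials."""
    import boto3  # imported here so the pure helpers above run without AWS access
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[alb_sg_id])["SecurityGroups"][0]
    authorize, revoke = plan_port_lockdown(sg["IpPermissions"], public_ips, port)
    ec2.authorize_security_group_ingress(GroupId=alb_sg_id, IpPermissions=authorize)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=alb_sg_id, IpPermissions=revoke)
    return authorize, revoke


# Constructed sample of what describe_security_groups returns for an EB ALB SG:
# the default "HTTP ANY IP" rule, a (non-working) SG-referencing rule someone
# added for port 80, and the HTTPS rule that must stay open to the Internet.
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    # Dry run on the constructed data; placeholder EIP / NAT gateway addresses (RFC 5737).
    print("ineffective SG refs:", find_ineffective_sg_references(SAMPLE_PERMS))
    auth, rev = plan_port_lockdown(SAMPLE_PERMS, ["203.0.113.10", "198.51.100.7"])
    print("authorize:", auth)
    print("revoke:", rev)
    # To change a real environment: apply_lockdown("sg-<alb-sg-id>", ["203.0.113.10"])
```

Two caveats for real use: `authorize_security_group_ingress` fails with `InvalidPermission.Duplicate` if the /32 rule already exists, so a rerun needs a pre-check against the current rules; and Elastic Beanstalk manages this security group, so a change made directly with boto3 or the CLI can be reset by later environment updates and is better expressed in the environment's own configuration.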