I have the following scenario. I have an EKS cluster A with worker nodes in private subnets that can access the internet via a NAT Gateway (elastic IP, say x.x.x.x/32). There is another similar EKS cluster B in another AWS account. When a user hits the load balancer in cluster A at the URL https://sample.site.clusterA.com, it needs to redirect to a login page (OIDC) hosted on cluster B.
My need is to restrict the security group of the worker nodes in cluster B to accept inbound HTTPS requests only if they originated from / were redirected by the NAT Gateway elastic IP of cluster A. Since https://sample.site.clusterA.com is redirecting to the login page, the request now seems to be originating from the user's IP and not the elastic IP of cluster A.
I want to block any request where the user hits the login URL directly instead of being redirected from the cluster A elastic IP. Is it possible to restrict security group rules to allow only based on the originating IP and not the user's IP?
When a redirect occurs, a response is returned to the client with a status (generally 301, 302 or 307) along with a Location header telling it where to redirect to.
For this reason, the client is what performs the redirect; the first cluster is just instructing it where to go.
Security groups can only control the ingress/egress of the hosts based on the source that accesses them, which in this case is the client.
If you want to apply more comprehensive rules you could attach a WAF to an ALB, but you would need to be able to define the behaviour to block.
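The following is an added example that is not part of the answer above. It drives the redirect hop described there with two stand-in HTTP servers on loopback (standing in for the cluster A site and the cluster B login page) and shows that cluster B only ever sees a connection from the client; the only thing cluster A contributes is the Location URL. It then makes "define the behaviour to block" concrete in one assumed way: cluster A puts a short-lived HMAC-signed `state` value in the Location URL and cluster B refuses any request that lacks a valid one. The shared secret, the token format and the `/login` path are assumptions for the demonstration, not something the question or answer specifies.

```python
import base64
import hashlib
import hmac
import threading
import time
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

# Assumption: a secret shared out-of-band between cluster A and cluster B (constructed for the demo).
SHARED_SECRET = b"constructed-demo-secret-not-from-the-page"
TTL_SECONDS = 60


def make_state(secret: bytes, now: int, ttl: int = TTL_SECONDS) -> str:
    """Cluster A mints '<expiry>.<base64url(HMAC-SHA256(expiry))>' and puts it in the Location URL."""
    exp = str(now + ttl).encode()
    sig = hmac.new(secret, exp, hashlib.sha256).digest()
    return exp.decode() + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def verify_state(secret: bytes, state: str, now: int) -> bool:
    """Cluster B accepts a request only if the token is well-formed, unexpired and correctly signed."""
    try:
        exp, sig_b64 = state.split(".", 1)
        sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    except (ValueError, TypeError):  # missing separator or bad base64 (binascii.Error is a ValueError)
        return False
    if not exp.isdigit() or int(exp) < now:
        return False
    expected = hmac.new(secret, exp.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


class ClusterA(BaseHTTPRequestHandler):
    """Stand-in for https://sample.site.clusterA.com: it only answers with a 302 and a Location header."""
    login_url = ""  # set at startup to the cluster B stand-in's address

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", f"{self.login_url}?state={make_state(SHARED_SECRET, int(time.time()))}")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class ClusterB(BaseHTTPRequestHandler):
    """Stand-in for the OIDC login page; records the peer address of every request that reaches it."""
    seen = []  # (peer_ip, path): this is all a security group or WAF on B could ever act on

    def do_GET(self):
        ClusterB.seen.append((self.client_address[0], self.path))
        state = parse_qs(urlparse(self.path).query).get("state", [""])[0]
        if verify_state(SHARED_SECRET, state, int(time.time())):
            self.send_response(200)
            body = b"login page"
        else:
            self.send_response(403)
            body = b"direct access refused"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: let the OS pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_flow() -> dict:
    """Drive the redirect the way a browser would and report what each hop returned."""
    b = start(ClusterB)
    a = start(ClusterA)
    ClusterA.login_url = f"http://127.0.0.1:{b.server_address[1]}/login"
    ClusterB.seen.clear()
    try:
        # Hop 1: the user's client asks cluster A for the protected site and gets a redirect back.
        ca = HTTPConnection("127.0.0.1", a.server_address[1])
        ca.request("GET", "/")
        r1 = ca.getresponse()
        location = r1.getheader("Location")
        r1.read()
        ca.close()
        # Hop 2: the same client, not cluster A, opens a brand-new TCP connection to cluster B.
        target = urlparse(location)
        cb = HTTPConnection(target.hostname, target.port)
        cb.request("GET", target.path + "?" + target.query)
        r2 = cb.getresponse()
        r2.read()
        cb.close()
        # Hop 3: a user typing the login URL directly carries no token, so B refuses it.
        cb = HTTPConnection(target.hostname, target.port)
        cb.request("GET", target.path)
        r3 = cb.getresponse()
        r3.read()
        cb.close()
    finally:
        a.shutdown(); a.server_close()
        b.shutdown(); b.server_close()
    return {
        "redirect_status": r1.status,      # 302 from A
        "redirected_status": r2.status,    # 200: token from the Location URL checks out
        "direct_status": r3.status,        # 403: no token
        "requests_seen_by_b": len(ClusterB.seen),
        "peers_seen_by_b": sorted({ip for ip, _ in ClusterB.seen}),
    }


if __name__ == "__main__":
    print(run_flow())
```

Because both stand-ins run on loopback, the peer address B records is 127.0.0.1 for every hop; in the real deployment it would be the user's address on both hops and never x.x.x.x, which is exactly why a security group rule keyed on the NAT Gateway elastic IP cannot express "came via cluster A". Whatever B (or a WAF in front of it) checks has to travel with the client's request, and the signed `state` here is one way to put it there; the OIDC `state` parameter already exists in the protocol for request binding, so a real deployment would fold this into it rather than invent a second one.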