I have the below architecture within a non-default VPC.
Route53 -> ALB (web server) -> EC2 (web servers) -> ALB (application server) -> EC2 (application server) -> RDS
I want my ALB for the app server to only accept traffic coming from the EC2 web servers. I tried adding a rule in the security group of the ALB with the source set to the security group of the EC2 web servers.
For some reason, it is not working. But when I add 0.0.0.0/0 as the source for the rule, it works.
I feel I am missing something here. Could anyone help me with this?
Since your ALB (application server) is internet-facing, it can only be accessed through its public IP. This means that your EC2 (web servers) are using the Internet to access the ALB (application server):
Route53 -> ALB (web server) -> EC2 (web servers) -> INTERNET -> ALB (application server) -> EC2 (application server) -> RDS
In this case, your security groups (SGs) can only work with a 0.0.0.0/0 rule, not by referencing the web servers' SG. SG referencing works only if traffic stays within the VPC, not when it comes from the Internet.
In your setup, your ALB (application server) should be an internal ALB in private subnets, not public ones. Since your setup follows a three-tier architecture, please have a look at some example designs below. Note that in all of them, the second ALB is internal and the app servers are in private subnets. This allows you to use SGs the way you want.