I'm hosting an application on AWS Elastic Beanstalk (EB) in a private subnet. The security group (sg-1) for EB is configured to block all public access, which works as expected when I try to access the EB default URL from the public internet—it's blocked.
Now, I've added an Application Load Balancer (ALB) to the setup. I updated the security group (sg-1) to allow access only from the ALB's private IP range (e.g., 15.0.1.1/16). When I access the application via the ALB's domain URL, it works fine.
However, the issue is that the EB default URL is still accessible from the public internet, even though I restricted the security group to only allow access from the private IP range. what might the reason behind it is there is anything configured wrong form my side ?
Note: The application is hosted across a minimum of two availability zones.
How can I ensure that the application hosted on EB is only accessible through the ALB and not directly via the EB default URL?
I'm hosting an application on AWS Elastic Beanstalk (EB) in a private subnet. The security group (sg-1) for EB is configured to block all public access, which works as expected when I try to access the EB default URL from the public internet—it's blocked.
It was probably blocked anyway, since it was in a private subnet. There was no network route from the Internet to the server(s) in the private subnets.
However, the issue is that the EB default URL is still accessible from the public internet, even though I restricted the security group to only allow access from the private IP range. what might the reason behind it is there is anything configured wrong form my side ?
When you add a load balancer to your Elastic Beanstalk environment, the EB default URL will start resolving to the Application Load Balancer, instead of one of your individual EC2 instances anymore. An Application Load Balancer also has a security group, just like the EC2 instances. So you need to configure the inbound rules of the load balancer's security group to only allow the traffic you want.
I updated the security group (sg-1) to allow access only from the ALB's private IP range (e.g., 15.0.1.1/16). When I access the application via the ALB's domain URL, it works fine.
The ALB's IP addresses may change. I'm not sure what private IP range you are using here, unless it's all the CIDR blocks of the subnets the ALB is deployed to. The "more correct" way of accomplishing this is to have an inbound rule in the EC2 instance's security group that allows traffic from the security group ID of the ALB's security group.