How to allow elastic load balancer through port 80 in security groups?

I want to temporarily block port 80 for the outside world, but want the load balancer to pass through the firewall (via security group) so it won't see the instance as unhealthy. How can I do that?

Update: I also want to know how I can allow only myself to access the elastic load balancer via port 80 (but prevent others from accessing it). I know that the load balancer doesn't have specific security groups that I can set up and tell it to only accept my IP address, but is there any other way to do it?


Solution 1:

What Eric takes the long way to point you towards but doesn't actually state is that you need to authorize the source as the amazon-elb/amazon-elb-sg. If you're doing this through the AWS Management Console it will actually auto-complete when you start typing it into the source field. I operate several ELB configurations and they all allow access to 80/TCP via this security group and the static IP addresses of my monitoring systems.

To address the updated request info, you cannot restrict what IP addresses can hit the ELB. This could be possible on the Apache server side if you write rules that look at the headers and make decisions to reject the page view. My way of restricting access for testing is to add my static IP to the security group allowed to hit the EC2 instance via port 80/TCP and simply take the instance out of the ELB for testing.

Solution 2:

Amazon announced support for this in April:

You can now configure EC2 instances sitting behind an Elastic Load Balancer to receive traffic only from the Load Balancer by using a special Security Group associated with the Elastic Load Balancer. To do this, you call the DescribeLoadBalancers API to get the name of the SecurityGroup, and then include that group in the group list when you subsequently launch some EC2 instances. The name of the Security Group can also be obtained from the load balancer details pane in the AWS Management Console.

http://aws.typepad.com/aws/2011/05/elastic-load-balancing-ipv6-zone-apex-support-additional-security.html

Solution 3:

I should add that amazon-elb/amazon-elb-sg is the default name of the load balancer security group. If you changed the name of the security group then adding amazon-elb/amazon-elb-sg will not work. A more generic answer is to add the security group ID or the security group name of the load balancer to the security group of all the instances participating in the cluster.
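The rule Solutions 1 and 3 describe, as an added Python example that is not from any of the answers: it builds the 80/TCP ingress permission (ELB security group plus your own static IP only) in boto3's IpPermissions shape and audits an instance security group for the two properties the question asks about. ELB_SG_ID, MY_IP_CIDR and the sg- IDs are placeholders, and apply_rules assumes a boto3 EC2 client.

```python
# Added example (not from the original answers): build the 80/TCP ingress rule that
# Solutions 1 and 3 describe and audit a security group for it. Data is in boto3's
# IpPermissions shape; the group IDs and CIDR are constructed placeholders.
ELB_SG_ID = "sg-0elb0000placeholder"  # assumption: the load balancer's own security group
MY_IP_CIDR = "203.0.113.10/32"        # assumption: your static test/monitoring IP

def build_port80_rules(elb_sg_id, admin_cidrs):
    """Rule allowing 80/TCP only from the ELB's security group and the given /32s."""
    # For the legacy amazon-elb/amazon-elb-sg source, the pair is
    # {"UserId": "amazon-elb", "GroupName": "amazon-elb-sg"} rather than a GroupId.
    return [{
        "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "UserIdGroupPairs": [{"GroupId": elb_sg_id}],
        "IpRanges": [{"CidrIp": c, "Description": "static admin IP"} for c in admin_cidrs],
    }]

def apply_rules(ec2, instance_sg_id, permissions):
    """Push the rule to the instances' group; ec2 = boto3.client("ec2"). Not run here."""
    return ec2.authorize_security_group_ingress(GroupId=instance_sg_id, IpPermissions=permissions)

def port80_sources(security_group):
    """Every source that can reach 80/TCP in a describe-security-groups entry."""
    sources = set()
    for p in security_group.get("IpPermissions", []):
        proto = p.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols and ports
            continue
        if proto == "tcp" and not p.get("FromPort", 0) <= 80 <= p.get("ToPort", 65535):
            continue
        sources.update(r["CidrIp"] for r in p.get("IpRanges", []))
        sources.update(r["CidrIpv6"] for r in p.get("Ipv6Ranges", []))
        sources.update(g.get("GroupId") or f'{g["UserId"]}/{g["GroupName"]}'
                       for g in p.get("UserIdGroupPairs", []))
    return sources

def audit_port80(security_group, elb_sg_id):
    """Return (world_open, elb_allowed), the two properties the question asks about."""
    sources = port80_sources(security_group)
    return bool(sources & {"0.0.0.0/0", "::/0"}), elb_sg_id in sources

# Constructed samples: the "before" state with 80/TCP open to everyone, and the locked-down one.
OPEN_SG = {"GroupId": "sg-0web0000placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
LOCKED_SG = {"GroupId": "sg-0web0000placeholder",
             "IpPermissions": build_port80_rules(ELB_SG_ID, [MY_IP_CIDR])}
```

Running audit_port80 over the output of describe_security_groups is a quick way to confirm that, after the change, 80/TCP is no longer world-reachable while the health checks from the ELB group still get through.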