February 12th, 2011
posted by Brian Peddle
In an ongoing effort to keep my company’s servers as secure as possible I decided I was going to lock down port 80 and 443 to only accept traffic from specific servers that needed access. Should be easy enough I thought, I could simply setup up the security group and restrict the source IP or group. I setup a test EC2 instance and ran a quick test pointing directly to the instance and it worked. I then added the rules to the production security group and thought all was well. Not so fast … I failed to remember that the Elastic Load Balancer (ELB) needs to perform health checks on each instance to confirm they are running. The problem here is you cannot tell what IP address the ELB is using to add to the security group and you cannot assign a security group to the ELB.
I spoke to someone at Amazon and they responded, “Yes we are aware of the issue and our teams are considering and evaluating different alternatives to solve this issue.” He did recommend adding all the Amazon IP ranges as well as their internal 10.0.0.0/8 rule to the security group but this just isn’t secure enough.
I have a few options right now I am looking at:
- Use our DNS Service to do round robin without any health checks and rely on our monitoring service to notify us if a server is down.
- Look to HAProxy and manage my own load balancer. I will probably give the loadbalancer.org application a try.
- I could use non-standard ports on the web server and map the ports to those in the ELB, not really secure but a little something.
- Sit tight and wait for the corrections from Amazon.
If anyone has any other ideas I would love to hear them.