I created a server behind an Application Load Balancer.
I am trying to connect from that server to another server that is not connected to a Load Balancer.
I am not sure whether to put the IP address of the Load Balancer or the IP address of the server in the security group of the server that is not connected to the Load Balancer, so I put both.
In the case of an Application Load Balancer, I know that all server communication is done through the Load Balancer, so I think the Load Balancer alone is fine, but I think I need to write the destination, so I think I need to put the server's IP address as well.
I wonder whether it is enough to set the security group with only the Load Balancer address, or whether both are needed?
CodePudding user response:
The flow goes like this:
User on the web --> Load Balancer --> Web server --> Other server
The Load Balancer is only used between the end user and the web server. Traffic between the web server and the 'other server' does not go through the Load Balancer.
The proper security setup for your situation would be:
- A security group on the Load Balancer (LB-SG) that permits Inbound traffic from the Internet on appropriate ports (eg 80, 443), plus the default "Allow All" rule for Outbound traffic
- A security group on the 'other server' (Other-SG) that permits Inbound traffic from LB-SG on appropriate ports (80?), plus the default "Allow All" rule for Outbound traffic

Note that Other-SG refers to LB-SG in the inbound rules. This means that any resource associated with LB-SG will be permitted to communicate with the 'other server'. There is no need to enter any IP addresses -- AWS will allow traffic to come from any such resource (eg the Load Balancer) due to the reference to the LB-SG security group.
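The two-group setup the answer describes, written as a CloudFormation template. This is an added example, not code from the answer; the `VpcId` parameter, the logical resource names and the port choices are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  LB-SG on the load balancer, Other-SG on the 'other server'.
  Other-SG admits traffic by referencing LB-SG rather than by IP address.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumption: the VPC is supplied at deploy time

Resources:
  LBSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: LB-SG
      GroupDescription: Load balancer - inbound HTTP/HTTPS from the Internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      # SecurityGroupEgress is omitted on purpose: the default "Allow All"
      # outbound rule stays in place.

  OtherSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: Other-SG
      GroupDescription: Other server - inbound only from members of LB-SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          # The source is a security group, not a CIDR. Any network interface
          # attached to LB-SG (eg the load balancer nodes) may reach port 80,
          # whatever IP address it happens to have, so no addresses are listed.
          SourceSecurityGroupId: !Ref LBSG
```

After deployment, `aws ec2 describe-security-groups` shows the Other-SG rule under `UserIdGroupPairs` rather than `IpRanges`, which is the quick way to confirm that no IP address was baked into the rule.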