I have a web application with two different sites. Each can be accessed via HTTP. When you access Site #1, it will serve that site directly. When you access site #2, it will actually connect to site #1 behind the scenes via REST API calls. This architecture is shown in the diagram below.
All instances shown (in blue) have ONLY private IP addresses. Both Load Balancers are internet-facing because people from outside the VPC need to access the application. Each autoscale group has an associated security group which is applied to each of its' instances.
How can I configure LoadBalancer #1 to accept HTTP calls from Auto-Scale Group #2 given that those instances don't have public IP addresses? Do I need to have one private-facing Load Balancer and one internet-facing load balancer?
I want all this configuration to be done automatically in my Cloudformation file.
The AWS Elastic Load Balancing service provides a DNS Name for the load balancer. This name should be used when accessing the load balancer.
The DNS name resolves to one of several public IP addresses. Therefore, instances in Auto Scaling Group #2 require access to the Internet.
If all instances are in a Public subnet, then they should be able to access the Internet and, therefore, Load Balancer #1.
If the instances are in a Private subnet, they will require some means of accessing the Internet. This is typically done by launching a NAT instance in a Public subnet and configuring Route Tables on the Private subnet to route Internet traffic to the NAT server.
The traffic won't actually traverse the Internet. Rather, they will traverse AWS's edge of the Internet by popping out of the VPC and then back in again.
There is no configuration required on Load Balancer #1, since it is already accepting incoming traffic.
来源:https://stackoverflow.com/questions/30785695/any-way-to-configure-aws-security-group-to-allow-private-instances-to-access-a-p