What is the best way to restrict access to an Application Load Balancer?

Submitted by 笑着哭i on 2020-04-12 08:22:00

Question


Ideally, I'd like to lock down my ALB so that it can only be accessed by API Gateway.

I've looked into whether I can associate API gateway with an Inbound Rule - however, I have found that API Gateway cannot be associated with an IP address, or a security group. I've also looked into an Internal facing ALB, but I've been unable to get these working as VPC link only supports NLB.

Any help will be greatly appreciated - I've been looking in the Gateway Settings but cannot find this option.

What is the best way to approach this so that the ALB is as restricted as possible?


Answer 1:


The API Gateway doesn't have a static IP and ALBs don't offer any authentication other than Cognito User Pools at this moment. Because of that I would say your best option is to use a VPC link with Network Load Balancer as you propose and tunnel the request via the NLB to your ALB.

Alternatively, you could have a Lambda inside your VPC invoke the ALB, but that would be a lot slower, though cheaper for low volumes because you skip the NLB.
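The API Gateway → VPC link → NLB → ALB chain from the answer above, written out as Terraform. This is an added example, not code from the question or the answers; it assumes an existing internal ALB (its ARN and security group passed in as variables), a VPC CIDR to scope ingress to, and an AWS provider version that supports `target_type = "alb"` on NLB target groups.

```hcl
# Assumed (hypothetical) inputs: an existing internal ALB, its security group
# and its VPC. Needs an AWS provider that supports target_type = "alb".
variable "vpc_id"          { type = string }
variable "vpc_cidr"        { type = string }
variable "private_subnets" { type = list(string) }
variable "alb_arn"         { type = string }
variable "alb_sg_id"       { type = string }
# ALB ingress only from inside the VPC (NLB nodes and VPC link ENIs), never 0.0.0.0/0.
resource "aws_security_group_rule" "alb_from_vpc" {
  type              = "ingress"
  security_group_id = var.alb_sg_id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_cidr]
}
# Internal NLB: the only load balancer type a REST API VPC link can target.
resource "aws_lb" "nlb" {
  name               = "api-gw-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnets
}
# NLB target group whose single target is the ALB itself.
resource "aws_lb_target_group" "to_alb" {
  name        = "nlb-to-alb"
  port        = 80
  protocol    = "TCP"
  target_type = "alb"
  vpc_id      = var.vpc_id
}
resource "aws_lb_target_group_attachment" "to_alb" {
  target_group_arn = aws_lb_target_group.to_alb.arn
  target_id        = var.alb_arn
  port             = 80
}
resource "aws_lb_listener" "nlb_80" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 80
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.to_alb.arn
  }
}
# VPC link for API Gateway; integrations use connection_type = "VPC_LINK" with its id.
resource "aws_api_gateway_vpc_link" "link" {
  name        = "alb-via-nlb"
  target_arns = [aws_lb.nlb.arn]
}
```

The ALB stays `internal`, so the security group rule plus the absence of a public scheme is what keeps anything outside the VPC from reaching it; the API's `aws_api_gateway_integration` then points at the link with `connection_type = "VPC_LINK"`.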




Answer 2:


Depending on the use case, one possibility is to secure your backend instead of the ALB using client SSL certificates (see "Generate and Configure an SSL Certificate for Backend Authentication").



Source: https://stackoverflow.com/questions/53715115/what-is-the-best-way-to-restrict-access-to-an-application-load-balancer
