How to allow access to an AWS Elastic Load Balancer over the DNS name

amazon-elbamazon-vpcamazon-web-services

I have an ELB. It has the address myelbname.eu-west-1.elb.amazonaws.com as one would expect.

I also have an EC2 instance behind that ELB. The load balancer is saying that the instance is healthy (the status is "In Service").

I can access the EC2 instance over IP on my network (using VPN to the VPC) but if I go to the A record of the load balancer in a browser then it can't be found.

Also, if I run nslookup it does show an IP address for the load balancer.

I've also tried adding a CNAME record and pointing it to the ELB's DNS name but that didn't work.

Best Answer

ELBs must be in a subnet with an internet gateway. Placing an ELB in a private subnet makes it only available within the VPC's network.

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)

In the end, I implemented the requirement of our partner as follows:

launch an instance in AWS
allocate and attach an Elastic IP (EIP) to it
Installed Apache
(in our case, installed our SSL certificate)
Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB

Here's a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a <Directory> block that accepts requests only from their IP range.

<IfModule mod_ssl.c>
# Catch non-SSL requests and redirect to SSL
<VirtualHost 12.34.567.890:80>
  ServerName our-static-ip-a-record.example.com
  Redirect / https://our-elb-cname.example.com       
</VirtualHost>
# Handle SSL requests on the static IP
<VirtualHost 12.34.567.890:443>
  ServerAdmin monitor@example.com
  ServerName our-static-ip-a-record.example.com

  # SSL Configuration
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
  SSLCertificateFile    /etc/apache2/ssl/example.com.crt    
  SSLCertificateKeyFile /etc/apache2/ssl/private.key
  # Additional defaults, e.g. ciphers, defined in apache's ssl.conf

  # Where the magic happens
  ProxyPass / https://our-elb-cname.example.com/
  ProxyPassReverse / https://our-elb-cname.example.com/

  # Might want this on; sets X-Forwarded-For and other useful headers
  ProxyVia off

  # This came from an example I found online, handles broken connections from IE
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Hope this saves someone else some time in the future :-)

Best Answer

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)

Related Topic