I have a web service with a few EC2 servers behind an AWS ELB. As I understand it, there is no way an ELB endpoint can have a static IP, because it is a DNS-based load balancing solution, and that is a design decision made by the ELB team.
However, one of the 3rd-party partners that we integrated with requires the IP of our servers due to their internal infrastructure limits (yes, I know).
After some research, I plan to set up an SSL pass-through reverse proxy behind a static IP and pass requests to our ELB endpoint. This server will only be used by that client. I will probably use HAProxy because the proxy server needs to resolve the IP of the ELB dynamically.
Pros:
- No changes to the infrastructure behind the AWS ELB.
- No additional SSL certificate required.
Cons:
- Introduces a single point of failure, but only affects that client.
- The client needs to assign the IP for our domain name themselves, or we set up another domain name pointing to this server.
- No previous experience setting up such a reverse proxy.
This is the only way I came up with without changing our infrastructure. I would like to hear your input: what would you do if you were in this situation?
Best Answer
In the end, I went with the TCP SSL pass-through reverse proxy solution; here is my HAProxy config:
Some explanation:
I did some tests and it works well.
However, I did notice a downside (or just didn't know how to solve it).
This may cause problems if you want to allow some IPs to access certain services.
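The setup the answer describes, written out as an added example (this is not the answer's own config, which is not reproduced on the page): HAProxy in TCP mode passing TLS straight through to the ELB while re-resolving the ELB hostname at runtime. The ELB hostname, the partner's source range and the VPC DNS resolver address are assumed placeholders.

```haproxy
# Added example, not the original answer's config.
# Assumptions: the ELB hostname and the partner CIDR are placeholders;
# 169.254.169.253 is the Amazon-provided VPC DNS resolver.
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp              # pure TCP: TLS is terminated by the ELB, not here
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Re-resolve the ELB name periodically, since ELB IPs change over time.
resolvers aws_dns
    nameserver vpc 169.254.169.253:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s

frontend tls_passthrough
    bind *:443
    # Only the partner that needs the static IP should reach this proxy.
    acl partner src 203.0.113.0/24
    tcp-request connection reject if !partner
    default_backend elb_backend

backend elb_backend
    balance roundrobin
    # 'resolvers' + 'init-addr none' lets HAProxy start before the name
    # resolves and follow DNS changes without a reload.
    server elb my-elb-placeholder.us-east-1.elb.amazonaws.com:443 check \
        resolvers aws_dns resolve-prefer ipv4 init-addr none
```

Because the proxy forwards raw TCP, the ELB and the instances behind it see the proxy's own address as the connection source, not the partner's, so any source-IP allow-listing for this path has to happen on the proxy (as the `acl` above does) rather than behind the ELB.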