— Digital Mines Blog

This is the first in a series of posts we’ll be doing on solutions to practical nuts and bolts issues around using Cloud services like AWS directly. Obviously, if you are a Digital Mines Customer, we take care of all this pain for you.

One issue that has arisen over using the ELB (Elastic Load Balancer) service in front of your application servers is that you had to accept connections on those servers from any IP address. This could lead to badly-intentioned people bypassing your ELBs and potentially creating a security issue for you.

On May 24th, Amazon announced support for Security Groups between ELB and EC2 instances so they would accept traffic only from ELB and hence solve this issue. Our tech guys got it working as follows using the ELB API Tools:

  1. First, find out the name of the ELB's source security group:
    elb-describe-lbs myLB --show-long --headers
    
  2. The response will be something like this: a header line followed by one line per load balancer, with the SOURCE_SECURITY_GROUP column given as owner/group-name:
    LOAD_BALANCER,NAME,DNS_NAME,CANONICAL_HOSTED_ZONE_NAME,CANONICAL_HOSTED_ZONE_NAME_ID,HEALTH_CHECK,AVAILABILITY_ZONES,INSTANCE_ID,LISTENER_DESCRIPTIONS,SOURCE_SECURITY_GROUP,CREATED_TIME
    LOAD_BALANCER,myLB,myLB-160000000.us-east-1.elb.amazonaws.com,(nil),(nil),"{interval=30,target=HTTP:80/,timeout=5,healthy-threshold=10,unhealthy-threshold=2}","us-east-1b, us-east-1d","i-f111111, i-cbbbbbb","{protocol=HTTP,lb-port=80,instance-port=80,policies=}",example-elb/example-elb-sg,2011-02-13T20:43:23.220Z
    
  3. Next, authorize ingress traffic to all back-end instances in a security group only from that ELB source group:
    ec2-authorize backend-default-sg --source-group example-elb-sg --source-group-user example-elb
    

    Obviously, replace the various "examples" with the real security group names and owner that you have.

And that’s it. Your back-end instances can now only be accessed by your ELBs. A similar process also works for accessing sites over SSL. If you are a Digital Mines customer and need either feature enabled, just let us know.
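The three steps above, scripted end to end as an added example (not Digital Mines' own tooling): a POSIX sh snippet that parses the `elb-describe-lbs --show-long --headers` output for the owner/group pair and prints the matching `ec2-authorize` command for review. The sample output is constructed from the post's values, and the port-scoped variant assumes ec2-authorize's `--protocol` and `--port-range` options.

```shell
# Constructed sample of `elb-describe-lbs myLB --show-long --headers` output:
# header line plus one data line, mirroring the post's example values.
SAMPLE_ELB_OUTPUT='LOAD_BALANCER,NAME,DNS_NAME,CANONICAL_HOSTED_ZONE_NAME,CANONICAL_HOSTED_ZONE_NAME_ID,HEALTH_CHECK,AVAILABILITY_ZONES,INSTANCE_ID,LISTENER_DESCRIPTIONS,SOURCE_SECURITY_GROUP,CREATED_TIME
LOAD_BALANCER,myLB,myLB-160000000.us-east-1.elb.amazonaws.com,(nil),(nil),"{interval=30,target=HTTP:80/,timeout=5,healthy-threshold=10,unhealthy-threshold=2}","us-east-1b, us-east-1d","i-f111111, i-cbbbbbb","{protocol=HTTP,lb-port=80,instance-port=80,policies=}",example-elb/example-elb-sg,2011-02-13T20:43:23.220Z'

# Print "<owner> <group-name>" for the ELB's source security group.
# Reads describe-lbs output on stdin. Earlier fields contain quoted commas,
# but the last two (SOURCE_SECURITY_GROUP, CREATED_TIME) never do, so the
# second-to-last comma-separated field is always the source group.
elb_source_group() {
    awk -F, '
        $1 == "LOAD_BALANCER" && $2 != "NAME" {
            split($(NF-1), sg, "/")
            if (length(sg[1]) && length(sg[2])) print sg[1], sg[2]
        }'
}

# Build the ec2-authorize command that allows a back-end security group to
# receive traffic from the ELB's source group, optionally only on one TCP port.
# Usage: authorize_from_elb <backend-sg> <owner> <group> [port]
authorize_from_elb() {
    backend=$1; owner=$2; group=$3; port=$4
    if [ -n "$port" ]; then
        printf 'ec2-authorize %s --protocol tcp --port-range %s --source-group %s --source-group-user %s\n' \
            "$backend" "$port" "$group" "$owner"
    else
        printf 'ec2-authorize %s --source-group %s --source-group-user %s\n' \
            "$backend" "$group" "$owner"
    fi
}

# Glue: read describe-lbs output on stdin, discover the ELB's source group and
# emit the authorize command. Fails if no SOURCE_SECURITY_GROUP was found.
# Usage: elb-describe-lbs myLB --show-long --headers | restrict_backend_to_elb <backend-sg> [port]
restrict_backend_to_elb() {
    backend=$1; port=$2
    set -- $(elb_source_group)
    [ $# -eq 2 ] || { echo "could not find SOURCE_SECURITY_GROUP in input" >&2; return 1; }
    authorize_from_elb "$backend" "$1" "$2" "$port"
}

# Demo run against the constructed sample; pipe it to sh once reviewed.
printf '%s\n' "$SAMPLE_ELB_OUTPUT" | restrict_backend_to_elb backend-default-sg 80
```

Security group rules are additive, so the back-end instances are only reachable from the ELB once any existing wide-open ingress rule (such as 0.0.0.0/0 on port 80) has been revoked from the back-end group; this script adds the ELB rule but does not remove others.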
