security - How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

Question

I'm trying to configure access to my EB environments, and would like to restrict HTTP access (through the ELB) to certain IP addresses.

I have an out of the box EB app (a bunch, actually, with a few environments each) and would like be able to (a) restrict access to specific sets of IPs while (b) having all traffic come through the ELBs. Critically, I'd like to do this by (c) creating a few groups (e.g an admin SG that allows my IP, and a dev SG that allows a team's IPs, and a public SG that allows all IPs) and applying the groups as needed to each EB environment (often in different combinations to different environments) rather than having to update sources in every environment whenever a team member's IP changes or team membership changes. I'd like to do this without digging around in the network structure and just use the default EB structure.

The default ELB security group allows access from all IPs and is not meant to be edited ("Modifications could impact traffic to future ELBs"), so it seems (naively) there are three approaches I could take:

1. Create a new security group with restricted IP sources for HTTP, and assign it to the ELB instead of the default ELB SG.

2. Create a new security group with restricted IP sources for HTTP, and set it as the source for HTTP in my environment's security group.

3. Leave the default ELB in as is, but restrict the range of allowed source IPs in my EB environment's security group (instead of specifying the ELB's SG as a source).

But (1) seems to require that I also specify the new SG, instead of the default ELB SG, as a source in each of my environments, and (2) seems to require that I assign the new SG to the environment's ELB; while it's not clear in (3) whether traffic goes through or is filtered by the ELB at all.

The ideal solution for my purposes (at least in theory) would be to have a a small number of security groups for controlling Web access (e.g. one for admin users that lists specific IPs as sources, another for testers that lists a broader range of IPs, and another for public access), and to assign these to environments (as sources for their SG's rules) as appropriate. But this approach (basically 2, above) seems to require that I also assign the groups to each environment's ELB (i.e. I need combine 1 and 2). (This wouldn't be so quite so awkward except that cloned environments seem to always have default rules for their SGs and default the default SG for their ELBs.)

All this seems too cumbersome and suggests that I'm missing some simpler approach. How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

Answer 1

Sounds like you want to launch your environment inside a VPC so the VPC controls access.

However, if you still just want to use security groups:

1, but assign it to the Beanstalk environment, not the ELB.

You can tell an Elastic Beanstalk Environment to use an already existing Security Group. EB will still create the default Security group, but it will ALSO use your created security group.

You can edit this in the console: Environment -> Configuration -> Instances. But make sure to add your security group to the comma separated list. Don't remove the one already there.