AWS ALB to Protect Instances with Public IPs (Elaborated)

If your EC2 instances have public IPs, an AWS Application Load Balancer (ALB) can help
— but the strongest security improvement is using the ALB to eliminate direct internet reachability
to those instances.

Best practice: Make the ALB the only internet-facing endpoint and place compute in
private subnets with no public IPs.

1) Best-Practice Architecture: Public ALB, Private Instances

  • ALB: internet-facing, deployed in public subnets
  • Targets (EC2/ECS/EKS): deployed in private subnets, no public IPs
  • Security Groups:
    • ALB SG: allow 443 (and optionally 80 for redirect) from approved sources
    • Instance SG: allow app port(s) only from the ALB SG

Protection You Gain

  • No direct scanning/exploitation of instances from the internet (instances are not reachable)
  • Centralized TLS termination (ACM certs, modern cipher policies, redirects)
  • Single ingress choke-point for WAF, routing rules, and logging
  • Health checks reduce exposure to unhealthy nodes

2) If Instances Already Have Public IPs: How ALB Still Helps

You can still place an ALB in front of instances that have public IPs, but you must ensure those instances are
not directly reachable by tightening security groups.

Pattern: “ALB in Front, Public IPs Exist but Are Useless”

  • Keep public IPs on instances (not ideal, but sometimes required temporarily)
  • Instance SG inbound rules:
    • Remove inbound from 0.0.0.0/0 (and ::/0) to app ports
    • Allow app port(s) only from the ALB Security Group
  • Administrative access: do not expose SSH/RDP to the internet. Use:
    • AWS Systems Manager Session Manager (preferred)
    • or a bastion host with strict IP allowlist
    • or VPN/Direct Connect

Key point: A public IP is not “safe” just because an ALB exists. It becomes safe when
security groups (and NACLs, if used) block all direct inbound except from the ALB.

3) What ALB Protects You From (and Enables)

3.1 Architectural Protection: Remove Direct Exposure

  • Forces a single entry point (ALB)
  • Reduces attack surface by preventing direct-to-instance traffic

3.2 TLS Termination & Policy Enforcement

  • Centralized certificate management with AWS Certificate Manager (ACM)
  • HTTP to HTTPS redirects
  • Consistent TLS policies across apps
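The two listener properties this section relies on (an HTTP listener whose only job is a permanent redirect to HTTPS, and an HTTPS listener pinned to a hardened TLS policy) can be checked mechanically. The following is an added example, not code from the original page: it audits listener records in the shape of the ElasticLoadBalancingV2 DescribeListeners response. The listeners below are constructed for the example, and the set of policies treated as "hardened" is an assumption you would adjust to your own baseline.

```python
# Added example (not from the original page): audit ALB listeners for the
# HTTP->HTTPS redirect and a hardened TLS policy. Input records follow the
# shape of the DescribeListeners API response; the sample listeners are
# constructed, and HARDENED_TLS_POLICIES is an assumed baseline.
from typing import Dict, List

# Assumption: only these predefined ALB policies (TLS 1.2/1.3 only) count as hardened.
HARDENED_TLS_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
}


def audit_listeners(listeners: List[Dict]) -> List[str]:
    """Return findings for a load balancer's listeners (empty list = clean)."""
    findings: List[str] = []

    https = [l for l in listeners if l.get("Protocol") == "HTTPS"]
    if not https:
        findings.append("no HTTPS listener: TLS is not terminated at the ALB")
    for l in https:
        policy = l.get("SslPolicy", "")
        if policy not in HARDENED_TLS_POLICIES:
            findings.append(
                f"HTTPS:{l['Port']} uses TLS policy '{policy or 'unset'}', outside the hardened set"
            )

    for l in listeners:
        if l.get("Protocol") != "HTTP":
            continue
        # The default action of a plaintext listener should be a redirect, not a forward.
        redirect = next(
            (a for a in l.get("DefaultActions", []) if a.get("Type") == "redirect"), None
        )
        if redirect is None:
            findings.append(
                f"HTTP:{l['Port']} default action is not a redirect, so plaintext HTTP is served"
            )
            continue
        cfg = redirect.get("RedirectConfig", {})
        if cfg.get("Protocol") != "HTTPS" or cfg.get("StatusCode") != "HTTP_301":
            findings.append(f"HTTP:{l['Port']} redirect is not a permanent (301) redirect to HTTPS")
    return findings


# Constructed sample: the intended configuration (redirect + hardened policy).
GOOD_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "Host": "#{host}", "Path": "/#{path}",
                                            "Query": "#{query}", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/EXAMPLE"}]},
]

# Constructed sample: plaintext served on 80, and the older default policy
# (ELBSecurityPolicy-2016-08 still permits TLS 1.0 and 1.1) on 443.
WEAK_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/EXAMPLE"}]},
    {"Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/EXAMPLE"}]},
]

if __name__ == "__main__":
    for name, listeners in (("good", GOOD_LISTENERS), ("weak", WEAK_LISTENERS)):
        print(name, audit_listeners(listeners) or "OK")
```

In a real account the same function takes the `Listeners` list returned by `describe_listeners` for each load balancer; the policy set is the only part that is opinion rather than API shape.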

3.3 Attach AWS WAF to ALB

WAF is usually where “web protection” lives (not the ALB alone).

  • Managed rule groups (OWASP-style, known patterns and bots)
  • Rate limiting / throttling
  • Geo restrictions / allowlists
  • Custom rules for paths, headers, payload patterns

3.4 Observability & Audit Trails

  • ALB access logs to S3
  • CloudWatch metrics (4xx/5xx, target response time)
  • Centralized view of traffic and anomalies (especially with WAF logs)
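To make the "centralized view of traffic and anomalies" concrete, here is an added example (not code from the original page) that parses ALB access log entries in the space-separated, partly double-quoted layout ALB writes to S3, builds the 2xx/4xx/5xx breakdown the CloudWatch metrics summarize, and lists clients whose requests are mostly errors. The log lines are constructed in the documented field order, and the request-count and error-ratio thresholds are assumptions.

```python
# Added example (not from the original page): parse ALB access log lines and
# surface per-client error concentrations. SAMPLE_LINES are constructed in the
# documented ALB access log layout; thresholds are assumptions.
import shlex
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Leading field names of an ALB access log entry, in the documented order.
FIELDS = ["type", "time", "elb", "client_port", "target_port",
          "request_processing_time", "target_processing_time",
          "response_processing_time", "elb_status_code", "target_status_code",
          "received_bytes", "sent_bytes", "request", "user_agent",
          "ssl_cipher", "ssl_protocol", "target_group_arn", "trace_id"]


def parse_alb_line(line: str) -> Dict[str, str]:
    """Split one entry, honouring the double-quoted fields (request, user agent, ...)."""
    parts = shlex.split(line)
    entry = dict(zip(FIELDS, parts))
    entry["client_ip"] = entry["client_port"].rsplit(":", 1)[0]
    return entry


def status_histogram(lines: Iterable[str]) -> Dict[str, int]:
    """Count ELB status codes by class, e.g. {"2xx": 8, "4xx": 6, "5xx": 2}."""
    classes = Counter(parse_alb_line(l)["elb_status_code"][0] + "xx"
                      for l in lines if l.strip())
    return dict(classes)


def error_clients(lines: Iterable[str], min_requests: int = 5,
                  max_error_ratio: float = 0.5) -> List[str]:
    """Client IPs with >= min_requests requests of which more than max_error_ratio
    were 4xx/5xx at the ALB: a broken client, a probe, or a fault hitting one caller.
    (Both thresholds are assumptions; tune them to your traffic.)"""
    total: Dict[str, int] = defaultdict(int)
    errors: Dict[str, int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        e = parse_alb_line(line)
        total[e["client_ip"]] += 1
        if e["elb_status_code"][0] in "45":
            errors[e["client_ip"]] += 1
    return sorted(ip for ip, n in total.items()
                  if n >= min_requests and errors[ip] / n > max_error_ratio)


# Constructed log line in the documented layout (ids, ARNs and addresses are placeholders).
_TEMPLATE = (
    "https 2024-01-01T00:00:{sec:02d}.000000Z app/web-alb/0123456789abcdef "
    "{client}:{port} 10.0.1.10:8080 0.001 0.002 0.000 {status} {status} 120 512 "
    '"GET https://app.example.com:443{path} HTTP/1.1" "curl/8.0.0" '
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/abc123 "
    '"Root=1-00000000-000000000000000000000000" "app.example.com" "-" 1 '
    '2024-01-01T00:00:{sec:02d}.000000Z "forward" "-" "-" "10.0.1.10:8080" "{status}" "-" "-"'
)

_REQUESTS = ([("203.0.113.10", 200, "/")] * 6            # healthy client
             + [("198.51.100.7", 404, "/missing")] * 6   # mostly misses
             + [("198.51.100.7", 200, "/")] * 2
             + [("192.0.2.5", 500, "/api")] * 2)         # too few requests to judge

SAMPLE_LINES = [
    _TEMPLATE.format(sec=i, client=c, port=50000 + i, status=s, path=p)
    for i, (c, s, p) in enumerate(_REQUESTS)
]

if __name__ == "__main__":
    print(status_histogram(SAMPLE_LINES))
    print("clients to review:", error_clients(SAMPLE_LINES))
```

Pointed at the gzipped objects under the ALB log prefix in S3 (one entry per line), the same two functions give a first-pass anomaly view without any additional tooling; the WAF logs, when enabled, add the rule that matched, which this parser does not cover.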

3.5 Safer Deployments

  • Health checks and target group routing
  • Blue/green and canary releases via weighted target groups

4) What ALB Does NOT Protect You From

  • Compromise via other vectors (stolen credentials, SSRF, supply chain issues)
  • Non-HTTP(S) protocols (ALB is Layer 7; for TCP/UDP you typically need an NLB)
  • Direct-to-instance access if inbound rules still allow it
  • Large-scale DDoS by itself (use AWS Shield + WAF + architecture)

5) Recommended Secure Internet Application Stack

  • CloudFront (optional but strong) → WAF → ALB → Private compute
  • Instances: no public IPs
  • Admin access: SSM Session Manager
  • Centralized logging: CloudTrail, ALB/WAF logs → S3 (with retention/immutability controls)

6) Quick Checklist

  • EC2 targets in private subnets with no public IPs
  • Instance SG inbound allows app ports only from ALB SG
  • No SSH/RDP from the internet; use SSM or VPN/bastion
  • Attach AWS WAF to ALB (or CloudFront)
  • Enable ALB access logs (and WAF logs if used)
  • Enforce HTTPS (redirect + hardened TLS policy)

7) Example Security Group Intent (Conceptual)

ALB Security Group (Inbound)
- TCP 443 from approved sources (0.0.0.0/0 or stricter allowlist)
- TCP 80 optional (redirect to 443)

Instance Security Group (Inbound)
- App Port (e.g., TCP 80/443/8080) ONLY from ALB Security Group
- Admin ports: NONE from internet (use SSM/VPN/Bastion)

Outbound (Both)
- As required (prefer least privilege; consider egress controls/proxy)
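The intent above, and the "public IPs exist but are useless" pattern in section 2, both come down to one check: the instance security group admits the app port from the ALB security group and nothing else, and admits no admin port from the internet. As an added example (not code from the original page), the following audits security-group records in the shape of the EC2 DescribeSecurityGroups response. The group IDs, ports and rules are constructed for the example; in practice the ALB SG id and the app-port list come from your own environment.

```python
# Added example (not from the original page): check instance and ALB security
# groups against the stated intent. Records follow the shape of the EC2
# DescribeSecurityGroups response; group ids, ports and rules are constructed.
from typing import Dict, List, Tuple

INTERNET = {"0.0.0.0/0", "::/0"}   # "anywhere" sources
ADMIN_PORTS: Tuple[int, ...] = (22, 3389)   # SSH / RDP


def _covers(perm: Dict, port: int) -> bool:
    """True when an IpPermissions entry spans TCP `port` (IpProtocol -1 = all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm: Dict) -> List[str]:
    """Every source of a rule: IPv4 CIDRs, IPv6 CIDRs and referenced security groups."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return srcs


def audit_instance_sg(sg: Dict, alb_sg_id: str, app_ports: List[int]) -> List[str]:
    """Findings for an instance SG: app ports only from the ALB SG, no admin ports from the internet."""
    findings: List[str] = []
    for perm in sg.get("IpPermissions", []):
        srcs = _sources(perm)
        for port in app_ports:
            if not _covers(perm, port):
                continue
            for src in srcs:
                if src in INTERNET:
                    findings.append(f"app port {port} open to {src}")
                elif src != alb_sg_id:
                    findings.append(f"app port {port} allowed from {src}, expected only {alb_sg_id}")
        for port in ADMIN_PORTS:
            if _covers(perm, port) and any(s in INTERNET for s in srcs):
                findings.append(f"admin port {port} reachable from the internet")
    return findings


def audit_alb_sg(sg: Dict, allowed_ports: Tuple[int, ...] = (443, 80)) -> List[str]:
    """The ALB SG should carry nothing but single-port TCP rules for its listener ports."""
    findings: List[str] = []
    for perm in sg.get("IpPermissions", []):
        single = perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == perm.get("ToPort")
        if not single or perm.get("FromPort") not in allowed_ports:
            findings.append(
                f"unexpected inbound rule {perm.get('IpProtocol')} "
                f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            )
    return findings


# Constructed group ids (placeholders, not real resources).
ALB_SG_ID = "sg-0123456789abcdef0"
INSTANCE_SG_ID = "sg-0fedcba9876543210"


def _rule(from_port, to_port, cidrs=(), groups=(), proto="tcp") -> Dict:
    """Build one IpPermissions entry in the API's shape."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


ALB_SG = {"GroupId": ALB_SG_ID, "IpPermissions": [
    _rule(443, 443, cidrs=("0.0.0.0/0", "::/0")),
    _rule(80, 80, cidrs=("0.0.0.0/0",)),          # only for the HTTPS redirect
]}

# Matches the intent: app port 8080 from the ALB SG only.
GOOD_INSTANCE_SG = {"GroupId": INSTANCE_SG_ID, "IpPermissions": [
    _rule(8080, 8080, groups=(ALB_SG_ID,)),
]}

# Public IP still reachable: 8080 also open to the internet, SSH from anywhere.
BAD_INSTANCE_SG = {"GroupId": INSTANCE_SG_ID, "IpPermissions": [
    _rule(8080, 8080, cidrs=("0.0.0.0/0",), groups=(ALB_SG_ID,)),
    _rule(22, 22, cidrs=("0.0.0.0/0",)),
]}

if __name__ == "__main__":
    print("alb:", audit_alb_sg(ALB_SG) or "OK")
    print("good:", audit_instance_sg(GOOD_INSTANCE_SG, ALB_SG_ID, [8080]) or "OK")
    print("bad:", audit_instance_sg(BAD_INSTANCE_SG, ALB_SG_ID, [8080]))
```

Against a live account, feed each group from `describe_security_groups` to the matching function; a clean result for the instance SG is what turns a lingering public IP into the "exists but is useless" state described in section 2, and a NACL review is still a separate step.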