Can you prevent routing traffic to an AWS ALB if the host is an IP address and not a domain name?

Bryan Phillips

8/5/23, 9:31 PM

I'm running an ALB on AWS with multiple SSL certificates. The domain name is dynamically handled via the application on EC2. Currently, the ALB will route requests to the IP address of the ALB to the application. Even though the application has an appropriate exception for these queries, this causes unnecessary log entries in all of the request logs and WAF.

My first two thoughts were…

Add a listener rule that blocks IP addresses. Unfortunately, the only way I see to do that is to have a Host header filter on *.*.*.*. That won't work as we could be serving a site for site.group.example.com.
Only forward request to the target group if the Host header matches one of the SSL Certificates attached to the Listener. The problem here is that I can't find any way to execute this kind of rule.

0 + 0

ssl-certificate

amazon-web-services

amazon-alb

Appleoddity

8/6/23, 4:25 AM

What you are describing is NOT how an ALB usually works. You have configured the default rule to forward to the application rather then discard with an http 404. Or, you’ve created a rule that is including these requests. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#listener-rules

Tim

8/6/23, 9:14 AM

Are you saying you address the ALB by IP address? The IP address of an ALB changes at random times, such as during maintenance or when it scales in / out. Sending everything from the ALB to the application isn't something I've heard of anyone doing, this should be using domain name / SLI.

Bryan Phillips

8/6/23, 1:03 PM

Thanks. This all makes sense and what I had assumed. I can, and currently do, block those request on the application level. It seems like our only alternative to block it before it gets to the application is to build domain specific rules on the listener for each domain that the application will respond to and then leave a default rule to block everything else. As I have multiple ALBs serving the max number of SSL certs each I was checking for a more automated option. I appreciate the time you took to comment.

Score:0

Server

Bryan Phillips

8/7/23, 3:21 PM

Updating this as answered based on the comments. Essentially, it's an "unask the question" situation since the solution is to list all domain names as filters and have a final default rule that discards the request.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Can you prevent routing traffic to an AWS ALB if the host is an IP address and not a domain name?

TH: คุณสามารถป้องกันการกำหนดเส้นทางทราฟฟิกไปยัง AWS ALB ได้หรือไม่ หากโฮสต์เป็นที่อยู่ IP ไม่ใช่ชื่อโดเมน

RO: Puteți împiedica rutarea traficului către un AWS ALB dacă gazda este o adresă IP și nu un nume de domeniu?

RU: Можно ли запретить маршрутизацию трафика на AWS ALB, если хост является IP-адресом, а не доменным именем?

VI: Bạn có thể ngăn lưu lượng truy cập định tuyến tới AWS ALB nếu máy chủ lưu trữ là địa chỉ IP chứ không phải tên miền không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.