How can I route requests based on the source IP using an Application Load Balancer?
Last updated: 2020-09-23
I want to perform specific actions on requests based on the source IP address of the request. This might include sending custom responses to specific users, or serving different versions of an application to a certain set of users. How can I do this using an Application Load Balancer?
There are several use cases in which you might want to perform specific actions based on the source IP address of a request. For example, let's say that you have two versions of an application. One version is a public version that's meant for global users. The other is an internal version that includes some extended (beta) features. You might only want the internal version to be available to employees accessing the application from corporate network CIDRs. To accomplish this, and many other similar tasks, you can configure listener rules based on source IP addresses.
Before you begin, keep in mind that a rule based on source IP checks the source IP address in the IP header (layer-3). If there's a proxy or firewall between the client and the Application Load Balancer that changes the source IP address, specify the firewall or proxy's IP address in the listener rule.
Also, avoid using listener rules to block requests from clients. It's a best practice to use security groups or network access control lists instead. To block a large number of clients, you can use AWS WAF.
- Create an Application Load Balancer, if you don't already have one.
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- On the navigation pane, under Load Balancing, choose Load Balancers.
- Select your load balancer.
- Choose the Listeners tab.
- Select your listener, and then choose View/edit rules.
- Choose the Add rules icon (the plus sign), and then choose Insert rule.
- Choose Add condition, and then choose Source IP.
- Specify the IP addresses for which you plan to configure a different action.
Note: You can specify either a single IP address or network CIDRs with prefixes. For example, "220.127.116.11/32" or "10.8.0.0/21".
- Choose Add action, and then select the required action. For example:
Forward – To forward to a different target group. (Such as forwarding to a target group running an internal version of an application.)
Return fixed response – To block specific users or provide custom responses to specific users.
- To save the condition, choose the checkmark icon.
- To save the rule, choose Save.