0 votes
428 views
in Technique by (71.8m points)

amazon web services - Limiting access of EC2 app to our developer's IPs without using security groups

On AWS, our EC2 container hosts an app that runs both a backend and a frontend server. The frontend server is our customer-facing app that we want open to the public, and our backend server hosts the admin panel that should be accessible from the web by ONLY the admins and devs.

Normally, we could just create a security group to filter who can access the app. However, doing this would also block users from accessing the frontend app.

We're looking for a solution that not only distinguishes the IP of the user but also takes into account whether they are trying to access the frontend URL or the backend URL.

Any suggestions? Thanks!



1 Answer

0 votes
by (71.8m points)

This logic moves the decision from network-layer protection to the application layer instead; you're trying to prevent access based on the URI, so features like security groups or NACLs would not work.

Instead the approach to take would be to use a WAF as a protective layer in front of your application.

To do this you would add the developers' IPs to an IPSet, then apply ordering through a rule group to always allow the request if it comes from these IPs. After this, the second rule would evaluate the path of the request and block it if it matches a particular pattern. Finally, all other requests would be allowed.

The WAF would need to be attached to either an Application Load Balancer or CloudFront as it cannot be directly attached to an EC2 instance.
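As an added example (not from the answer's author), here are the two ordered WAFv2 rules the answer describes, in the shape the `wafv2.create_web_acl` API takes, plus a small local evaluator that walks them in priority order so you can see why the developer allow rule must come first. The IPSet ARN, the developer CIDRs and the `/admin` prefix for the backend are assumed placeholders.

```python
"""Ordered AWS WAFv2 rules: allow developer IPs, then block the admin path,
then fall through to the web ACL default action (Allow)."""
import ipaddress

# Constructed sample values: replace with your own IPSet ARN and developer ranges.
DEVELOPER_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]   # TEST-NET ranges, assumed
IPSET_ARN = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/developers/PLACEHOLDER"
ADMIN_PREFIX = "/admin"                                    # assumed backend path prefix

def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def build_rules(ipset_arn=IPSET_ARN, admin_prefix=ADMIN_PREFIX):
    """Rules list for wafv2.create_web_acl(Rules=...). Lower Priority is evaluated
    first and Allow/Block are terminating, so the developer allow-list must sit
    ahead of the path block or developers would be blocked from /admin too."""
    return [
        {"Name": "AllowDeveloperIPs", "Priority": 0,
         "Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}},
         "Action": {"Allow": {}}, "VisibilityConfig": visibility("AllowDeveloperIPs")},
        {"Name": "BlockAdminPath", "Priority": 1,
         "Statement": {"ByteMatchStatement": {
             "SearchString": admin_prefix.encode(),
             "FieldToMatch": {"UriPath": {}},
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
             "PositionalConstraint": "STARTS_WITH"}},
         "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockAdminPath")},
    ]

def evaluate(client_ip, path, rules=None, dev_cidrs=DEVELOPER_CIDRS):
    """Local approximation of WAF evaluation: walk rules by Priority and return
    the first terminating action; the web ACL DefaultAction here is Allow."""
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(rules or build_rules(), key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "IPSetReferenceStatement" in stmt:
            matched = any(addr in ipaddress.ip_network(c) for c in dev_cidrs)
        else:  # ByteMatchStatement with LOWERCASE transform and STARTS_WITH
            bm = stmt["ByteMatchStatement"]
            matched = path.lower().startswith(bm["SearchString"].decode())
        if matched:
            return next(iter(rule["Action"]))  # "Allow" or "Block"
    return "Allow"  # DefaultAction of the web ACL

if __name__ == "__main__":
    for ip, p in [("203.0.113.5", "/admin/users"), ("192.0.2.9", "/Admin/"), ("192.0.2.9", "/")]:
        print(ip, p, "->", evaluate(ip, p))
```

To deploy, create the IPSet with `wafv2.create_ip_set` first, then pass `Rules=build_rules(ipset_arn)` and `DefaultAction={"Allow": {}}` to `wafv2.create_web_acl` and associate the web ACL with the ALB or CloudFront distribution in front of the instance.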

