Using static IP addresses with ALB

At KeyCore we recently had a customer case that might be of interest to others who deal with firewalls or security departments that can't or won't open access to DNS host names, but only deal in IP addresses.

This makes it hard to use services such as the Application Load Balancer (ALB) and API Gateway, since their endpoints sometimes change IP addresses. This is rather troublesome, but at least for the ALB case there are a couple of official workarounds from AWS.

Solution 1

The first solution is pretty simple: you can contact AWS support and ask them to assign a range of static IP addresses to your ALB. AWS does not advertise this, and they will want you to provide an estimate of how much traffic you are expecting. This is required because AWS will assign a suitably sized pool of IP addresses to your ALB; with the IP range restricted, the ALB can no longer scale indefinitely as it normally does.


Solution 2

This solution is somewhat more complicated, and involves setting up a Network Load Balancer (NLB) in front of the ALB, since the NLB has stable IP addresses. The targets of the NLB's target group are then the ALB's IP addresses. Since these change over time, the target group needs to be updated continuously, so a Lambda function is needed to look up the IP addresses behind the ALB's DNS name every so often and update the target group's IPs with the result. To trigger it you can use a CloudWatch scheduled (timer) event.


It looks something like the picture below.


One thing that unfortunately does not work in this setup is the correct setting of the X-Forwarded-For header. You would expect or hope it to be set to the IP of the actual calling client, but it gets reset to the NLB's IP address.

Besides this caveat, the setup works. Though if you have your ALB listening on more than one port, i.e. 80 and 443, you will of course need more target groups, and also a Lambda per port, or you can modify the Lambda to update more than one target group at a time.
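As an added example (this is not KeyCore's code, nor the code from the AWS article), here is a Python Lambda that implements the sync described for Solution 2, including the multi-port case from the paragraph above: it resolves the ALB's DNS name once and then reconciles each NLB target group against the result. The environment variables `ALB_DNS_NAME` and `TARGET_GROUPS`, the assumption that the NLB target groups use the `ip` target type, and all helper names are assumptions of this example.

```python
"""Added example, not KeyCore's or AWS's code: a scheduled Lambda that keeps
NLB target groups in sync with the IP addresses behind an ALB DNS name.

Assumptions (not from the original post):
- the NLB target groups use target type "ip";
- environment variables ALB_DNS_NAME and TARGET_GROUPS, where TARGET_GROUPS
  is a comma-separated list of <target-group-arn>=<port> pairs, one per ALB
  listener port (e.g. 80 and 443).
"""
import os
import socket


def resolve_ipv4(hostname, resolver=socket.getaddrinfo, lookups=3):
    """Return the sorted union of IPv4 addresses seen over several lookups.

    A single query may return only a subset of the ALB's addresses, so the
    lookup is repeated and the results unioned before anything is treated
    as removed.
    """
    seen = set()
    for _ in range(lookups):
        for info in resolver(hostname, None, socket.AF_INET, socket.SOCK_STREAM):
            seen.add(info[4][0])  # sockaddr tuple (ip, port) -> ip
    return sorted(seen)


def registered_targets(elbv2, target_group_arn):
    """IP addresses currently registered in the target group, whatever their health."""
    resp = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    return sorted({d["Target"]["Id"] for d in resp["TargetHealthDescriptions"]})


def plan_changes(registered, resolved):
    """Diff registered vs. resolved IPs; refuse to empty the target group."""
    if not resolved:
        raise RuntimeError("DNS lookup returned no addresses; leaving targets untouched")
    registered, resolved = set(registered), set(resolved)
    return sorted(resolved - registered), sorted(registered - resolved)


def apply_changes(elbv2, target_group_arn, port, to_add, to_remove):
    """Register new ALB IPs and drain the stale ones (no-op when nothing changed)."""
    if to_add:
        elbv2.register_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": port} for ip in to_add],
        )
    if to_remove:
        elbv2.deregister_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": port} for ip in to_remove],
        )


def sync_target_groups(elbv2, alb_dns_name, target_groups, resolver=socket.getaddrinfo):
    """Resolve the ALB once, then reconcile every (target_group_arn, port) pair."""
    resolved = resolve_ipv4(alb_dns_name, resolver)
    report = {}
    for target_group_arn, port in target_groups:
        registered = registered_targets(elbv2, target_group_arn)
        to_add, to_remove = plan_changes(registered, resolved)
        apply_changes(elbv2, target_group_arn, port, to_add, to_remove)
        report[target_group_arn] = {"added": to_add, "removed": to_remove}
    return report


def parse_target_groups(spec):
    """Parse 'arn1=80,arn2=443' into [(arn1, 80), (arn2, 443)]."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        arn, _, port = item.rpartition("=")
        pairs.append((arn, int(port)))
    return pairs


def lambda_handler(event, context):
    """Entry point for the CloudWatch scheduled rule (assumed trigger).

    boto3 is imported here rather than at module level so the reconcile
    logic above can be exercised without AWS credentials.
    """
    import boto3  # available in the Lambda runtime
    elbv2 = boto3.client("elbv2")
    return sync_target_groups(
        elbv2,
        os.environ["ALB_DNS_NAME"],
        parse_target_groups(os.environ["TARGET_GROUPS"]),
    )
```

Two design points matter for a function that is allowed to rewrite load balancer targets on a timer: it never deregisters anything when the lookup comes back empty (a DNS hiccup must not take the service down), and it unions several lookups before deciding an address has gone away. The Lambda's execution role should be limited to `elasticloadbalancing:DescribeTargetHealth`, `RegisterTargets` and `DeregisterTargets`, scoped to the target group ARNs where the action supports resource-level permissions, so a compromised or misconfigured function cannot touch other load balancers.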

The link to the AWS article with code and detailed instructions for this setup can be found here:
