Monday 16 May 2022

How to whitelist an AWS IP address (or IP range)

You do care about security. And so does your organization.

This is why your system admin doesn't allow ANY traffic from the organization network to the internet, except the traffic explicitly needed for the organization's ongoing activity. It is also possible that your organization consumes some service which is not free, and you pay for each request you make. In this case only the relevant services/users/workstations should be allowed to access those specific IPs.



Usually, you want to access an AWS endpoint that is exposed through CloudFront, API Gateway or an ELB. So you want to add the IP of this service to your organization's whitelist. But there is a problem: the IP is not static. It changes in a non-predictable way. So how would you whitelist the IP?

There are two options to do it.

1. Use a Network Load Balancer (NLB). An NLB is a layer 4 load balancer which is part of the AWS ELB (Elastic Load Balancing) services. We are talking about it because you can set a static IP for each availability zone the NLB is balancing.

When creating an NLB you can choose to get the static IP from the AWS pool or from an Elastic IP.


An AWS Elastic IP is a static IP that you can create through the AWS console (or CLI). Note that an Elastic IP costs extra money.

But what happens if my solution has an ALB (Application Load Balancer) and not an NLB?

Not a problem. An ALB can be set as a target for an NLB.
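Option 1 written out as Terraform, as an added example that is not code from the original post. It assumes an existing ALB (its ARN in var.alb_arn), a VPC id in var.vpc_id, and a map of availability zone to public subnet id in var.public_subnets; one Elastic IP is allocated per zone and the ALB is registered as the NLB's target.

```hcl
# Added example (not from the post). Assumed inputs: var.vpc_id, var.alb_arn,
# var.public_subnets (map of az name => public subnet id).
resource "aws_eip" "nlb" {
  for_each = var.public_subnets
  domain   = "vpc"
}

resource "aws_lb" "entry" {
  name               = "static-entry-nlb"
  load_balancer_type = "network"
  internal           = false

  # Pin each AZ of the NLB to its own Elastic IP instead of an AWS-pool address.
  dynamic "subnet_mapping" {
    for_each = var.public_subnets
    content {
      subnet_id     = subnet_mapping.value
      allocation_id = aws_eip.nlb[subnet_mapping.key].id
    }
  }
}

# The ALB is the target; keep that ALB internal so the NLB's fixed IPs are the only public way in.
resource "aws_lb_target_group" "alb" {
  name        = "alb-behind-nlb"
  target_type = "alb"
  protocol    = "TCP"
  port        = 443
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "alb" {
  target_group_arn = aws_lb_target_group.alb.arn
  target_id        = var.alb_arn
  port             = 443
}

# TCP passthrough on 443: TLS still terminates on the ALB.
resource "aws_lb_listener" "tls_passthrough" {
  load_balancer_arn = aws_lb.entry.arn
  protocol          = "TCP"
  port              = 443
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb.arn
  }
}

# Hand exactly these /32s to the organization firewall; clients must use the NLB's DNS name.
output "allowlist" {
  value = [for e in aws_eip.nlb : "${e.public_ip}/32"]
}
```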



But Elastic IPs are assigned randomly. It means you can get one IP like 3.3.3.3 and another one like 172.45.3.5.

Organizations don't like random IPs. They do like ranges of IPs, like 172.45.3.5-172.45.3.8.

So how would you get a proper range?

One option is to ask AWS to create such a range. You need to open a support case with a network request and AWS will take care of the rest.

The second option is to bring your own IP (BYOIP). Yes, AWS allows you to migrate your own range of IPs to AWS.

See this to learn how to do it. 

2. Use AWS Global Accelerator. This service provides an entry point to the AWS private network. Using the AWS private network instead of the public internet gives much lower latency and speeds up your application.

The advantage of Global Accelerator in our use case is the ability to work with an ALB.


Global Accelerator gets 2 static IP addresses. If you want a range of IPs, there is no option to get such a range from AWS, but you can get it through BYOIP. In this case you still need to bring the IPs to AWS following the link I provided above, and choose to use them when you are about to create the Global Accelerator.



The architecture diagram looks almost the same.