There are 2 possible options to achieve what you want.
If your backend EC2 instances are in a public subnet, you could pre-allocate a pool of Elastic IP addresses and whitelist them with your private resource.
Since your EC2 instances are created by an Auto Scaling group (I assume), you would then have a script that runs on your EC2 instance that would select an Elastic IP address from your pool and associate it with the instance.
A problem occurs if your pool of Elastic IP addresses runs out.
If your EC2 instances are in a private subnet, then you would have all outbound traffic from your EC2 instances go through a NAT.
You would allocate a single Elastic IP address and whitelist that Elastic IP address with your private resource.
If you associate the Elastic IP address with your NAT, then your private resource will see the traffic from all your EC2 instances as originating from the whitelisted IP address.
Since you have the public facing ELB, your backend EC2 instances should be in private subnets for security purposes.
This, along with the extra scripting required for option 1, makes option 2 the preferred choice.
Asked in February 2016 | Viewed 2,582 times | Voted 6 | Answered 1 time
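A sketch of the boot-time script that option 1 calls for, added here as an example and not part of the original answer. It handles two instances racing for the same address and the exhausted-pool case the answer warns about. Assumptions: the pooled addresses carry a hypothetical `Pool` tag, the instance ID is passed as the first argument, and the instance role allows `ec2:DescribeAddresses` and `ec2:AssociateAddress`.

```python
"""Claim a free Elastic IP from a pre-allocated pool at instance boot."""
import sys

POOL_TAG = "backend-egress"  # assumed value of a hypothetical "Pool" tag


class PoolExhausted(RuntimeError):
    """Every address in the pool is already associated."""


def free_allocations(addresses):
    """Return allocation IDs of pool addresses with no current association."""
    return [a["AllocationId"] for a in addresses if "AssociationId" not in a]


def claim_eip(ec2, instance_id, pool_tag=POOL_TAG):
    """Associate one free pool address with instance_id; return its public IP."""
    resp = ec2.describe_addresses(
        Filters=[{"Name": "tag:Pool", "Values": [pool_tag]}])
    by_id = {a["AllocationId"]: a for a in resp["Addresses"]}
    for alloc_id in free_allocations(resp["Addresses"]):
        try:
            # AllowReassociation=False makes the call fail instead of taking
            # an address another instance claimed after our describe call.
            ec2.associate_address(AllocationId=alloc_id,
                                  InstanceId=instance_id,
                                  AllowReassociation=False)
            return by_id[alloc_id]["PublicIp"]
        except Exception as exc:
            # botocore's ClientError exposes the API error code in .response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "Resource.AlreadyAssociated":
                raise  # permissions, throttling, etc. must not be hidden
    raise PoolExhausted(f"no free Elastic IP in pool {pool_tag!r}")


if __name__ == "__main__":
    import boto3  # imported here so the selection logic is testable offline
    try:
        print(claim_eip(boto3.client("ec2"), sys.argv[1]))
    except PoolExhausted as err:
        # Exit non-zero so the boot process can mark the instance unhealthy
        # rather than serve traffic from an address that is not whitelisted.
        sys.exit(f"{err}: instance has no whitelisted address")
```

Failing the instance when the pool is empty lets the Auto Scaling group's health checks surface the problem instead of producing silent connection failures at the private resource.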