How to securely connect an AWS load balancer to EC2 instances

Here’s the magic sauce to securely allow traffic to your webservers only from your load balancer: instead of opening the web ports to an IP range, you authorize the load balancer’s security group as the source. Run the following:

ec2-authorize --region REGION -C /path/to/cert.pem -K /path/to/key.pem ELB_NAME -u OWNER_ALIAS -o SOURCE_SECURITY_GROUP

The tricky bits for me were:

  • having to generate an X.509 key and cert just for this purpose (there’s gotta be a way to do that from the web console)
  • OWNER_ALIAS above and in the web console equates to SOURCE-OR-DEST-GROUP-USER in the ec2-authorize(1) manpage.
  • SOURCE_SECURITY_GROUP above and in the web console equates to SOURCE-OR-DEST-GROUP in the ec2-authorize(1) manpage.
  • to remember to include --region

The documentation for this is confusing to someone like me who doesn’t know much AWS security group terminology.

As far as I know, there’s no way to perform, view, or manage this special security setting through the web console.
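Since the console won’t show this rule, a small audit script is the practical way to confirm that the web servers’ group really admits HTTP/HTTPS only from the load balancer’s group. The following is an added example, not code from the original post: it walks security group rules in the shape that `aws ec2 describe-security-groups` returns (GroupId, IpPermissions, IpRanges, UserIdGroupPairs) and reports any source other than the load balancer’s group. The group IDs, owner account and rules below are constructed placeholders; against a real account you would feed it the JSON from that describe call instead.

```python
"""Audit: does the web-server security group admit HTTP/HTTPS only from the
load balancer's security group?

Added example.  The rule layout mirrors what `aws ec2 describe-security-groups`
returns; every identifier and rule below is constructed for illustration.
"""

from typing import Dict, List

WEB_SG_ID = "sg-0web0000000000000"   # hypothetical web-server security group
ELB_SG_ID = "sg-0elb0000000000000"   # hypothetical load-balancer security group
ELB_OWNER = "123456789012"           # hypothetical owner account id
WEB_PORTS = (80, 443)

# Constructed sample: port 80 is correct (only the LB group), port 443 is also
# open to the whole internet, which lets clients bypass the load balancer.
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": WEB_SG_ID,
        "GroupName": "webservers",
        "IpPermissions": [
            {
                "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": ELB_SG_ID, "UserId": ELB_OWNER}],
            },
            {
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": ELB_SG_ID, "UserId": ELB_OWNER}],
            },
        ],
    },
]


def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if an ingress rule applies to TCP traffic on `port`."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_web_group(groups: List[Dict], web_sg_id: str,
                    lb_sg_id: str, lb_owner: str) -> Dict[int, List[str]]:
    """Return {port: [findings]} for each web port.

    An empty findings list means exactly what the post wants: the port is
    reachable only from the load balancer's security group.
    """
    group = next(g for g in groups if g["GroupId"] == web_sg_id)
    findings: Dict[int, List[str]] = {port: [] for port in WEB_PORTS}
    for port in WEB_PORTS:
        lb_allowed = False
        for rule in group["IpPermissions"]:
            if not rule_covers_port(rule, port):
                continue
            # Any CIDR source means the port is reachable without going through the LB.
            for r in rule.get("IpRanges", []):
                findings[port].append(f"open to CIDR {r['CidrIp']}")
            for r in rule.get("Ipv6Ranges", []):
                findings[port].append(f"open to CIDR {r['CidrIpv6']}")
            # Group sources: only the LB's group (owner + id) is expected.
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == lb_sg_id and pair.get("UserId") == lb_owner:
                    lb_allowed = True
                else:
                    findings[port].append(
                        f"open to group {pair.get('GroupId')} owned by {pair.get('UserId')}")
        if not lb_allowed:
            findings[port].append("load balancer group not authorized")
    return findings


if __name__ == "__main__":
    for port, problems in audit_web_group(SAMPLE_GROUPS, WEB_SG_ID, ELB_SG_ID, ELB_OWNER).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"tcp/{port}: {status}")
```

The check is deliberately strict: an "all traffic" rule or any CIDR on the web ports is reported even when the load balancer’s group is also present, because the goal of the post’s command is that the load balancer is the only path in.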