I'm creating an internal application load balancer in AWS. I want it to be available/reachable only by SNS, blocking every other request.
I tried looking for the SNS IPs used by AWS (so I can whitelist only those), but there isn't a reliable range.
Is there any way to do this?
PS: I'm using CloudFormation.
You can subscribe an HTTP Endpoint to an Amazon SNS topic.
You could use a Load Balancer's DNS Name as the endpoint, so messages would be sent to the Load Balancer. The Load Balancer will need to be in a public subnet because Amazon SNS is on the Internet.
You will also need to confirm the subscription via a link that SNS sends to the endpoint. (See Using Amazon SNS for System-to-System Messaging with an HTTP/S Endpoint as a Subscriber)
To "limit" the ability to send traffic to the Load Balancer so that only Amazon SNS can send requests, you can configure a security group on the Load Balancer. However, Amazon SNS is not listed in the ip-ranges.json file in AWS IP Address Ranges, so you won't know which IP addresses to permit as inbound traffic.
You could experiment a bit to see what IP addresses SNS appears to use, then assign a larger CIDR range, but this does not guarantee that you will know all possible IP addresses. Therefore, your only other hope is to not restrict access, but risk the possibility of some other system/person sending traffic to the Load Balancer.
Alternative Design
Instead of sending messages from Amazon SNS through the Load Balancer to your application (presumably running on Amazon EC2 instances), you could redesign your application to use an Amazon SQS queue:
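Since the answer above establishes that SNS source addresses cannot be allowlisted at the security group, the practical defence for the HTTP-endpoint design is in the application behind the load balancer: handle the subscription-confirmation and notification message types SNS sends, reject anything whose `TopicArn` is not the expected topic, reject any `SigningCertURL` that does not point at an SNS host, and build the documented string-to-sign so the RSA signature can be verified against the certificate fetched from that URL. The following is an added example, not code from the answer or from AWS; the topic ARN, header values and sample messages are constructed placeholders, and the network steps (fetching `SubscribeURL` and the signing certificate) are left to the caller.

```python
import json
from urllib.parse import urlparse

# Constructed placeholder: the only topic this endpoint should accept messages from.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"

ALLOWED_TYPES = {"SubscriptionConfirmation", "Notification", "UnsubscribeConfirmation"}

# Fields SNS covers with its signature, per message type ("Subject" only when present).
_CONFIRM_FIELDS = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"]
_SIGNED_FIELDS = {
    "Notification": ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
    "SubscriptionConfirmation": _CONFIRM_FIELDS,
    "UnsubscribeConfirmation": _CONFIRM_FIELDS,
}


class SnsMessageError(ValueError):
    """Raised for any request the endpoint should reject (HTTP 4xx, no side effects)."""


def _is_sns_cert_url(url):
    # Assumption: only commercial-partition SNS hosts (sns.<region>.amazonaws.com) are expected.
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return parsed.scheme == "https" and host.startswith("sns.") and host.endswith(".amazonaws.com")


def string_to_sign(msg):
    """Canonical 'Key\\nValue\\n' string that the SNS Signature field covers."""
    parts = []
    for key in _SIGNED_FIELDS[msg["Type"]]:
        if key == "Subject" and "Subject" not in msg:
            continue  # Subject is optional on notifications
        parts.append(f"{key}\n{msg[key]}\n")
    return "".join(parts)


def classify_sns_request(headers, body, expected_topic_arn=EXPECTED_TOPIC_ARN):
    """Validate an inbound SNS HTTP request and say what the endpoint should do next.

    Returns {"action": "confirm"|"notify", "payload": ..., "string_to_sign": ...}.
    "confirm" carries the SubscribeURL the caller must fetch (the link SNS sends);
    "notify" carries the Message body. Raises SnsMessageError for anything else.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    msg_type = hdrs.get("x-amz-sns-message-type")
    if msg_type not in ALLOWED_TYPES:
        raise SnsMessageError("missing or unknown x-amz-sns-message-type header")
    try:
        msg = json.loads(body)
    except ValueError as exc:
        raise SnsMessageError("body is not JSON") from exc
    if msg.get("Type") != msg_type:
        raise SnsMessageError("header and body message types disagree")
    if msg.get("TopicArn") != expected_topic_arn:
        raise SnsMessageError("message is not from the expected topic")
    if not _is_sns_cert_url(msg.get("SigningCertURL", "")):
        raise SnsMessageError("SigningCertURL does not point at an SNS host")
    for key in _SIGNED_FIELDS[msg_type]:
        if key != "Subject" and key not in msg:
            raise SnsMessageError(f"missing signed field {key}")
    if msg_type == "Notification":
        return {"action": "notify", "payload": msg["Message"], "string_to_sign": string_to_sign(msg)}
    return {"action": "confirm", "payload": msg["SubscribeURL"], "string_to_sign": string_to_sign(msg)}


def is_accepted(headers, body, expected_topic_arn=EXPECTED_TOPIC_ARN):
    """Boolean convenience wrapper for health checks and tests."""
    try:
        classify_sns_request(headers, body, expected_topic_arn)
        return True
    except SnsMessageError:
        return False


# Constructed sample messages shaped like the ones SNS posts to an HTTP endpoint.
SAMPLE_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "MessageId": "00000000-0000-0000-0000-000000000001",
    "Token": "placeholder-token",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": "You have chosen to subscribe to the topic.",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=placeholder-token",
    "Timestamp": "2024-01-01T00:00:00.000Z",
    "SignatureVersion": "1",
    "Signature": "placeholder-base64-signature",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-placeholder.pem",
})
SAMPLE_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000002",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": "hello",
    "Timestamp": "2024-01-01T00:00:01.000Z",
    "SignatureVersion": "1",
    "Signature": "placeholder-base64-signature",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-placeholder.pem",
})

if __name__ == "__main__":
    for name, body in (("confirmation", SAMPLE_CONFIRMATION), ("notification", SAMPLE_NOTIFICATION)):
        hdr = {"x-amz-sns-message-type": json.loads(body)["Type"]}
        print(name, classify_sns_request(hdr, body)["action"])
```

The `TopicArn` check is the cheap gate: a request that reaches the load balancer from anywhere else still has to name the exact topic the endpoint was subscribed to. It is not a substitute for checking `Signature` against the certificate at `SigningCertURL` (SHA1 with RSA for `SignatureVersion` 1, SHA256 for version 2), which is what actually proves the message came from SNS; `string_to_sign` produces the input for that check.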