
Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)


Question

I need a static IP address that handles SSL traffic from a known source (a partner). The reason the IP needs to be static is that the partner requires this in order to maintain the PCI compliance.

Our servers are behind an AWS Elastic Load Balancer (ELB), which cannot provide a static IP address; many threads about this here.

My thought is to create an instance in EC2 whose sole purpose in life is to be a reverse proxy server having its own IP address; accepting HTTPS requests and forwarding them to the load balancer.

Are there better solutions?

Asked by tharrison

Answer

In the end, I implemented the requirement of our partner as follows:

  • Launched an instance in AWS
  • Allocated and attached an Elastic IP (EIP) to it
  • Installed Apache
  • (In our case, installed our SSL certificate)
  • Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB

Here’s a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a <Directory> block that accepts requests only from their IP range.

<IfModule mod_ssl.c>
# Catch non-SSL requests and redirect to SSL
<VirtualHost 12.34.567.890:80>
  ServerName our-static-ip-a-record.example.com
  Redirect / https://our-elb-cname.example.com
</VirtualHost>

# Handle SSL requests on the static IP
<VirtualHost 12.34.567.890:443>
  ServerAdmin monitor@example.com
  ServerName our-static-ip-a-record.example.com

  # SSL Configuration
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
  SSLCertificateFile    /etc/apache2/ssl/example.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/private.key
  # Additional defaults, e.g. ciphers, defined in apache's ssl.conf

  # Where the magic happens
  ProxyPass / https://our-elb-cname.example.com/
  ProxyPassReverse / https://our-elb-cname.example.com/

  # Might want this on; sets X-Forwarded-For and other useful headers
  ProxyVia off

  # This came from an example I found online, handles broken connections from IE
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Hope this saves someone else some time in the future :-)

Answered by tharrison
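As an added example, not the answer's own configuration: an Apache 2.4 virtual host for the static-IP proxy that does what the answer sketches, with the partner source-range allow-list the answer mentions, verification of the ELB's certificate on the upstream leg (the original only enables SSLProxyEngine, which encrypts but does not verify), and a per-request log of source IP, TLS version and cipher. Every address (203.0.113.10, 198.51.100.0/24, 2001:db8:1234::/48), hostname, certificate path and the Debian-style ${APACHE_LOG_DIR} variable is a placeholder to replace; it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are enabled. Apache does not allow comments after a directive on the same line, so every comment here sits on its own line.

```apache
# Added example, not the original answer's config. Apache 2.4 syntax (Require ip).
# Placeholders: 203.0.113.10 = the EIP, 198.51.100.0/24 and 2001:db8:1234::/48 =
# the partner's published ranges, our-elb-cname.example.com = CNAME to the ELB.
<IfModule mod_ssl.c>

# Plain HTTP is never proxied; the partner is sent to HTTPS on the same name.
<VirtualHost 203.0.113.10:80>
    ServerName partner-gw.example.com
    Redirect permanent / https://partner-gw.example.com/
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName  partner-gw.example.com
    ServerAdmin monitor@example.com

    # TLS towards the partner, terminated on the EIP instance.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/partner-gw.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/partner-gw.example.com.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder   on
    Header always set Strict-Transport-Security "max-age=31536000"

    # Source restriction: only the partner's ranges may reach this vhost.
    # Several Require lines in one container are OR'ed. Keep the EC2 security
    # group on the instance in sync with this list (defence in depth).
    <Location "/">
        Require ip 198.51.100.0/24
        Require ip 2001:db8:1234::/48
    </Location>

    # TLS towards the ELB: verify the ELB's certificate chain and hostname,
    # so a DNS or routing change cannot silently redirect the proxied traffic.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCheckPeerName     on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Proxying. ProxyRequests Off makes sure this never becomes an open
    # forward proxy; ProxyAddHeaders lets mod_proxy_http add X-Forwarded-For,
    # X-Forwarded-Host and X-Forwarded-Server for the backend's own logs.
    ProxyRequests     Off
    ProxyPreserveHost Off
    ProxyAddHeaders   On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyTimeout      30
    ProxyPass         / https://our-elb-cname.example.com/ retry=0
    ProxyPassReverse  / https://our-elb-cname.example.com/

    # Audit trail: client IP, request, status, bytes, TLS protocol and cipher.
    LogFormat "%h %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x" partner_tls
    CustomLog ${APACHE_LOG_DIR}/partner-access.log partner_tls
    ErrorLog  ${APACHE_LOG_DIR}/partner-error.log
</VirtualHost>

</IfModule>
```

Validate with `apachectl configtest` before reloading. ProxyPreserveHost is Off so the ELB CNAME is sent as the Host header and SSLProxyCheckPeerName has a name to match; if the application behind the ELB needs the original Host, switch it On and make sure the ELB's certificate also covers that name.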
