AWS - NLB forwarding to ALB - Supported?

02-14-2022 07:57 AM
ChrisDupont1
Esri Contributor

I'm attempting to set up an ArcGIS Enterprise environment in a very restricted AWS account. This account only has private subnets, and the environment can only be accessed via the Transit Gateway that connects the internal network to the AWS account.

As part of this setup, I have configured an ALB to redirect 443 requests to corresponding target groups that hold the Portal and Server EC2 instances. A private domain has been created and an 'A' record set up to point to this ALB. However, before it can be made accessible, the client needs to open up their firewall to allow access to the ALB IPs... but the ALB IPs are based on a CIDR block for each AZ (which means that there are 4096 IPs it can use from each AZ). Unfortunately, this is considered to be too many IPs to whitelist, so the request is that an NLB be set up to redirect requests to the ALB, as the NLB can be configured to only use 1-2 static IPs.

Is anyone aware if this is a supported practice? My understanding is that any reverse proxy should be pointing to the Web Adaptor or server directly (as the ALB currently does), so an NLB-->ALB-->Web Adaptor setup appears to violate this. Some preliminary testing in my own AWS account shows that I can use an NLB to point to the ALB and have ArcGIS Enterprise appear to open without any issues, but I am concerned that there may be underlying problems that don't reveal themselves right away.

Thanks in advance.

Accepted Solutions
ChristopherPawlyszyn
Esri Contributor

The addition of an additional load balancer in the web-tier certainly adds a bit of complication, but since NLBs perform their proxy action transparently (from a layer 7/application perspective) the architecture you're proposing should not introduce any issues for ArcGIS Enterprise.

The DNS record would be updated to point to the NLB as opposed to the ALB, but as long as the Portal and federated server URLs stay consistent no other changes need to be made.


-- Chris Pawlyszyn
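As an added example (not code from this thread or from Esri), the Terraform fragment below lays out the NLB-in-front-of-ALB arrangement discussed above: an internal NLB pinned to one static private IP per AZ, forwarding TCP/443 to the existing ALB through an alb-type target group. It assumes the ALB is already managed as aws_lb.alb; the VPC ID, subnet IDs and the two private IPs are placeholders.

```hcl
# Added example, not from the original thread. Assumes aws_lb.alb already
# exists; VPC, subnet and IP values below are placeholders.

variable "vpc_id"          { type = string }
variable "private_subnets" { type = list(string) }   # exactly two, one per AZ
variable "nlb_private_ips" {
  type    = list(string)
  default = ["10.0.1.10", "10.0.2.10"]   # placeholder: one free IP in each subnet
}

# Internal NLB. Each subnet mapping pins one static private IPv4 address, so the
# client firewall only needs to allow these two addresses rather than the ALB's
# per-AZ CIDR ranges.
resource "aws_lb" "nlb" {
  name               = "arcgis-nlb"
  internal           = true
  load_balancer_type = "network"

  dynamic "subnet_mapping" {
    for_each = zipmap(var.private_subnets, var.nlb_private_ips)
    content {
      subnet_id            = subnet_mapping.key
      private_ipv4_address = subnet_mapping.value
    }
  }
}

# Target group whose only target is the ALB itself (target_type = "alb").
# The NLB passes the TCP connection through; TLS still terminates on the ALB,
# so the ALB listener, certificate and routing rules are unchanged.
resource "aws_lb_target_group" "alb_tg" {
  name        = "arcgis-nlb-to-alb"
  target_type = "alb"
  protocol    = "TCP"
  port        = 443
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "alb" {
  target_group_arn = aws_lb_target_group.alb_tg.arn
  target_id        = aws_lb.alb.arn
  port             = 443
}

# TCP/443 listener on the NLB forwarding to the ALB target group.
resource "aws_lb_listener" "tls_passthrough" {
  load_balancer_arn = aws_lb.nlb.arn
  protocol          = "TCP"
  port              = 443
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb_tg.arn
  }
}
```

The private DNS 'A' record then points at the NLB's fixed addresses instead of the ALB, and the ALB's security group rules are not touched by this fragment, so verify they still admit the forwarded traffic and the NLB's health checks.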
