PATTERN Cited by 1 source
Default-closed ALB routing
Intent
Configure an Application Load Balancer's default listener action to return a
fixed error response (typically 403 Forbidden), then add explicit rules for
each allowed path. Traffic to any unlisted path is rejected at the load-balancer
layer — it never reaches the backend application.
Motivation
Standard ALB configuration forwards all unmatched traffic to a default target group. This means the backend must handle (and reject) requests to paths it never intended to expose — debug endpoints, admin interfaces, or internal APIs that happen to be listening. A single misconfiguration exposes them publicly.
Default-closed routing inverts the model: the backend is unreachable by default; paths must be explicitly promoted to the listener-rule allowlist before they become routable.
Structure
ALB Listener (port 443):
Rule 1: path = /healthcheck → Target Group (app:7350)
Rule 2: path = /v2/account/auth/* → Target Group (app:7350)
Rule 10: path = /v2/* → Target Group (app:7350)
Rule 11: path = /v1/* → Target Group (app:7350)
Default: path = * → Fixed Response: 403
Key properties
- Reduced attack surface: scanners probing arbitrary paths get a fixed 403 from the ALB, never an error from the application. No information leakage about the backend technology stack.
- Decoupled from application code: the allowlist lives in infrastructure (Terraform / CloudFormation / CDK), reviewed by the platform team. Application developers don't need to remember to block paths.
- Composable with WAF: AWS WAF rules (rate limiting, geo-blocking, managed rule groups) apply before the ALB listener rules — two layers of filtering before the backend is reached.
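The listener from the Structure section, modelled as a small rule evaluator so the allowlist can be checked before it is deployed (for instance in the CI job that reviews the Terraform). This is an added example, not code from this page or from the Nakama reference architecture; the target group name `tg-app-7350`, the `Rule` and `Listener` classes, the `audit` helper and the sample paths are all constructed here. It implements ALB path-pattern semantics: `*` matches zero or more characters, `?` exactly one, matching is case-sensitive and applies to the URL path only (not the query string), rules are evaluated in ascending priority with the first match winning, and anything unmatched gets the default fixed response.

```python
import re
from dataclasses import dataclass

# Constructed model of the listener in the Structure section.
# ALB path-pattern rules: '*' = zero or more characters, '?' = exactly one
# character, case-sensitive, applied to the path only (query string ignored).
# Rules are evaluated lowest priority number first; first match wins;
# otherwise the listener's default action applies (here: fixed 403).


@dataclass(frozen=True)
class Rule:
    priority: int
    path_patterns: tuple  # any one of these matching selects the rule
    target: str           # target group that the forward action points at


def pattern_to_regex(pattern: str):
    """Translate an ALB path pattern into an anchored regular expression."""
    # Escape everything, then re-enable the two ALB wildcards.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def path_matches(pattern: str, path: str) -> bool:
    return pattern_to_regex(pattern).fullmatch(path) is not None


@dataclass
class Listener:
    rules: list
    default_status: int = 403  # default-closed: unmatched paths never reach the app

    def route(self, raw_path: str):
        """Return ('forward', target, priority) or ('fixed-response', None, status)."""
        path = raw_path.split("?", 1)[0]  # ALB matches the path component only
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if any(path_matches(p, path) for p in rule.path_patterns):
                return ("forward", rule.target, rule.priority)
        return ("fixed-response", None, self.default_status)


def audit(listener: Listener, expect_allowed, expect_blocked):
    """Return the paths that route contrary to expectation; empty list means pass."""
    problems = []
    for p in expect_allowed:
        if listener.route(p)[0] != "forward":
            problems.append(("should_forward", p))
    for p in expect_blocked:
        if listener.route(p)[0] != "fixed-response":
            problems.append(("should_block", p))
    return problems


# Constructed: the four explicit rules from the Structure section, all
# forwarding to one target group (hypothetical name), default 403.
APP = "tg-app-7350"
LISTENER = Listener(rules=[
    Rule(1, ("/healthcheck",), APP),
    Rule(2, ("/v2/account/auth/*",), APP),
    Rule(10, ("/v2/*",), APP),
    Rule(11, ("/v1/*",), APP),
])

if __name__ == "__main__":
    # Constructed sample requests: what a client and a scanner might send.
    for p in ["/healthcheck", "/v2/account/auth/login", "/v2/rpc/echo",
              "/v1/session", "/debug/pprof", "/admin", "/v2", "/Healthcheck"]:
        print(f"{p:28s} -> {LISTENER.route(p)}")
    # Pre-deployment allowlist check: every path a scanner might try must
    # terminate at the ALB, every path the game client needs must forward.
    print("audit:", audit(LISTENER,
                          ["/healthcheck", "/v2/rpc/echo", "/v1/session"],
                          ["/debug/pprof", "/admin", "/metrics", "/.env"]))
```

Two details the evaluator makes visible: `/v2` with no trailing slash falls through to the 403 because `/v2/*` requires the slash, and `/Healthcheck` is rejected because matching is case-sensitive. Both are the kind of surprise worth catching in an `audit` run against the rule set rather than in production.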
Canonical instance
The 2026-06-29 AWS dual-token authentication reference architecture for Nakama
game servers uses default-closed ALB routing with four explicit path rules.
The default 403 means a misconfigured client or a scanner never reaches the
game server.
(Source: sources/2026-06-29-aws-dual-token-authentication-for-nakama-game-servers)
Related
- concepts/default-closed-routing — the general concept
- patterns/alb-path-routing-per-tenant — per-tenant routing on ALB (different shape: multiple target groups, not a deny-all default)
- concepts/egress-sni-filtering — same default-deny principle in the outbound direction
Seen in
- sources/2026-06-29-aws-dual-token-authentication-for-nakama-game-servers — Nakama game server behind ALB