I have a situation where DDoS attacks occasionally bring my PHP server down.
I'm using AWS with auto scaling groups, so that in itself is not a problem.
The problems start when this server goes down in the middle of a PHP script scheduled by a cron job.
So my idea was to block all of the routes on the PHP servers except for /healthcheck
...
How can I do that, and is there a better solution?
How about running your cron jobs on a dedicated small instance or on a Fargate container outside of the ASG? The cron instance doesn't have to run all the time: simply start it up just before you want to run the job and shut it down after it's done. That's how I would do it, rather than hoping that the instance won't go down halfway through the cron job.
Hope that helps :)
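The "start it just before the job, stop it afterwards" flow above, as an added example that is not part of the original answer. It assumes a stopped EC2 instance that already exists, runs the SSM agent with an instance profile that allows Systems Manager, and that the caller's AWS CLI credentials can start, stop and send commands to it; the instance ID and script path are hypothetical placeholders. The job runs through SSM Run Command so no SSH key or open port is needed, and the instance is stopped even when the job fails.

```shell
#!/bin/sh
# Run a scheduled PHP job on a dedicated instance that is only up for the job.
# Assumed: instance exists (stopped), has the SSM agent + an SSM-capable
# instance profile; instance ID and script path below are placeholders.
set -eu

# Start the instance and block until it is reachable through SSM.
start_job_instance() {
  instance_id=$1
  aws ec2 start-instances --instance-ids "$instance_id" >/dev/null
  aws ec2 wait instance-running --instance-ids "$instance_id"
  aws ec2 wait instance-status-ok --instance-ids "$instance_id"
  # instance-status-ok does not mean the SSM agent has registered yet; poll for it
  # (up to ~5 minutes) before sending a command.
  n=0
  until [ "$(aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$instance_id" \
        --query 'length(InstanceInformationList)' --output text)" = "1" ]; do
    n=$((n + 1)); [ "$n" -lt 30 ] || return 1
    sleep 10
  done
}

# Run the PHP script via SSM Run Command, print its stdout, return its status.
run_job() {
  instance_id=$1
  script=$2
  command_id=$(aws ssm send-command \
      --instance-ids "$instance_id" \
      --document-name AWS-RunShellScript \
      --parameters "commands=[\"php $script\"]" \
      --query 'Command.CommandId' --output text)
  # 'wait command-executed' exits non-zero when the command fails or times out;
  # record that instead of aborting so the caller can still stop the instance.
  if aws ssm wait command-executed --command-id "$command_id" --instance-id "$instance_id"; then
    status=0
  else
    status=1
  fi
  aws ssm get-command-invocation --command-id "$command_id" --instance-id "$instance_id" \
      --query 'StandardOutputContent' --output text
  return "$status"
}

stop_job_instance() {
  aws ec2 stop-instances --instance-ids "$1" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$1"
}

# Orchestrate: start, run, always stop. Returns the job's exit status.
run_batch_job() {
  instance_id=$1
  script=$2
  start_job_instance "$instance_id"
  rc=0
  run_job "$instance_id" "$script" || rc=$?
  stop_job_instance "$instance_id"
  return "$rc"
}

# Usage (placeholders): ./run_batch_job.sh run i-0123456789abcdef0 /var/www/app/cron/nightly.php
if [ "${1:-}" = "run" ]; then
  run_batch_job "$2" "$3"
fi
```

Schedule this wrapper from somewhere that is not itself in the autoscaled pool (an EventBridge rule, a tiny management host, or your CI scheduler), so a scaled-in web node can no longer take the job down with it. If the job is idempotent or checkpointed, a non-zero exit from the wrapper can simply be retried.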
How about DDoS protection instead? AWS should block the worst of it with AWS Shield, and you can pay for Shield Advanced if you want more protection. AWS WAF might be of some use, with rate limiting and rules for rejecting traffic. Make sure you're using Route 53 for DNS, CloudFront, and an ALB for Shield to work best.
Alternatively, put Cloudflare in front of your ALB. They have free and reasonably priced plans that work well for DDoS protection.
To solve the problem in the way you requested, MLu's suggestion of running the batch job on temporary compute is a good idea. Lambda could also work, depending on the nature and length of the job: if it can be parallelised, have one Lambda start as many others in parallel as you need.
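The WAF rate-limiting suggestion above, as an added example that is not part of the original answer. It builds a WAFv2 rate-based rule that blocks any source IP exceeding a request limit in WAF's 5-minute window, creates a REGIONAL web ACL with it, and attaches the ACL to an ALB. The ACL name, limit and ALB ARN are hypothetical placeholders passed by the caller; the JSON shape follows the WAFv2 CreateWebACL rule schema.

```shell
#!/bin/sh
# Create a WAFv2 rate-based rule and attach it to an ALB.
# Assumed: REGIONAL scope (ALB), AWS CLI v2 with wafv2 permissions;
# ACL name, limit and ALB ARN are placeholders supplied by the caller.
set -eu

# Emit the --rules document. A rate-based rule counts requests per source IP
# over a 5-minute window and applies the action while the IP is over LIMIT.
waf_rate_rule_json() {
  limit=$1
  cat <<EOF
[
  {
    "Name": "rate-limit-per-ip",
    "Priority": 0,
    "Statement": {
      "RateBasedStatement": { "Limit": $limit, "AggregateKeyType": "IP" }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimitPerIp"
    }
  }
]
EOF
}

# Create the web ACL with the rule and associate it with the ALB; prints the ACL ARN.
create_and_attach_web_acl() {
  acl_name=$1; limit=$2; alb_arn=$3
  rules_file=$(mktemp)
  waf_rate_rule_json "$limit" > "$rules_file"
  acl_arn=$(aws wafv2 create-web-acl \
      --name "$acl_name" --scope REGIONAL \
      --default-action Allow={} \
      --rules "file://$rules_file" \
      --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$acl_name" \
      --query 'Summary.ARN' --output text)
  rm -f "$rules_file"
  aws wafv2 associate-web-acl --web-acl-arn "$acl_arn" --resource-arn "$alb_arn"
  echo "$acl_arn"
}

# Usage (placeholders): ./waf_rate_limit.sh run php-rate-limit 2000 arn:aws:elasticloadbalancing:...:loadbalancer/app/...
if [ "${1:-}" = "run" ]; then
  create_and_attach_web_acl "$2" "$3" "$4"
fi
```

Pick the limit from the sampled requests and CloudWatch metrics of a legitimate peak first; set `"Action": { "Count": {} }` while tuning so nothing is blocked, then switch to Block. A per-IP rule only slows down attackers who reuse addresses; for a widely distributed flood it has to be combined with Shield and with not exposing the origin instances directly.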