Whitelist EC2 instances in ASG to access AWS WAF - amazon-web-services

I have a CloudFront Distribution with a WAF (Web Application Firewall) attached to it, to restrict public access.
I also have a fleet of EC2 instances running under an ASG (Auto Scaling Group), and I wish to whitelist the EC2 instances to access the CloudFront distribution. Is it possible to create such a configuration in my infrastructure?
Please note that the IP addresses of the EC2 instances are not fixed. They are controlled by the ASG attached. Also, the ASG is created in a public subnet.
Any help would be appreciated. Thanks

You would have to trigger some sort of script every time the ASG adds an instance, to add the instance's public IP to the WAF.
I would suggest moving the EC2 instances to private subnets with routes to NAT gateways; then you would only have to whitelist the Elastic IPs of the NAT Gateway(s).
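A concrete shape for the script the answer mentions, as an added example rather than code from the answer or from AWS: a Lambda that rebuilds a WAFv2 IP set from the group's current instances. It assumes a CloudFront-scoped IP set (which the wafv2 API only exposes in us-east-1), the environment variable names shown, and that the function is triggered by the ASG's EventBridge launch/terminate events plus a schedule; the FakeAws class and every id and address in it are constructed so the example runs offline.

```python
"""Reconcile a WAFv2 IP set with the public IPs of an Auto Scaling group.

Added example (not code from the answer or from AWS). Assumptions:
  - the IP set has scope CLOUDFRONT, so the wafv2 client must be us-east-1;
  - ASG_NAME, WAF_IP_SET_NAME and WAF_IP_SET_ID are environment variables;
  - the handler runs on the EventBridge events "EC2 Instance Launch Successful"
    and "EC2 Instance Terminate Successful" (and on a schedule as a backstop),
    so it rebuilds the whole set rather than appending, which also removes the
    IPs of instances the ASG has scaled in.
"""
import os


def asg_public_ips(autoscaling, ec2, asg_name):
    """Public IPv4 addresses of every InService instance in the group."""
    groups = autoscaling.describe_auto_scaling_groups(AutoScalingGroupNames=[asg_name])
    ids = [i["InstanceId"] for g in groups["AutoScalingGroups"]
           for i in g["Instances"] if i["LifecycleState"] == "InService"]
    if not ids:
        return []
    return [inst["PublicIpAddress"]
            for res in ec2.describe_instances(InstanceIds=ids)["Reservations"]
            for inst in res["Instances"] if inst.get("PublicIpAddress")]


def desired_addresses(public_ips, keep=()):
    """WAF IP sets hold CIDRs, so each host becomes a /32; `keep` holds static
    entries (an office range, say) that must survive every reconcile."""
    return sorted({f"{ip}/32" for ip in public_ips} | set(keep))


def sync_ip_set(wafv2, name, ip_set_id, addresses, scope="CLOUDFRONT"):
    """Replace the set contents; returns True if an update was sent.
    update_ip_set needs the LockToken from get_ip_set, so a concurrent writer
    makes this fail with WAFOptimisticLockException instead of being overwritten;
    a Lambda retry simply reads the token again."""
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    if sorted(current["IPSet"]["Addresses"]) == addresses:
        return False
    wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                        Addresses=addresses, LockToken=current["LockToken"])
    return True


def lambda_handler(event, context, clients=None):
    """Lambda entry point; `clients` lets the offline demo inject fakes."""
    if clients is None:
        import boto3  # lazy import: the functions above need no SDK to run
        clients = {"autoscaling": boto3.client("autoscaling"),
                   "ec2": boto3.client("ec2"),
                   "wafv2": boto3.client("wafv2", region_name="us-east-1")}
    ips = asg_public_ips(clients["autoscaling"], clients["ec2"], os.environ["ASG_NAME"])
    keep = [c for c in os.environ.get("STATIC_CIDRS", "").split(",") if c]
    wanted = desired_addresses(ips, keep)
    changed = sync_ip_set(clients["wafv2"], os.environ["WAF_IP_SET_NAME"],
                          os.environ["WAF_IP_SET_ID"], wanted)
    return {"addresses": wanted, "updated": changed}


class FakeAws:
    """Constructed stand-in for the three boto3 clients so the demo runs offline:
    two live instances, one terminating, and a stale entry already in the set."""
    def __init__(self):
        self.updates = []

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [{"Instances": [
            {"InstanceId": "i-0aaa", "LifecycleState": "InService"},
            {"InstanceId": "i-0bbb", "LifecycleState": "InService"},
            {"InstanceId": "i-0ccc", "LifecycleState": "Terminating"}]}]}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10"},
            {"InstanceId": "i-0bbb", "PublicIpAddress": "203.0.113.11"}]}]}

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Addresses": ["203.0.113.10/32", "203.0.113.99/32"]},
                "LockToken": "tok-1"}

    def update_ip_set(self, **kwargs):
        self.updates.append(kwargs)
        return {"NextLockToken": "tok-2"}


def demo():
    """Run the handler against the fakes; returns (handler result, update calls)."""
    fake = FakeAws()
    os.environ.update(ASG_NAME="web-asg", WAF_IP_SET_NAME="asg-allowlist",
                      WAF_IP_SET_ID="00000000-0000-0000-0000-000000000000",
                      STATIC_CIDRS="198.51.100.0/24")
    result = lambda_handler({}, None, {"autoscaling": fake, "ec2": fake, "wafv2": fake})
    return result, fake.updates


if __name__ == "__main__":
    print(demo())
```

Rebuilding the whole set on both launch and terminate events matters: appending on launch only leaves the public IP of every scaled-in instance in the allow list until someone notices, and a released public IP goes back into the shared pool. The lock token is what makes two overlapping invocations safe. The second answer's point still stands: a NAT gateway replaces this whole script with one or two static Elastic IPs.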

Related

Attach Elastic IP to EC2 instance of Elastic Beanstalk

My production and development applications are running on EBS's EC2 instances, where I need to attach an elastic IP to each instance. I am able to associate the elastic IPs with each instance, but after some time the IPs are disassociated automatically because the Application Load Balancer creates a new EC2 instance. I know it's due to the Application Load Balancer, but I want to know how I can persist the elastic IPs on each instance. I am using a third-party integration in which I have to send my static IPs to have them whitelisted.
The AWS solution for sending requests to third parties from a fixed IP (or fixed set of IPs) when running in an auto-scaled environment is to create a NAT Gateway in your public subnet (or one in each public subnet), assign Elastic IPs to the NAT Gateways, and place your EC2 instances in private subnets with a route to the NAT Gateway.
In this configuration, all outbound requests will go through the NAT Gateway(s) which will have static (Elastic) IPs that can be whitelisted by third-parties.

Configure AWS Elastic Beanstalk instance to use 2 subnets

I have 3 AWS Elastic Beanstalk instances which are running Spring microservices. All microservices are making POST requests to each other and using the RDS service for the database.
Should I isolate database traffic and microservices traffic into separate subnets?
In case it is good practice, is it possible to assign 2 private network IPs, one for each subnet, to every AWS Elastic Beanstalk instance?
I think you cannot do it using EBS, as the instances will be auto-created and terminated. So you should try to create the instances separately and add an autoscaling policy to them.
What I usually do is create my EC2 instances in a public subnet and RDS in a private subnet, use the RDS Security Group and add the EC2 instance's Elastic IP to it, so that all the traffic goes through the EC2 instance and all the traffic coming to the EC2 instance is HTTPS coming from the ELB.
Adding the below steps as requested:
OK, so I am assuming you already know a bit about how to create the servers, RDS, etc.
Create an EC2 instance for each of your microservices.
Attach an EIP to each of these instances.
Add an Auto Scaling policy to increase or decrease the instances based on the traffic/CPU utilization. Make sure you terminate the newest created instance.
Add an ELB for these instances and add an HTTPS/SSL certificate to secure your traffic.
Create RDS in a private subnet and add the instance EIPs to the RDS SG for port 3306.
I think you should be able to do this then.
It's not a good practice to directly communicate between instances in EB. The reason is that EB instances run in an autoscaling group. So they can be terminated and replaced at any time by AWS, leading to a change in their private IP addresses.
The change in IP will break your application sooner or later. Instances in EB should be accessed using a Load Balancer or private IP.
So if you have some instances that are meant for private access only you could separate them to internal EB environment.

How to verify EBS and RDS in VPC?

I believe that I've successfully setup an EBS instance and RDS instance in a VPC! It is structured like this:
Elastic load balancer: public available to the internet
Elastic instance: in private subnets
RDS instance: in private subnets
What can I do, both in AWS and outside through testing, to verify that my elastic instance is protected in the VPC and my RDS instance is as well?
Thank you so much!
You can verify the following:
ensure that the SGs of the instances allow only incoming traffic from the SG of the ALB.
ensure that the EB instances are in private subnets, i.e. they don't have public IPs.
ensure that RDS does not have the public IP option enabled and that it is also in private subnets.
also ensure that the SG of the RDS allows only incoming connections from the EB instances.
Adding on to @Marcin's comments, I would also do the below to ensure you are following best practices:
Enable access logs on the ELB so you have some record of who is accessing it. This would definitely help in troubleshooting.
Have your EC2 instances in an ASG.
Create a certificate and terminate the HTTPS connections on the ELB, or you can pass HTTPS through and terminate SSL on the EC2 instances.
Redirect all requests from the HTTP port to HTTPS using the redirect feature in the ELB.
Now, to answer your question on how to test the security:
Try to SSH into your EC2 instance directly. It should not work, as you are only allowing traffic from the ELB and your EC2 instance is in a private subnet.
Try accessing your RDS. It should not work, as it will only allow traffic from the EC2 security group.
Build a bastion server (a blank EC2 instance) on AWS and try to access the EC2 instance. It should not work, as the EC2 instance should only allow traffic from the ELB security group.
Using the bastion, try accessing RDS. Same as above, it should not work, as it should only allow traffic from the EC2 security group.
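The four checks in the first answer, plus the NAT egress addresses that the Elastic Beanstalk / Elastic IP answer earlier on this page says a third party should whitelist, as an added audit script that is not from either answer. It works on the response dictionaries of the boto3 describe_* calls named in its docstring, so it can be pointed at real output or, as here, at constructed sample data; all ids, addresses and security-group names are placeholders.

```python
"""Offline audit of the "public ELB / private EC2 / private RDS" layout.

Added example, not code from either answer. The functions consume the dicts that
boto3's ec2.describe_security_groups, ec2.describe_instances,
rds.describe_db_instances, ec2.describe_route_tables and ec2.describe_nat_gateways
return; the SAMPLE_* values are constructed to look like those responses and
contain one deliberate mistake (SSH open to the world on the app SG).
"""


def open_ingress(sg, allowed_source_sgs):
    """Ingress rules of `sg` whose source is anything but one of allowed_source_sgs.
    A rule passes only if it references an allowed security group and carries no
    CIDR ranges; "0.0.0.0/0 on port 22" is exactly what this catches."""
    bad = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        stray = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])
                 if g["GroupId"] not in allowed_source_sgs]
        if cidrs or stray:
            bad.append({"port": perm.get("FromPort"), "cidrs": cidrs, "groups": stray})
    return bad


def public_instances(instances):
    """Instances that received a public IP, i.e. are not really private."""
    return [i["InstanceId"] for i in instances if i.get("PublicIpAddress")]


def rds_exposure(db, private_subnets):
    """Findings for an RDS instance that is supposed to be private."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append(f"{db['DBInstanceIdentifier']}: PubliclyAccessible is true")
    for s in db["DBSubnetGroup"]["Subnets"]:
        if s["SubnetIdentifier"] not in private_subnets:
            findings.append(f"{db['DBInstanceIdentifier']}: subnet group has {s['SubnetIdentifier']}")
    return findings


def nat_egress_ips(route_tables, nat_gateways, private_subnets):
    """Elastic IPs that private-subnet traffic leaves through: the NAT gateways that
    own the 0.0.0.0/0 route of any private subnet. These are the addresses a third
    party would be asked to whitelist."""
    nats = set()
    for rt in route_tables:
        associated = {a.get("SubnetId") for a in rt.get("Associations", [])}
        if not associated & private_subnets:
            continue
        for r in rt.get("Routes", []):
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r:
                nats.add(r["NatGatewayId"])
    return sorted(a["PublicIp"] for n in nat_gateways if n["NatGatewayId"] in nats
                  for a in n["NatGatewayAddresses"])


def audit(sgs, instances, dbs, route_tables, nat_gateways, alb_sg, app_sg, rds_sg, private_subnets):
    """The four checks from the answer plus the NAT egress IPs, as one report."""
    by_id = {sg["GroupId"]: sg for sg in sgs}
    return {
        "app_sg_open": open_ingress(by_id[app_sg], {alb_sg}),
        "rds_sg_open": open_ingress(by_id[rds_sg], {app_sg}),
        "public_instances": public_instances(instances),
        "rds": [f for db in dbs for f in rds_exposure(db, private_subnets)],
        "egress_eips": nat_egress_ips(route_tables, nat_gateways, private_subnets),
    }


# Constructed sample responses (ids and addresses are placeholders).
SAMPLE_SGS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]
SAMPLE_INSTANCES = [{"InstanceId": "i-app1", "SubnetId": "subnet-priv-a", "PrivateIpAddress": "10.0.10.5"},
                    {"InstanceId": "i-app2", "SubnetId": "subnet-priv-b", "PrivateIpAddress": "10.0.11.5"}]
SAMPLE_DBS = [{"DBInstanceIdentifier": "appdb", "PubliclyAccessible": False,
               "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv-a"},
                                             {"SubnetIdentifier": "subnet-priv-b"}]}}]
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"Main": True}, {"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]
SAMPLE_NATS = [{"NatGatewayId": "nat-0123", "NatGatewayAddresses": [{"PublicIp": "198.51.100.7"}]}]
PRIVATE_SUBNETS = {"subnet-priv-a", "subnet-priv-b"}


def demo():
    """Audit the constructed sample; only the open SSH rule should be reported."""
    return audit(SAMPLE_SGS, SAMPLE_INSTANCES, SAMPLE_DBS, SAMPLE_ROUTE_TABLES, SAMPLE_NATS,
                 "sg-alb", "sg-app", "sg-rds", PRIVATE_SUBNETS)
```

Security-group references (UserIdGroupPairs) rather than CIDRs are the point of the first two checks: an instance SG that allows "10.0.0.0/16" instead of the ALB's group id would also admit the bastion in the last answer, which is exactly what the test with the bastion is meant to prove impossible.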

Attaching ELB to ASG in Private Subnet

Thanks for your time in advance. I am pretty new to AWS and trying to setup a cloud facing application processing HTTP / HTTPS requests.
I have a domain name (example.com) attached to the Elastic Load Balancer (ELB), and my requirement is just to have an ELB attached to an Auto Scaling group (ASG) which would have a min-max of 2-5 EC2s. Preferably I would want the EC2s created by the ASG to be placed in a private subnet.
I was following the solution provided here, but as I understand in step 5, it is for connecting the ELB to existing EC2 instances. But my requirement is to attach it to a ASG and hence cannot connect to specific EC2 instances.
I am focusing on just two AZs for now and created a public and a private subnet in each AZ. After creating the ELB and attaching it to the two public subnets, I proceeded to the Launch Configuration & ASG. I would request some clarification on the implications of the following selections while setting up the LC and ASG.
While creating a Launch Configuration for an ASG, in one of the steps (IP Address Type) I have three options, namely:
(1) Give Public IP to new instances if created in default VPC/SubNet
(2) Always Public IP for new instances
(3) No Public IP for new instances.
Which one of the above should be selected given my requirement?
Additional Questions
When selecting the subnets while creating ASG, should I select both public and private subnets or only public SN or only Private SN ? My guess was Private subnet only as I wanted to place the EC2 in private SN.
If the EC2s created by the ASG will be deployed in Private SN, what else should be present in the public subnet?
Thanks again for your time and guidance.
Update on 6/13
For the questions I had posted above, I went ahead with choices as below:
While creating a Launch Configuration for an ASG, IP Address Type : No Public IP for new instances.
When selecting the subnets while creating ASG : Only Private SN
I placed a NAT Gateway in the public subnet and updated the routing table of Private Subnet to include a route for 0.0.0.0/0 to NAT
Things are working now !!
You can find the AWS document on attaching to an Auto Scaling group here. You attach the ELB to the ASG, or, if it's an Application Load Balancer, you attach the target group for your ALB to the ASG:
To attach a load balancer to a group
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under Auto Scaling, choose Auto Scaling Groups.
Select your group.
On the Details tab, choose Edit.
Do one of the following:
[Classic Load Balancers] For Load Balancers, select your load balancer.
[Target groups] For Target Groups, select your target group.
Choose Save.
You do not need public IP addresses if your instances will be behind an ELB. You should also launch them in a private subnet. Your ELB will be in public subnets and relay communications to your instances in those private subnets. The ELB will also be assigned a DNS name, which you alias to a custom DNS name of your own.
From the docs above, you can also attach and detach using the CLI:
To attach a Classic Load Balancer
Use the following attach-load-balancers command to attach the specified load balancer to your Auto Scaling group:
aws autoscaling attach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To attach to a target group
Use the following attach-load-balancer-target-groups command to attach the specified target group to your Auto Scaling group:
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
To detach a Classic Load Balancer
Use the following detach-load-balancers command to detach a load balancer from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancers --auto-scaling-group-name my-asg --load-balancer-names my-lb
To detach a target group
Use the following detach-load-balancer-target-groups command to detach a target group from your Auto Scaling group if you no longer need it:
aws autoscaling detach-load-balancer-target-groups --auto-scaling-group-name my-asg --target-group-arns my-targetgroup-arn
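The choices the questioner settled on (no public IP, private subnets only, target group attached to the group) as an added boto3 example, not code from the answer or from the AWS docs it quotes. It assumes a VPC where every subnet has an explicit route table, uses placeholder ids for the VPC, AMI, security group and target group, and substitutes a constructed fake for the ec2/autoscaling clients so that it runs offline.

```python
"""Create an Auto Scaling group whose instances get no public IP, launch only in
private subnets, and register with an ALB target group.

Added example, not code from the answer or from the AWS docs it quotes. The VPC,
AMI, security-group and target-group identifiers are placeholders; `ec2` and
`autoscaling` are boto3 clients in production and the constructed fake below
when run offline.
"""


def private_subnet_ids(ec2, vpc_id):
    """Subnets that neither auto-assign public IPs nor have an explicit route table
    whose default route is an internet gateway. (Subnets that fall back to the VPC's
    main route table are not resolved here; give every subnet an explicit table.)"""
    subnets = ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]
    tables = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]
    igw_routed = set()
    for rt in tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rt.get("Routes", [])):
            igw_routed.update(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)
    return sorted(s["SubnetId"] for s in subnets
                  if not s["MapPublicIpOnLaunch"] and s["SubnetId"] not in igw_routed)


def launch_template_data(ami_id, instance_type, app_sg_id):
    """The launch-template equivalent of "No Public IP for new instances" is
    AssociatePublicIpAddress=False on the primary network interface."""
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "NetworkInterfaces": [{"DeviceIndex": 0, "AssociatePublicIpAddress": False,
                               "Groups": [app_sg_id]}],
        "MetadataOptions": {"HttpTokens": "required"},  # IMDSv2 only; cheap hardening
    }


def create_private_asg(ec2, autoscaling, name, vpc_id, ami_id, app_sg_id,
                       target_group_arn, min_size=2, max_size=5):
    """Refuses to create the group unless at least one private subnet exists."""
    subnets = private_subnet_ids(ec2, vpc_id)
    if not subnets:
        raise ValueError(f"no private subnets found in {vpc_id}; refusing to launch")
    lt = ec2.create_launch_template(
        LaunchTemplateName=f"{name}-lt",
        LaunchTemplateData=launch_template_data(ami_id, "t3.micro", app_sg_id))
    lt_id = lt["LaunchTemplate"]["LaunchTemplateId"]
    autoscaling.create_auto_scaling_group(
        AutoScalingGroupName=name,
        LaunchTemplate={"LaunchTemplateId": lt_id, "Version": "$Latest"},
        MinSize=min_size, MaxSize=max_size,
        VPCZoneIdentifier=",".join(subnets),  # private subnets only
        TargetGroupARNs=[target_group_arn],   # the "attach to the ALB" step
        HealthCheckType="ELB", HealthCheckGracePeriod=120)
    return {"launch_template": lt_id, "subnets": subnets}


class FakeAws:
    """Constructed stand-in for both clients: two public subnets, two private ones,
    and one trap subnet with no auto-assigned IP but a default route to the IGW."""
    def __init__(self):
        self.calls = {}

    def describe_subnets(self, Filters):
        return {"Subnets": [
            {"SubnetId": "subnet-pub-a", "MapPublicIpOnLaunch": True},
            {"SubnetId": "subnet-pub-b", "MapPublicIpOnLaunch": True},
            {"SubnetId": "subnet-priv-a", "MapPublicIpOnLaunch": False},
            {"SubnetId": "subnet-priv-b", "MapPublicIpOnLaunch": False},
            {"SubnetId": "subnet-trap", "MapPublicIpOnLaunch": False}]}

    def describe_route_tables(self, Filters):
        return {"RouteTables": [
            {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"},
                              {"SubnetId": "subnet-trap"}],
             "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
            {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
             "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]}]}

    def create_launch_template(self, **kw):
        self.calls["create_launch_template"] = kw
        return {"LaunchTemplate": {"LaunchTemplateId": "lt-0abc"}}

    def create_auto_scaling_group(self, **kw):
        self.calls["create_auto_scaling_group"] = kw
        return {}


TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/0123456789abcdef"


def demo():
    """Create the group against the fake; returns (result, recorded API calls)."""
    fake = FakeAws()
    out = create_private_asg(fake, fake, "web", "vpc-0123", "ami-0123", "sg-app", TG_ARN)
    return out, fake.calls
```

"Private" is decided by routing, not by the auto-assign flag: the trap subnet in the fake has MapPublicIpOnLaunch off but routes 0.0.0.0/0 to the internet gateway, so an instance there with an Elastic IP attached later would be reachable, and the filter leaves it out. With AssociatePublicIpAddress=False and a NAT route the instances can still reach package repositories and AWS APIs, which is the update at the end of the question.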

Creating a management network with ENIs vs just using security groups

Looking at AWS docs they lay out a use case for ENIs to create a management network.
So my primary ENI is for public traffic, but I create a second ENI for SSH via my private subnet.
But I can just use an ACL to only allow SSH traffic from my company's IP. And if I really want a private VPC, I could use a route table for that instead of a second ENI on each instance.
Is there an advantage of 2 ENIs for management network I am missing?
I think you can have the same result with creating a bastion host. Here's the official quickstart: link
You can also attach a security group to the ENI which allows SSH traffic only from a certain subnet.