Can i restrict ip ranges for internet gateway? - amazon-web-services

Is it possible to restrict the internet gateway from 0.0.0.0/0 to my own IP address, i.e. 119.11.111.11/32?
I want to restrict it to my IP address and then have the NAT Gateway point to my IP address 119.11.122.11/32.
The reason is to make it more secure and to make sure all requests are going to and from my IP address.
I would like to know if anyone has done it and whether it still works. I have tried on my AWS account and it has not worked.
Thank you.

If you want resources in an Amazon VPC to only be accessible to your own IP address, then you should configure the Security Groups on your resources.
By default, security groups block all incoming traffic. You can add Inbound rules to allow traffic from your IP address on the desired ports.
A security group for a NAT Gateway normally allows:
No inbound traffic
All outbound traffic (so that your private resources can access the Internet)

Related

EC2 open port for only private IP address

My Linux based EC2 instances have both public and private IPs. I am hosting two servers on it:
S3 server, which will be accessible over both internet/private network and
NFS server, which should be accessed only via private IPs/internal network.
I want to open the NFS port in the Security Group but only allow access over the EC2 instance's private IP. I don't think this can be achieved by using only security groups, as by the time the request reaches the EC2 node the Internet Gateway has already replaced the public IP with the private IP of the EC2 instance, and the instance is not even aware that there is an extra public IP associated with it.
Instead, what can be done is to choose the sources and selectively allow NFS access only to the VPCs and the on-premises network (in case there is VPN connectivity), but that would also mean that every time a new VPC is created or a new VPN endpoint is established, someone has to modify the Security Group to accommodate the new IP addresses.
What I ideally need is a way to apply port and IP based rules on the Internet Gateway which is currently not available/exported. Looking for alternatives.
The simplest method would be to add an Inbound rule to the Security Group where the Source is the CIDR range of the VPC.
For example, if your VPC is 172.31.0.0/16, then use this as the Source in the security group. It would permit any inbound connection from that IP address range.

How to control the source of AWS network load balancer?

Two questions on NLB in AWS:
I have a requirement to use an NLB in front of an EC2 instance which runs MySQL. This EC2 is in a private network. I just want to allow the NLB to be accessed by some particular internet IP. If it were an ALB, I could use a security group to do this. However, without a security group on the NLB, how can I achieve this?
In this setup, I connect to the NLB from my PC and reach that MySQL EC2. To make it succeed, I find that I have to allow 0.0.0.0/0 in the incoming rule of the EC2 security group instead of just putting my PC IP. I thought my PC IP should be brought to the EC2 directly through the NLB. Is it not true? I don't want to allow 0.0.0.0/0 in the EC2 security group. Is there any better way?
Thanks!
For a Network Load Balancer, the security group evaluation is performed by the instance's security groups. You would need to add the IP addresses you would like to allow to communicate with the NLB to your instances' security groups; as long as your instance is in a private subnet this will prevent any client directly interacting with the host.
Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.
More information is available in the Register targets with your target group documentation.
The only way to block the traffic in your case is to have the IPs to which you want to allow access in the EC2 SG.
However, you need to account for the fact that the IP address the request appears to come from, and which the EC2 SG therefore evaluates, depends on how you have configured the target group of the NLB, and more specifically on whether you have set the target type to instance or ip, as the NLB behaves differently in each case.
If the target type is set to instance, the NLB passes the traffic to your instance as-is, and the EC2 SG will see your local PC's public IP address; if there is a rule to allow it, you will be able to connect.
If the target type is set to ip, the NLB is doing a NAT, and the EC2 SG will actually see the private IP of the NLB as the source IP of the incoming traffic.
Take a look at the Source IP Preservation in the NLB Target Group documentation.
There is a similar discussion in this question.

Api gateway VPC link integration to a EC2 machine through the NLB not working because of the security group issue

I have a service running on port 8080 of an EC2 machine in a private subnet. My plan is to establish a VpcLink to the private endpoint using a Network Load Balancer. Now the Network Load Balancer cannot have a security group of its own; instead the target's security group comes into action here (in this case the security group of the EC2 instance where my service is running). I am a little confused over what the security group of the EC2 machine should look like. I need to add a custom TCP rule which will allow traffic to port 8080, but I am confused over what IP range I can give as the source. The API Gateway has no IP. Also, the documentation says:
Recommended Rules (Inbound)
Source: Client IP addresses | Port Range: instance listener | Comment: Allow traffic from clients on the instance listener port
Source: VPC CIDR | Port Range: health check | Comment: Allow traffic from the load balancer on the health check port
Based on the comments and from the docs:
Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.
If you register targets by IP address and do not want to grant access to the entire VPC CIDR, you can grant access to the private IP addresses used by the load balancer nodes.
Thus, for an NLB you either use the CIDR range of the subnet where the NLB is, or, to be more restrictive, you use the NLB's private addresses. You can't get those IP addresses from CloudFormation; you would have to write custom resources in CloudFormation to get the IPs from the NLB. As a compromise, you could put your NLB in a dedicated subnet, or the same one as the instances, and use its CIDR range.
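As an added example, not taken from the question or the answers above, here is a CloudFormation fragment for the target security group described by the recommended rules: a health-check rule whose source is the subnet the NLB nodes live in, and a listener rule for the clients. Every concrete value is an assumption for illustration only: the VPC CIDR 10.0.0.0/16, a subnet 10.0.10.0/24 dedicated to the NLB, port 8080 for both listener and health check, and the resource names. The commented-out group shows the 0.0.0.0/0 shortcut the question was tempted into, for contrast.

```yaml
# Added example (not from the original question or answers): security group
# for an EC2 target behind an NLB used by an API Gateway VPC link.
# Hypothetical values: VPC 10.0.0.0/16, NLB subnet 10.0.10.0/24, TCP 8080.
AWSTemplateFormatVersion: '2010-09-09'
Description: Target security group for an EC2 service behind an NLB (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  NlbSubnetCidr:
    Type: String
    Default: 10.0.10.0/24   # hypothetical subnet that holds only the NLB nodes
  ClientCidr:
    Type: String
    Default: 10.0.0.0/16    # hypothetical client range for the listener rule

Resources:
  # Weak version, kept only for contrast. Do not deploy: it exposes 8080 to
  # every address that can reach the instance's ENI, not just the NLB.
  # ServiceSgTooOpen:
  #   Type: AWS::EC2::SecurityGroup
  #   Properties:
  #     GroupDescription: port 8080 open to the world
  #     VpcId: !Ref VpcId
  #     SecurityGroupIngress:
  #       - IpProtocol: tcp
  #         FromPort: 8080
  #         ToPort: 8080
  #         CidrIp: 0.0.0.0/0

  ServiceSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow NLB health checks and client traffic to port 8080
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Health checks always come from the NLB nodes' private IPs. The
        # dedicated NLB subnet is the narrowest source that works without
        # looking up the node addresses, which CloudFormation cannot do.
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref NlbSubnetCidr
          Description: NLB health checks, and proxied client traffic for target type ip
        # With target type instance the client address is preserved, so the
        # clients must be allowed explicitly; with target type ip the NLB
        # source-NATs and the rule above already covers the traffic.
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref ClientCidr
          Description: Clients on the listener port (needed for target type instance)

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Port: 8080
      Protocol: TCP
      VpcId: !Ref VpcId
      TargetType: ip            # ip: SG sees NLB node IPs; instance: SG sees the client
      HealthCheckProtocol: TCP
      HealthCheckPort: '8080'
```

Pick the target type first, then the rules follow from it: with TargetType: instance the ClientCidr rule does the work and must be as narrow as your clients allow; with TargetType: ip only the NLB subnet rule matters and the client rule can be removed entirely.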

I have a server running on ec2 but I cant connect to the localhost 8085. Any suggestions?

I have a server running on EC2 but I can't connect to localhost 8085. Any suggestions?
Check to make sure your setup has the following:
There is an elastic IP attached to the instance, or it has a public IP address.
The security group allows incoming traffic on the correct port.
The network ACL of the subnet allows the needed inbound and outbound traffic, or you're using the non-existent/default ACLs, which allow all inbound/outbound traffic.
An Internet Gateway is in the same VPC as the instance.
There is a rule in the subnet's route table that sends internet-bound traffic to the Internet Gateway.
You may also find this AWS article helpful for using the Internet Gateway in your VPC.
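A CloudFormation template, added here as an example rather than taken from any of the posts, that satisfies this checklist and at the same time shows what the first answer on this page means: the Internet Gateway and its 0.0.0.0/0 route are left exactly as AWS expects them, the instance gets a public IP, and the only thing that is narrowed is the security group, which admits port 8085 from the asker's 119.11.111.11/32 and NFS (TCP 2049) only from the VPC CIDR, as the NFS answer above suggests. The VPC range 172.31.0.0/16 is the one that answer uses; the subnet range, instance type and resource names are assumptions, and the AMI is a parameter you must supply.

```yaml
# Added example (not from the original posts): public subnet whose instance is
# reachable only from one operator /32, with NFS restricted to the VPC.
# Assumed values: subnet 172.31.0.0/24, t3.micro, port 8085; AMI is a parameter.
AWSTemplateFormatVersion: '2010-09-09'
Description: Public subnet reachable only from one operator IP (added example)

Parameters:
  MyIp:
    Type: String
    Default: 119.11.111.11/32   # the /32 from the first question on this page
  ImageId:
    Type: AWS::EC2::Image::Id   # supply any AMI; none is assumed here
  AppPort:
    Type: Number
    Default: 8085

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.31.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true

  # The Internet Gateway has no filtering of its own. It is attached to the VPC
  # and the default route below points at it; the restriction is not here.
  Igw:
    Type: AWS::EC2::InternetGateway
  IgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref Igw

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 172.31.0.0/24
      MapPublicIpOnLaunch: true   # checklist item: instance gets a public IPv4 address

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: IgwAttachment      # the route is invalid until the IGW is attached
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0   # checklist item: internet-bound traffic to the IGW
      GatewayId: !Ref Igw
  SubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  # The restriction lives here: security group, not gateway or route table.
  # No network ACL is declared, so the subnet uses the default ACL (allow all).
  AppSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App port from one operator address; NFS only inside the VPC
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref AppPort
          ToPort: !Ref AppPort
          CidrIp: !Ref MyIp               # only the operator's /32 may reach 8085
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          CidrIp: !GetAtt Vpc.CidrBlock   # NFS only from private addresses in the VPC
      SecurityGroupEgress:
        - IpProtocol: '-1'
          CidrIp: 0.0.0.0/0               # outbound unrestricted, as for a NAT-style setup

  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref AppSg
```

If port 8085 still does not answer after this deploys, the remaining suspects are on the host itself (the service bound to 127.0.0.1 instead of 0.0.0.0, or a local firewall), since every checklist item above is now declared explicitly.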

AWS: security groups ignoring traffic from elastic IP

I have 2 AWS instances, i-1 and i-2. They are each on a different security group: sg-1 and sg-2, respectively. Both machines have elastic IPs.
sg-2 is configured to allow all traffic from sg-1, regardless of port, source IP or protocol.
When i-1 tries to talk to i-2 its traffic is being blocked. It seems AWS doesn't account for the fact that i-1's traffic is actually coming from its elastic IP.
Is this expected? Is there anything I can do to work around it, apart from manually adding i-1's elastic IP to sg-2?
sg-2 is configured to allow all traffic from sg-1
When you do this, only traffic from the private IP address is allowed. However, as you are using an EIP, you explicitly need to allow traffic from that IP address.
Read this: https://forums.aws.amazon.com/thread.jspa?messageID=414060
Quoting from above link:
Out of curiosity, are you perhaps connecting using a public IP address? When you use a rule with a security group as the source, it will only match when connecting over the internal network. The private IP address can change though. If you have an Elastic IP associated with the instance, the public DNS name happens to be static and will always resolve to the current private IP address when used from within the same EC2 region. That allows you to easily connect internally without worrying about any address changes.
You haven't really provided enough information to diagnose the problem, but there are a few things to check:
Is I-1 definitely in SG-1? If you've got the instances muddled, the SG rules would be around the wrong way.
Does the machine in SG-2 have a firewall running that might be blocking incoming traffic even though the SG rules are allowing it?
You've tagged this with the VPC tag - do you have any network ACL settings that might be preventing traffic flow? Are the machines private, using a NAT appliance to get out to the Internet, or public, routing through the standard AWS gateway? Can I-1 see the Internet? If you're routing through a NAT, assigning an EIP to a machine effectively cuts it off from the Internet because EIP and NAT are mutually incompatible, and although I haven't tried it this might also screw up SG routing.
Does SG-1 have any egress rules that might be preventing traffic from leaving?
The answer to your question is likely to be found in the resolution of one of these questions if the answer to any of them is 'Yes'.
As previously stated by slayedbylucifer, you will need to explicitly allow traffic from the EIP.
Here's the reasoning from the official AWS documentation about Security Groups:
When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port. Incoming traffic is allowed based on the private IP addresses of the network interfaces that are associated with the source security group (and not the public IP or Elastic IP addresses).
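An added CloudFormation example, not from the thread, that puts the last point into rules: sg-2 with one ingress rule whose source is sg-1, which matches only the private addresses of the interfaces in sg-1, and a second, optional rule for the Elastic IP path that the first rule never matches. The EIP 203.0.113.10/32 (a documentation range), the VPC parameter and port 22 are assumptions.

```yaml
# Added example (not from the original question or answers): a rule with a
# security group as source matches private IPs only; the EIP path needs a CIDR rule.
# Hypothetical values: EIP 203.0.113.10/32, port 22, resource names.
AWSTemplateFormatVersion: '2010-09-09'
Description: SG-to-SG rule vs explicit Elastic IP rule (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  Instance1Eip:
    Type: String
    Default: 203.0.113.10/32   # hypothetical Elastic IP of i-1

Resources:
  Sg1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: sg-1, attached to i-1
      VpcId: !Ref VpcId

  Sg2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: sg-2, attached to i-2
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Matches packets whose source is the private IP of any ENI in sg-1.
        # Connecting from i-1 to i-2's private IP, or to i-2's public DNS name
        # from inside the region (which resolves to the private IP), hits this rule.
        - IpProtocol: '-1'
          SourceSecurityGroupId: !Ref Sg1
          Description: all traffic from sg-1 members, private addresses only
        # Only needed if i-1 connects to i-2's public or Elastic IP. That path
        # leaves through the Internet Gateway, so the source i-2 sees is i-1's
        # Elastic IP, which the rule above never matches.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref Instance1Eip
          Description: i-1 via its Elastic IP (public path only)
```

Prefer the first rule and have i-1 address i-2 by private IP or public DNS name from within the region; add the CIDR rule only when the public path is genuinely required, since it has to be updated by hand whenever the EIP changes.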