I created a MySQL instance in AWS RDS and selected the create new security group option which created a new security group as below
Inbound rule created with a specific allowed ip
This allows traffic from only the specified ip. In the public accessibility option I have selected yes.
Now, I am able to connect to this database on my local computer. I am not able to understand the point of this security group inbound rule and where this ip in inbound rule is coming from?
This is your public IP (at least for now). /32 is from CIDR, means that this is only one ip in this network (SG work with CIDT, not just IP).
So, RDS could be accessed only from you IP
Related
My Linux based EC2 instances have both public and private IPs. I am hosting two servers on it:
S3 server, which will be accessible over both internet/private network and
NFS server, which should be accessed only via private IPs/internal network.
I want to open NFS port in the Security Group but only allow the access over the EC2 instances's private IP. I don't think this can be achieved by using only security groups as when the request reaches EC2 node, the Internet Gateway has already replaced the public IP with the private IP of the EC2 instance and the instance is not even aware that there is an extra public IP associated with it.
Instead what can be done is to choose the sources and selectively allow NFS access only to the VPCs and on-premises network (in case there is a VPN connectivity) but that would also mean that every time a new VPC is created OR a new VPN endpoint is established, someone has to modify the Security Group to accommodate new IP addresses.
What I ideally need is a way to apply port and IP based rules on the Internet Gateway which is currently not available/exported. Looking for alternatives.
The simplest method would be to add an Inbound rule to the Security Group where the Source is the CIDR range of the VPC.
For example, if your VPC is 172.31.0.0/16, then use this as the Source in the security group. It would permit any inbound connection from that IP address range.
I've been trying to create and connect to a new DB on AWS for days. I made it publicly accessible.
I've done this but it can't connect:
HOST: vepo-qa-database.xxxxxxx.ap-southeast-2.rds.amazonaws.com
URL: jdbc:postgresql://vepo-qa-database.xxxxxxx.ap-southeast-2.rds.amazonaws.com:5432/
Why will it not connect?
Your Security Group inbound rule configuration is:
Allow Inbound traffic on any port as long as it comes from sg-1fefe550 (itself!)
This means that only resources associated with that same security group can communicate with the database. Therefore, it is blocking access from your own computer on the Internet.
To enable access to the database, you should add another Inbound rule that permits inbound access on port 5432 (PostgreSQL) from your own IP address.
(I'm also not sure why you have configured the security group to permit access from 'itself'. This is not a normal way to configure security groups.)
There is not enough information in your question to be certain, but here are two suggestions:
1 - verify that the subnets for the database actually are public and that there is a route to the IGW
2 - add a rule to the inbound security group rules to allow you to connect to port 5431. Generally you'd want to restrict this to just your IP address for a public instance.
Also, I'm not sure why you have 192.31.0.0 as part of your VPC range - that is a public IP range.
I am trying to understand this statement:
"You can reference AWS Security Groups from other Security Groups."
What exactly does this mean?
This is how I understood this. I created a security group and call it "SG-10" and attached it to an instance "EC2-10". The SG "SG-10" has allow port 443 defined inside it.
Now, I create a security group and call it "SG-20" and attached this to an instance "EC2-20". This also has port 443 allowed. Now, if I call "SG-10" inside "SG-20" does this mean that "EC2-10" will be able to connect to "EC2-20" on port 443.?
Regards,
Nik.
if I call "SG-10" inside "SG-20"
No, you can not call a security group, this does not make any sense.
If a security group A references security group B, it does mean that the instance to which the security group A is attached allows inbound or outbound traffic to another instance to which security group B is attached. But if you want to send traffic form instance with security group A to the instance with security group B, you have to use the IP or the DNS of the instance B.
Usually the reason why we would want to reference a security group instead of an IP, is that the IP might change over time or it is not exposed at all. A fairly common example is having an application load balancer (ALB) and a group of EC2 instances which allow traffic only from the ALB. The IP address of the ALB changes over time, so in order to be able to receive traffic from the ALB, we can reference the security group attached to it.
In we want to reference a security group from another security group, we have to edit the rules of the initial security group:
As an example of referencing security groups, imagine a 3-tier architecture:
A Load Balancer receiving traffic from the Internet and sending requests to an Amazon EC2 instance
An Amazon EC2 instance receiving requests from the Load Balancer and sending queries to an Amazon RDS database
An Amazon RDS database receiving requests from the EC2 instance
This would involve 3 security groups:
A security group on the Load Balancer (LB-SG) that allows incoming traffic on port 80/443.
A security group on the EC2 instance (App-SG) that allows incoming traffic on port 80 only from the load balancer. It does this by setting the source to LB-SG.
A security group on the RDS database (DB-SG) that allows incoming traffic on the relevant port (eg 3306) only from the EC2 instance. It does this by setting the source to App-SG.
All security groups allow All Outbound Traffic.
By referencing other security groups, resources can be added/removed without having to change the security groups. For example, another EC2 instance could be launched and assigned the App-SG security group. This new instance would then be able to communicate with the database since DB-SG allows incoming traffic from App-SG, without being tied to any specific IP addresses.
If a resource is associated with multiple security groups, then all rules apply to the resource. Security Groups only say what is 'Allowed'. They do not include 'Deny' rules.
In your SG-10/SG-20 example, you do not mention the source of the traffic, so it is not possible to answer your question. If you want EC2-20 to accept connections from EC2-10, then the SG-20 security group should allow connections with the Source set to SG-10.
As an aside, I should mention that Network ACLs should normally be left at their default "Allow All" settings unless there is a specific networking requirement (eg creating a DMZ).
I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup. Please check this question: Source Security group isnt working as expected in aws. Actually. When you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.
2 questions on NLB in AWS
I have a requirement to use NLB in front of the EC2 which runs MYSQL. This EC2 is in private network. I just want to allow NLB to be accessed by some particular internet IP. If it's ALB, I can use security group to do this. However, without security group in NLB, how can I achieve this?
In this setup, I connect to NLB from my PC and reach to that MYSQL EC2. To make it success, I find that I have to allow 0.0.0.0/0 in the incoming rule of the EC2 security group instead of just putting my PC IP. I thought my PC IP should be brought to EC2 directly through NLB. Is it not true? I dont want to allow 0.0.0.0/0 in EC2 security group. Is there any better way?
Thanks!
The security group evaluations are performed by the instances security groups for the Network Load Balancer. You would need to add the IP addresses you would like to communicate with the NLB to your instances, as long as your instance is in a private subnet this will prevent any client directly interacting with the host.
Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.
More information is available in the Register targets with your target group documentation.
The only way to block the traffic in your case is to have the IPs to which you want to allow access in the EC2 SG.
However you need to account for the fact that there is a difference on the IP address from which the request will come from and thus will be evaluated from the EC2 SG based on how you have configured the target group of the NLB and more specifically on whether you have set up the target type to be instance or ip, as there is a difference in the NLB behaviour.
If the target type is set to instance, the NLB will pass the traffic to your instance as is, and the EC2 SG will see your locap PC public IP address, and if there is a rule to allow it you will be able to connect
If the target type is set to ip, the NLB is doing an NAT, and the EC2 SG will actually see the private IP of the NLB as a source IP for the incoming traffic.
Take a look at the Source IP Preservation in the NLB Target Group documentation.
There is a similar discussion in this question.
I'm trying to create a security group that allows all inbound traffic originating from within my VPC. I thought I could simply specify my CIDR block, but that doesn't seem to work and requests fail unless I create a rule which allows inbound traffic from anywhere.
What's the right way to allow inbound traffic from any EC2 instance within the same VPC?
It will work just fine.
For example, if your VPC is setup with a CIDR range of 10.0.0.0/16, you can create a Security Group with an Inbound rule and a source of 10.0.0.0/16.
That will allow inbound access from any Elastic Network Interface (eg instance, load balancer, RDS instance) within the VPC.
Make sure that you access the target instance via its Internal IP Address. Using its Public IP Address will fail the Security Group check since it is coming from outside the allowed CIDR range.