用于AWS服务的AWS私有子网安全组出口白名单?
[英]AWS private subnet security group egress whitelist for AWS services?
问题描述
I have some EC2 instances in a private subnet that need to access DynamoDB and KMS. 
我在私有子网中有一些需要访问DynamoDB和KMS的EC2实例。 Since VPC endpoints do not support either of these at this time, I will need to grant internet access via a NAT gateway. 由于此时VPC端点不支持这两种端点,因此我需要通过NAT网关授予Internet访问权限。
I want to restrict the security group egress rules to only these 2 services, but the only info I have found to date is @ http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html 我想将安全组出口规则限制为仅这两项服务,但我迄今发现的唯一信息是@ http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges。 HTML
Has anyone else been able to restrict the security group egress rules to just include AWS services ? 是否有其他人能够将安全组出口规则限制为仅包含AWS服务?
From what I can see the EC2 service entries are a subset of the AMAZON service entries so I'm guessing if I were to include all the CIDR blocks that do not exist in the EC2 list that would leave me with all the other AWS service IPs ? 从我所看到的EC2服务条目是AMAZON服务条目的子集,所以我猜测我是否要包含EC2列表中不存在的所有CIDR块,这些块将留给我所有其他AWS服务IP ?
I know these are dynamic and would therefore need to subscribe and handle updates. 我知道这些是动态的,因此需要订阅和处理更新。
Thanks in advance 提前致谢
Pat 拍
1 个解决方案
解决方案1
1 2016-04-04 14:10:28
One option is to use the AWS service DNS names (for example dyanamodb.amazonaws.com) in the security group but SG doesn't allow it. 一种选择是在安全组中使用AWS服务DNS名称(例如dyanamodb.amazonaws.com),但SG不允许。 So you have 2 options: 所以你有两个选择:
Allow all outbound access
允许所有出站访问 Use a proxy like
squidproxy.使用像squid代理这样的代理。 Add a route to your private subnet to route the internet traffic to the proxy and the proxy is connected to the internet through NAT.添加到您的私有子网的路由以将Internet流量路由到代理,并且代理通过NAT连接到Internet。 In the proxy you can add rules to allow traffic only to the desired services and an explicit DENY for all other traffic 在代理中,您可以添加规则以仅允许流量到期望的服务,并允许显式拒绝所有其他流量
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.