
Automatically add a range of IP in security group in AWS

My RDS instance is configured to only accept connections from an EC2 security group. I connect my SQL client via SSH.

This is OK, but now I have an external service that also needs to connect to the DB.

This service tells me that it will use this range of IPs: https://ip-ranges.amazonaws.com/ip-ranges.json

So I must whitelist it in my RDS security group.

My question: how can I add this JSON to my SG automatically?

Thanks

There is no automated way to apply that set of IP ranges. You'll need to parse it and apply the ranges yourself. Use your favourite tool of choice (bash, Python, C#, manually).

However, the JSON file he gave you is the IP ranges for all of AWS in all regions.

If your external service can tell you which regions they use, you can reduce that list significantly.

For example, if you can reduce it to just the Virginia region (us-east-1), then there are 187 IP blocks to apply.

By default, security groups have a limit of 50 rules. There's a limit of 5 security groups per network interface. So basically you're looking at a hard limit of 250 rules.

If you want, you can contact AWS support and they can adjust the rules-per-security-group limit to 250 by decreasing the security-groups-per-network-interface limit to 1. Or you can spread up to 250 rules over 5 security groups.

Source: Amazon VPC Limits

If you need more than 250 rules, you'll need to set up a proxy with 2+ public IP addresses to accommodate the extra security groups required.

Additional note:

Applying all of these IP ranges would allow anyone to connect to your RDS instance from an AWS instance. This may be too wide a security hole to open.

You can set up a Lambda function to do this for you. Here is an example script in Python from AWS Labs that does it for an ELB security group and the CloudFront IP address range.

https://github.com/awslabs/aws-cloudfront-samples/tree/master/update_security_groups_lambda
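The two answers above describe the same pipeline: parse ip-ranges.json, narrow it to the regions (and, better, the services) the external service actually uses, respect the rules-per-group limit, and run the whole thing from a Lambda. The following is an added example in Python that is not code from the question, either answer, or the AWS Labs sample linked above. It assumes: a constructed ip-ranges.json sample whose CIDRs are RFC 5737 / RFC 3849 documentation ranges rather than real AWS prefixes; a constructed DescribeSecurityGroups entry with a made-up group ID; the 50-rules-per-group default quoted in the first answer; and boto3 being present only inside lambda_handler(), which is the one function that talks to AWS. Everything else runs offline. Two points the answers only hint at are made explicit: filtering on service as well as region (the AMAZON entries are a superset that includes every other service tag, so "EC2" alone is far narrower), and diffing desired against current rules so a re-run converges instead of failing on duplicate rules.

```python
"""Narrow ip-ranges.json to the regions/services an external service really
uses, diff against what a security group already allows, and build
authorize/revoke payloads that respect the per-group rule limit."""
import ipaddress
import json
from typing import List, Set, Tuple

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# CIDRs are documentation ranges (RFC 5737 / RFC 3849), not real AWS prefixes.
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},  # same CIDR, 2nd tag
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/48", "region": "us-east-1", "service": "EC2"},
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "EC2"},
    ],
}

# Constructed DescribeSecurityGroups entry (made-up group ID): one CIDR that is
# still allowed on 3306 but no longer in the desired set.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": []},
    ],
}


def _net_key(cidr: str):
    net = ipaddress.ip_network(cidr)
    return (net.version, net)  # v4 before v6; never compares a v4 net with a v6 net


def select_prefixes(ip_ranges: dict, regions: Set[str], services: Set[str]) -> List[str]:
    """Unique, sorted CIDRs (v4 + v6) whose region AND service are both wanted."""
    picked = set()
    for e in ip_ranges.get("prefixes", []):
        if e["region"] in regions and e["service"] in services:
            picked.add(e["ip_prefix"])
    for e in ip_ranges.get("ipv6_prefixes", []):
        if e["region"] in regions and e["service"] in services:
            picked.add(e["ipv6_prefix"])
    return sorted(picked, key=_net_key)


def current_cidrs(sg: dict, port: int) -> Set[str]:
    """CIDRs a DescribeSecurityGroups entry already allows on one TCP port."""
    found = set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port == perm.get("ToPort"):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            found.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return found


def diff_cidrs(current: Set[str], desired: List[str]) -> Tuple[List[str], List[str]]:
    """(to_add, to_revoke): apply only the delta so repeated runs are idempotent."""
    want = set(desired)
    return sorted(want - current, key=_net_key), sorted(current - want, key=_net_key)


def _entry(key: str, cidr: str, note):
    return {key: cidr, "Description": note} if note else {key: cidr}


def ip_permissions(cidrs: List[str], port: int, rules_per_group: int = 50,
                   note="external service via ip-ranges.json") -> List[dict]:
    """One IpPermissions payload per chunk of at most rules_per_group CIDRs,
    i.e. one payload per security group at the default limit."""
    payloads = []
    for i in range(0, len(cidrs), rules_per_group):
        chunk = cidrs[i:i + rules_per_group]
        v4 = [c for c in chunk if ipaddress.ip_network(c).version == 4]
        v6 = [c for c in chunk if ipaddress.ip_network(c).version == 6]
        perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        if v4:
            perm["IpRanges"] = [_entry("CidrIp", c, note) for c in v4]
        if v6:
            perm["Ipv6Ranges"] = [_entry("CidrIpv6", c, note) for c in v6]
        payloads.append(perm)
    return payloads


def lambda_handler(event, context):
    """Assumed Lambda entry point for ONE group. boto3 is assumed to exist in the
    runtime. event: {"GroupId", "Regions": [...], "Services": [...], "Port"}."""
    import urllib.request
    import boto3
    with urllib.request.urlopen("https://ip-ranges.amazonaws.com/ip-ranges.json") as resp:
        ip_ranges = json.load(resp)
    desired = select_prefixes(ip_ranges, set(event["Regions"]), set(event["Services"]))
    limit = event.get("RulesPerGroup", 50)
    if len(desired) > limit:  # caller must spread the set over more groups
        raise ValueError(f"{len(desired)} CIDRs exceed the {limit}-rule limit of one group")
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[event["GroupId"]])["SecurityGroups"][0]
    add, revoke = diff_cidrs(current_cidrs(sg, event["Port"]), desired)
    if revoke:  # no Description on revoke: match on protocol/port/CIDR only
        ec2.revoke_security_group_ingress(
            GroupId=sg["GroupId"], IpPermissions=ip_permissions(revoke, event["Port"], note=None))
    if add:
        ec2.authorize_security_group_ingress(
            GroupId=sg["GroupId"], IpPermissions=ip_permissions(add, event["Port"], limit))
    return {"added": add, "revoked": revoke}


if __name__ == "__main__":
    desired = select_prefixes(SAMPLE_IP_RANGES, {"us-east-1"}, {"EC2"})
    add, revoke = diff_cidrs(current_cidrs(SAMPLE_SG, 3306), desired)
    print("add:", add, "revoke:", revoke)
    print(json.dumps(ip_permissions(add, 3306), indent=1))
```

Offline, the sample yields three desired CIDRs for us-east-1/EC2 (the AMAZON duplicate of 192.0.2.0/24 collapses into one rule), one new v4 range and one v6 range to add, and the stale eu-west-1 range to revoke. For more than one group, invoke the handler once per group with a disjoint slice of the desired set, or call ip_permissions() on the full list and hand each payload to a different GroupId. Trigger it on a schedule or from the change notification AWS publishes for this file, as the AWS Labs sample does, so the rules track the published ranges rather than a one-off snapshot.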
