
Is there a way to set a static IP on an AWS RDS Instance?

So for a project that I am working on at my office, I have a .NET application that will be storing and retrieving data to/from an AWS RDS MySQL Server that I have set up. The problem that I have run into is that port 3306 is not open on the work network.

I have reached out to my networking department to see what they can do about opening this port. They asked me if there was a way to set a static IP on this AWS RDS Instance. They only want to open the port based on the server's IP address rather than open port 3306 completely, for security reasons, they say. After some research, I have seen that it is possible to set an elastic IP (similar to a static IP?) on an AWS EC2 instance, but I am curious about setting a static IP on an AWS RDS Instance. I did not see anything on the AWS Dashboard about setting a static IP for my RDS Instance. The reason behind the static IP is so that when the IP associated with the endpoint DNS that they provide changes, they won't need to adjust the firewall settings to accommodate this change.

  1. Is it possible to have the port open for only this specific DNS endpoint that AWS provides? If not, is it possible to set the IP to static on the RDS instance?
  2. What sort of security concerns are there if they were to completely open port 3306?

Thank you!

You don't need a fixed IP for an RDS instance. When you create an RDS instance, the AWS service defines a URL for your instance. This URL is fixed. Even in case of an IP change, the URL will still route to the correct instance.

You can tell your IT team to create a firewall rule on port 3306 for the RDS instance URL and it will work fine.

About the security, the idea is to close inbound connections on port 3306 to your site. This will block anyone trying to connect to your internal instances, while at the same time you can still connect to all hosts on the internet using this port. There is no need to close all the outbound connections. But...

It is an information security best practice to apply the least-privilege access principle. This means: only allow what is specifically needed. If they open the port for all hosts, maybe in the future someone can discover a new vulnerability and exploit it, because no one in your IT team will remember why it was needed to open the port for all hosts. So... they keep open only what is needed.
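A firewall rule on an egress allowlist is ultimately written against IP addresses, not DNS names, so the practical way to follow the answer above is to resolve the RDS endpoint name, permit port 3306 only toward the addresses it currently resolves to, and re-run the check periodically because those addresses can change. The script below is an added example, not code from the original question or answer; the endpoint name, the canned resolver answer and the starting allowlist are constructed for illustration, and the `sync_allowlist` helper is hypothetical (it produces the change list a firewall ticket would need, rather than talking to any real firewall). It also flags rules such as `0.0.0.0/0`, the "open 3306 to everyone" case the answer warns against.

```python
"""Keep an egress allowlist for port 3306 in step with the addresses an
RDS endpoint resolves to, and flag rules broader than a single host.

Added example, not part of the original Q&A. Endpoint name, sample
allowlist and the fake resolver below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable

# Hypothetical endpoint; real RDS endpoints look like
# <db-id>.<random>.<region>.rds.amazonaws.com
ENDPOINT = "mydb.abc123.us-east-1.rds.amazonaws.com"
PORT = 3306


def resolve_endpoint(hostname: str, port: int = PORT) -> set[str]:
    """Ask the system resolver for every address behind hostname (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)}


def as_host_rules(addrs: Iterable[str]) -> set[str]:
    """Single-host CIDRs (/32 or /128) for each resolved address.
    ipaddress.ip_address() raises ValueError on anything that is not an IP,
    so a garbled lookup can never silently turn into a wider rule."""
    rules = set()
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rules.add(f"{ip}/{ip.max_prefixlen}")
    return rules


def allowlist_delta(current_rules: Iterable[str], resolved: Iterable[str]) -> tuple[set[str], set[str]]:
    """(to_add, to_remove): the changes that make the allowlist match exactly
    the addresses the endpoint resolves to right now."""
    wanted = as_host_rules(resolved)
    current = set(current_rules)
    return wanted - current, current - wanted


def overly_broad(rules: Iterable[str]) -> list[str]:
    """Rules that permit more than one destination host, e.g. 0.0.0.0/0.
    These violate least privilege for a rule meant for one database endpoint."""
    return sorted(r for r in rules if ipaddress.ip_network(r, strict=False).num_addresses > 1)


def sync_allowlist(current_rules: Iterable[str], hostname: str = ENDPOINT,
                   resolver: Callable[[str], Iterable[str]] = resolve_endpoint) -> dict:
    """Resolve the endpoint now and report what a firewall change needs.
    The resolver is injectable so the logic can run offline in tests."""
    resolved = set(resolver(hostname))
    if not resolved:
        # An empty DNS answer must never be read as "remove every rule".
        raise RuntimeError(f"{hostname} did not resolve; leaving allowlist unchanged")
    to_add, to_remove = allowlist_delta(current_rules, resolved)
    return {
        "endpoint": hostname,
        "port": PORT,
        "resolved": sorted(resolved),
        "add": sorted(to_add),
        "remove": sorted(to_remove),
        "too_broad": overly_broad(current_rules),
    }


if __name__ == "__main__":
    # Constructed sample: a stale allowlist (one stale host plus a wide-open
    # rule) and a canned resolver answer, so the script runs without network.
    stale_rules = {"203.0.113.5/32", "203.0.113.9/32", "0.0.0.0/0"}
    fake_resolver = lambda host: ["203.0.113.5", "203.0.113.6"]
    print(sync_allowlist(stale_rules, resolver=fake_resolver))
```

Run it from cron or a scheduled job and feed `add`/`remove` to whatever manages the firewall; the `too_broad` list is the audit check for the "opened for all hosts" drift the answer describes. Because only `resolve_endpoint` touches the network, the remaining logic can be tested with a canned resolver.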
