
How to whitelist a large list of IP addresses on AWS EC2 instances?

I have a large list of IPs (>100) that need to be whitelisted for both inbound and outbound communication on EC2 instances. Is there a way to whitelist them collectively? (The IPs also don't belong to a range and are discontinuous.) We are currently using security groups for whitelisting IPs, but I couldn't find an easy way to whitelist a large collection of IPs.

PS - I tried exploring IP sets in AWS WAF, but it requires setting up an application load balancer; additionally, since we are already using security groups, blocking IPs at the application layer (via WAF) will also block IPs that are already whitelisted at the EC2 level.

Thanks in advance!

For EC2 port access the best option you have is security groups. But you had better use IaC to manage this, such as Terraform or CloudFormation - it will help you manage the IP list better and keep them all in one file.

Here is a reference for Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

You can use managed prefix lists, which make it easier to configure and maintain your security groups.

Keep in mind that every entry in the prefix list counts as a rule in your SG, so you will probably need to request an increase of the default quota (60 inbound and 60 outbound rules per security group).

Another easy option is to maintain a CSV file to store the IP addresses and use a Python script to update your security group. Since working with Excel/CSV files is more popular, you can easily find Python scripts that read CSV files and then use boto3 to update your security group.
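The two answers above (prefix lists constrained by the per-SG rule quota, and a CSV driven by a boto3 script) share one planning problem: turn a messy list of addresses into the smallest set of rules and split it so no security group exceeds its quota. The script below is an added example, not code from either answerer. It parses a constructed CSV, drops invalid and duplicate rows, collapses adjacent addresses into CIDRs (each CIDR is one rule, so this directly reduces quota pressure), chunks the result against the quota, and builds the `authorize_security_group_ingress` payloads. The security group IDs and the quota of 2 used in the demo are placeholders; the boto3 client is injected so the script runs offline as a dry run. Only inbound rules are built, since a security group is stateful.

```python
"""
Plan and (optionally) apply security-group ingress rules from a CSV allow-list.
Added example, not from the original answers. Only the standard library is needed
for the planning step; the boto3 client is injected so the demo runs offline.
"""
import csv
import io
import ipaddress

# Default inbound rules per security group, as quoted in the answer above.
DEFAULT_RULE_QUOTA = 60

# Constructed sample CSV: a duplicate row, a CIDR block, a host adjacent to it, and a typo.
SAMPLE_CSV = """ip,comment
203.0.113.10,office-a
203.0.113.11,office-b
203.0.113.10,duplicate of office-a
198.51.100.0/28,partner block
198.51.100.16,partner host next to the block
not-an-ip,typo row
"""


def load_networks(csv_text):
    """Parse the CSV into deduplicated ip_network objects; invalid rows are reported, not applied."""
    nets, skipped = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.add(ipaddress.ip_network(row["ip"].strip(), strict=False))
        except ValueError:
            skipped.append(row["ip"])
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen)), skipped


def collapse(nets):
    """Merge adjacent or overlapping networks so each CIDR costs one rule instead of several."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def plan_rules(networks, port, quota=DEFAULT_RULE_QUOTA):
    """Split the CIDRs into groups that fit the per-SG rule quota and build one
    authorize_security_group_ingress payload per group. More than one payload means
    more than one security group (or a quota increase) is needed."""
    payloads = []
    for i in range(0, len(networks), quota):
        group = networks[i:i + quota]
        perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        v4 = [{"CidrIp": str(n)} for n in group if n.version == 4]
        v6 = [{"CidrIpv6": str(n)} for n in group if n.version == 6]
        if v4:
            perm["IpRanges"] = v4
        if v6:
            perm["Ipv6Ranges"] = v6
        payloads.append({"IpPermissions": [perm]})
    return payloads


def apply_rules(payloads, group_ids, ec2=None):
    """Push each payload to one security group. ec2 is a boto3 EC2 client; None means dry run."""
    if len(group_ids) < len(payloads):
        raise ValueError(f"{len(payloads)} security groups needed, {len(group_ids)} given")
    for sg, payload in zip(group_ids, payloads):
        perm = payload["IpPermissions"][0]
        count = len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
        if ec2 is None:
            print(f"dry run: {sg} would receive {count} inbound rule(s)")
        else:
            ec2.authorize_security_group_ingress(GroupId=sg, **payload)


if __name__ == "__main__":
    nets, skipped = load_networks(SAMPLE_CSV)
    cidrs = collapse(nets)
    print("skipped rows:", skipped)
    print("rules after collapsing:", [str(c) for c in cidrs])
    # quota=2 is only to show the split; the real default is DEFAULT_RULE_QUOTA.
    payloads = plan_rules(cidrs, port=443, quota=2)
    apply_rules(payloads, ["sg-0123EXAMPLE", "sg-4567EXAMPLE"])  # placeholder IDs
```

Run it as-is for the dry run; pass `ec2=boto3.client("ec2")` to `apply_rules` to make the real calls. Note that `authorize_security_group_ingress` adds rules and never removes stale ones, so a reconciliation step (describe the group, revoke entries no longer in the CSV) is needed if the file is the source of truth.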

Maintaining the whitelisted IPs in a security group, which I believe is the best option, you don't need it for both inbound and outbound. Since a security group is stateful, you need to mention the whitelisted IPs in the inbound rule only. (You may have a different use case for outbound, which I am not sure about.)

However, I think the best way to handle it is via automation. You can create a DynamoDB table with the different rule entries and enable a DynamoDB stream; any change triggers a Lambda which in turn creates/amends the security group associated with the EC2 instance.
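A Lambda for the DynamoDB-stream design above, as an added example (not the answerer's code). The table layout is an assumption: a string attribute `cidr` and a numeric attribute `port`, with the stream configured for NEW_AND_OLD_IMAGES so that MODIFY and REMOVE records carry the old row. INSERT authorizes a rule, REMOVE revokes it, and MODIFY revokes the old rule before authorizing the new one. Because stream records are delivered at least once, the handler treats "already exists" and "not found" errors from EC2 as success so a replayed record is harmless. The EC2 client and group ID are injected so the demo runs offline against a recording stand-in; `SECURITY_GROUP_ID` is a hypothetical environment variable name.

```python
"""
Lambda handler for the DynamoDB-stream approach (added example, not from the answer).
Assumed table layout: {"cidr": {"S": "..."}, "port": {"N": "..."}}; stream view NEW_AND_OLD_IMAGES.
"""
import os


def _rule(cidr, port):
    """boto3 IpPermissions entry for one CIDR/port pair (TCP only, for brevity)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def _item(image):
    """Unmarshal the DynamoDB typed image into (cidr, port)."""
    return image["cidr"]["S"], int(image["port"]["N"])


def diff_records(records):
    """Translate stream records into (to_revoke, to_authorize) rule lists.
    INSERT -> authorize; REMOVE -> revoke; MODIFY -> revoke old image, authorize new image."""
    revoke, authorize = [], []
    for rec in records:
        ddb = rec["dynamodb"]
        if rec["eventName"] in ("MODIFY", "REMOVE"):
            revoke.append(_rule(*_item(ddb["OldImage"])))
        if rec["eventName"] in ("INSERT", "MODIFY"):
            authorize.append(_rule(*_item(ddb["NewImage"])))
    return revoke, authorize


def _tolerate(call, *codes, **kwargs):
    """Run one EC2 call, ignoring error codes that mean the rule is already in the desired
    state. Stream records are delivered at least once, so the handler must be re-runnable."""
    try:
        call(**kwargs)
    except Exception as exc:  # botocore ClientError exposes .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code not in codes:
            raise


def handler(event, context, ec2=None, group_id=None):
    """Lambda entry point; ec2/group_id are injectable for offline runs."""
    group_id = group_id or os.environ.get("SECURITY_GROUP_ID")  # assumed env var name
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    revoke, authorize = diff_records(event.get("Records", []))
    # Revoke first so a MODIFY that only changes the port never leaves both rules in place.
    if revoke:
        _tolerate(ec2.revoke_security_group_ingress, "InvalidPermission.NotFound",
                  GroupId=group_id, IpPermissions=revoke)
    if authorize:
        _tolerate(ec2.authorize_security_group_ingress, "InvalidPermission.Duplicate",
                  GroupId=group_id, IpPermissions=authorize)
    return {"revoked": len(revoke), "authorized": len(authorize)}


# Constructed sample stream event: one insert, one port change, one delete.
SAMPLE_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {
        "NewImage": {"cidr": {"S": "203.0.113.10/32"}, "port": {"N": "443"}}}},
    {"eventName": "MODIFY", "dynamodb": {
        "OldImage": {"cidr": {"S": "198.51.100.5/32"}, "port": {"N": "22"}},
        "NewImage": {"cidr": {"S": "198.51.100.5/32"}, "port": {"N": "2222"}}}},
    {"eventName": "REMOVE", "dynamodb": {
        "OldImage": {"cidr": {"S": "192.0.2.7/32"}, "port": {"N": "443"}}}},
]}


class RecordingEC2:
    """Stand-in for the boto3 EC2 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kw):
        self.calls.append(("revoke", kw))

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize", kw))


if __name__ == "__main__":
    fake = RecordingEC2()
    print(handler(SAMPLE_EVENT, None, ec2=fake, group_id="sg-EXAMPLE"))  # placeholder ID
    for name, kw in fake.calls:
        print(name, [f"{r['IpRanges'][0]['CidrIp']}:{r['FromPort']}" for r in kw["IpPermissions"]])
```

The Lambda's execution role needs only `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` scoped to that one group; the same 60-rule default quota mentioned earlier still applies, so the table should not be allowed to grow past it without a quota increase.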

I know it's pretty late, but you can allow all IPs on your security group and, inside your EC2 machine if it's Linux based, set iptables to explicitly allow those IP addresses and block anything else.

# Accept replies to connections the host itself opened; unlike a security group, iptables is not stateful without this rule
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT   # allow list; a comma-separated -s expands to one rule per address
iptables -A INPUT -j DROP                    # block everything else (the original '-d ip2' limited the drop to a single destination)
