
How do I restrict RethinkDB access to a specific application?

I have an elastic beanstalk app that uses a rethink-db instance as its database. The obvious thing to do would be to restrict access to the database to only this application.

But if I set the relevant port in the security group of the Rethinkdb instance to anything other than 0.0.0.0, the application can't reach the DB.

The application is using the private DNS of the database for resolution and is in the same amazon region... as far as I understand, this alone should already get me past the security group without any rules. Not in this case, apparently.

I have tried adding an exception for the application's security group to the database's security group on that port, as well as the security group of the load balancer of the application. I have also tried both at the same time. No dice.

The beanstalk-app is scalable, so it usually communicates from several instances that can change at a whim. Going over an elastic IP and allowing that in the database's security group is therefore not an option, unfortunately.

In the end, I'm forced to leave the security group of the RethinkDB on the driver port wide open at 0.0.0.0... Anything else I've tried made it unreachable for my own application.

Can anybody tell me what I'm doing wrong?

as far as I understand, this alone should already get me past the security group without any rules

That's not correct. You always have to have a security group rule to allow access. All inbound traffic is blocked by default.

I have tried adding an exception for the application's security group to the database's security group on that port

That sounds like exactly what you need to do. You need to create an inbound rule in the security group assigned to the database server. In that rule you would specify the ID of the security group that the Elastic Beanstalk instances belong to.

If that isn't working, then you might need to post more information in your question, like the actual security group settings.

Also, you need to make sure your EB instances are trying to connect to the database server via the private IP of the DB server. Your issue sounds like maybe they are using the public IP of the DB server. I know you said they are using the private DNS of the DB server, but you need to make certain that is the case, and make certain that DNS is correctly resolving to the private IP, when referenced from the EB instances.
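An added example, not part of the question or the answer above, that puts the answer's two points into a script: open the DB security group only to the security group the Elastic Beanstalk instances belong to, on the driver port alone, and then verify from an EB instance that the DB's private DNS name actually resolves to a private address before trying the port. The group ids, the host name and the driver port 28015 (RethinkDB's default) are placeholders and assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders, override via env:
DB_SG="${DB_SG:-sg-REPLACE_WITH_DB_GROUP}"      # security group of the RethinkDB instance
APP_SG="${APP_SG:-sg-REPLACE_WITH_EB_GROUP}"    # security group of the Elastic Beanstalk instances
DB_HOST="${DB_HOST:-ip-10-0-0-10.ec2.internal}" # constructed private DNS name of the DB
DRIVER_PORT="${DRIVER_PORT:-28015}"             # RethinkDB default client driver port (assumed)

# Returns 0 when a dotted-quad IPv4 address lies in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16). An EB instance must see such an address for the
# DB host; a public IP means the traffic leaves the VPC path the SG rule covers.
is_private_ipv4() {
  ip=$1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac   # every octet must be numeric
    [ "$o" -le 255 ] || return 1
  done
  case "$1" in
    10) return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# Resolves a host name the way the EB instance does and checks the first answer.
resolved_is_private() {
  ip=$(getent hosts "$1" | awk '{print $1; exit}')
  [ -n "$ip" ] || { echo "could not resolve $1" >&2; return 1; }
  echo "$1 -> $ip"
  is_private_ipv4 "$ip"
}

# Step 1 (admin machine with AWS CLI): inbound rule on the DB group whose
# source is the EB instances' security group, not a single IP, so autoscaled
# instances are covered and nothing else reaches the driver port.
add_driver_port_rule() {
  aws ec2 authorize-security-group-ingress \
    --group-id "$DB_SG" --protocol tcp --port "$DRIVER_PORT" \
    --source-group "$APP_SG"
}

# Step 2 (run on an EB instance): private resolution first, then a TCP probe.
check_from_app_instance() {
  resolved_is_private "$DB_HOST" && nc -z -w 3 "$DB_HOST" "$DRIVER_PORT"
}
```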
