Automatically add a range of IP in security group in AWS

Question

My RDS instance is configured to only accept connections from EC2 Security group. I connect my SQL client via SSH.

This is OK, but now, I have an external service that also need to connect DB.

This services tells me that he will use this range of IP: https://ip-ranges.amazonaws.com/ip-ranges.json

So, I must whitelist it in my RDS Security Group.

My question: How can I add this json to my SG automatically.

Thanks

Answer 1

There is no automated way to apply that set of IP ranges automatically. You'll need to parse it and apply the ranges yourself. Use your favourite tool of choice (bash, python, c#, manually).

However, the JSON file he gave you is the IP ranges for all of AWS in all regions.

If your external service could tell you which regions they use, you can reduce that list significantly.

For example, if you can reduce it to just Virginia region (us-east-1), then there are 187 IP blocks to apply.

By default, security groups have a limit of 50 rules. There's a limit of 5 network security groups per network interface. So basically you're looking at a hard limit of 250 rules.

If you want, you can contact AWS support and they can adjust the rule-per-security-group limit to 250 by decreasing the security-groups-per-network-interface limit to 1. Or you can spread up to 250 rules over 5 security groups.

Source: Amazon VPC Limits

If you need more than 250 rules, you'll need to setup a proxy with 2+ public IP addresses to accommodate the extra security groups required.

Additional Note:

Applying all of these IP ranges would allow anyone to connect to your RDS instance from an AWS instance. This may be too wide a security hole to open.

Answer 2

You can setup a lambda function to do this for you. Here is a script example in python from AWS labs that does it for an ELB security group and the cloudfront ip address range.

https://github.com/awslabs/aws-cloudfront-samples/tree/master/update_security_groups_lambda