
How to whitelist a large list of IP addresses on AWS EC2 instances?

I have a large list of IPs (>100) that need to be whitelisted for both inbound and outbound communication on EC2 instances. Is there a way to whitelist them collectively? (The IPs also don't belong to a range and are discontinuous.) We are currently using security groups for whitelisting IPs, but I couldn't find an easy way to whitelist a large collection of IPs.

PS- I tried exploring IP sets in AWS WAF, but it requires setting up an application load balancer, additionally since we are already using security groups, blocking IPs at the application layer (via WAF) will also block IPs that are already whitelisted at the EC2 level.

Thanks in Advance!

For EC2 port access the best option you have is security groups. But you had better use IaC to manage this, such as Terraform or CloudFormation - it will help you better manage the IP list and keep them all in one file.

Here is a reference for Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

You can use managed prefix lists, which make it easier to configure and maintain your security groups.

Keep in mind that every entry in the prefix list counts as a rule in your SG, so you will probably need to request an increase of the default quota (60 inbound and 60 outbound rules per security group).

Another easy option is to maintain a CSV file to store the IP addresses and use a Python script to update your security group. Since working with Excel/CSV files is more popular, you can easily find Python scripts to read CSV files and then use boto3 to update your security group.
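An added example (not from any of the answers above) of the CSV-to-security-group approach, which also enforces the per-SG rule quota mentioned in the prefix-list answer: the planning functions run offline on a constructed CSV sample and a constructed IpPermissions list; the security group id, port, and the call to boto3 are assumptions about how it would be wired up.

```python
import csv
import io
import ipaddress

# Default rule quota per security group quoted above (adjustable via AWS Service Quotas).
DEFAULT_SG_RULE_QUOTA = 60

# Constructed sample of the CSV the answer describes: one address or CIDR per row.
SAMPLE_CSV = """ip,description
203.0.113.10,office-a
203.0.113.11,office-a
198.51.100.0/28,partner-vpn
203.0.113.10,duplicate-of-office-a
"""

def load_cidrs(csv_text):
    """Parse the CSV into sorted, de-duplicated CIDRs; malformed rows raise ValueError."""
    cidrs = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["ip"].strip(), strict=True)  # bare IPs become /32
        cidrs.add(str(net))
    return sorted(cidrs)

def current_cidrs(permissions, port, proto="tcp"):
    """CIDRs already present for one port in a describe_security_groups() IpPermissions list."""
    return sorted(
        r["CidrIp"]
        for p in permissions
        if p.get("IpProtocol") == proto and p.get("FromPort") == port and p.get("ToPort") == port
        for r in p.get("IpRanges", [])
    )

def plan_changes(desired, existing, port, proto="tcp", quota=DEFAULT_SG_RULE_QUOTA):
    """Return (to_authorize, to_revoke) IpPermissions payloads; refuse plans over the quota."""
    if len(desired) > quota:
        raise ValueError(f"{len(desired)} rules exceed the SG quota of {quota}; raise it or use prefix lists")
    def perm(cidrs):
        return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c} for c in cidrs]}]
    add = sorted(set(desired) - set(existing))
    drop = sorted(set(existing) - set(desired))
    return (perm(add) if add else []), (perm(drop) if drop else [])

def apply_changes(sg_id, to_authorize, to_revoke):
    """Push a plan with boto3 (imported lazily so the planning functions above run offline)."""
    import boto3
    ec2 = boto3.client("ec2")
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=to_revoke)
    if to_authorize:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=to_authorize)
```

Run plan_changes() first and review the revoke list before calling apply_changes(); revoking happens before authorizing, so a bad CSV can cut off access you still need.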

Maintaining the whitelisted IPs in a security group, which is the best option I believe, you don't need for both inbound and outbound. Since a security group is stateful, you need to mention the whitelisted IPs in the inbound rule only. (You may have a different use case for outbound, which I am not sure about.)

However, I think the best way to handle it is via automation. You can create a DynamoDB table with different rule entries and enable a DynamoDB stream; any change triggers a Lambda which in turn creates/amends the security group associated with the EC2.

I know it's pretty late, but you can allow all IPs on your security group and, inside your EC2 machine, if it's Linux based, set iptables to explicitly allow those IP addresses and block anything else.

# Accept the whitelisted sources (iptables expands a comma-separated -s into one rule per address)
iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT
# Drop all other inbound traffic, regardless of destination address
iptables -A INPUT -j DROP
