AWS EC2 – How to Fix Security Group to Allow Specific IP Address

amazon ec2amazon-web-servicesputty

I can connect to AWS EC2 Instance using PuTTY at my home by laptop. But when I bring the laptop to some cafe that provides free Wifi, it ends up with timeout error.

In order to solve this problem, I need to fix the security group attached to the EC2 instance to allow the connection from the cafe’s public IP.

Here is what I've done.

1.Log into AWS ec2

Search for "VPC" in the search bar at the top
Click on VPC
Click on "security groups" on the left

After that, I have no idea what should I do.
I guess I should register Cafe's IP address to security groups but I don't know
how to do…

Please advise me next step.

Best Answer

When you are at a Cafe and use public wifi, i suggest to use this site to get your correct public IP address.

https://showip.net/

From your Security Group, please follow the below steps:

Edit Inbound rule
Add an ingress rule with SSH/22 and input your /32 (Remember to use /32)
Click "Save"

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

At step 2, you can use a button named "My IP" which AWS automatically loads your public IP address.

Related Solutions

How to authorize connections to non-VPC EC2 instances from the instances in a VPC via the igw-xxxx Internet Gateway

In order for the 10.0.0.88 instance to access the Internet (or EC2) via the Internet Gateway (IGW), the instance either needs to have an associated Elastic IP Address or needs to be talking through a NAT instance (which has an Elastic IP Address).

To lock down an EC2 security group to allow traffic from the VPC instance, specify the allowed source as the Elastic IP Address from either the instance itself or the NAT instance, as discussed above (ex. 192.0.2.25/32).

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Best Answer

Related Solutions

How to authorize connections to non-VPC EC2 instances from the instances in a VPC via the igw-xxxx Internet Gateway

AWS CloudFormation: VPC default security group

Related Topic