Whitelist multiple public IPs across security groups in AWS

Tags: amazon-web-services, security-groups

We have a bunch of 50-odd external (non-AWS) servers that we need to whitelist across many (~50) security groups (VPC). Apart from the constraint on the number of rules, adding and removing entries to/from all the groups one by one is a pain.

I tried adding all the external IPs to a separate SG and whitelisting that SG in other SGs, but apparently that works only for internal (AWS) instances [1].

[1] Can't give access to all servers belonging to a security group in AWS

Is there any other way to achieve this?

Best Answer

When you say you are "whitelisting that SG in other SGs", what exactly do you mean?

I would simply create a single security group with these rules and assign that security group to all instances. An instance can have multiple security groups, and rules are additive in a permissive sense, i.e. default deny, unless any rule in any security group allows access. You will have to create new instances to change the security groups associated with an EC2 instance, but once it's associated with the groups any changes made are done in real time.

You could also do it with network ACLs, which work at a subnet level. NACLs are like a firewall: they run at the subnet level, though each NACL can apply to multiple subnets. They can add more "deny" rules that apply to all instances in the subnet but can't open up ports that security groups have closed. Remember they're stateless, so you need to add incoming and outgoing rules.

Note that the question/answer you linked to is a very specific situation which doesn't apply to you, regarding using private or public IPs. Security groups apply to private EC2 IPs or public IPs. For example I have security groups set up that allow access only by my CDN provider and my home IP address, which are definitely public IPs.
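The shared-group approach in the answer above, worked through as an added example (this is not code from the question or the answer): keep the external allowlist in one security group, reconcile its rules against the current list so additions and removals are a single idempotent run, and add that group to each instance's existing set. The helper functions run offline on constructed sample data; `apply_allowlist()` needs boto3 and real AWS credentials. The group name `external-allowlist`, the sample addresses (documentation ranges), the ports, the 60-rule ceiling (the current default inbound quota per group; check your account's) and the assumption that the instances live in a VPC whose group membership can be changed in place are all illustrative assumptions.

```python
"""Build and sync a single shared 'external-allowlist' security group.

Added example, not from the original question or answer. The pure helpers
(normalize_cidrs, build_ip_permissions, rule_count, plan_rule_changes) run
offline; apply_allowlist() talks to EC2 via boto3. Group name, sample IPs,
ports and the rule ceiling are assumptions for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data: the kind of list the question describes
# (a bare host, a range, and a duplicate written two ways).
SAMPLE_EXTERNAL_HOSTS = ["203.0.113.5", "198.51.100.0/28", "203.0.113.5/32"]
SAMPLE_PORTS = [443, 22]


def normalize_cidrs(hosts: Iterable[str]) -> List[str]:
    """Turn bare IPs into /32 (or /128), validate, de-duplicate and sort.

    strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/24), which
    would otherwise be widened to the whole network without anyone noticing.
    """
    nets: Set[ipaddress._BaseNetwork] = {ipaddress.ip_network(h, strict=True) for h in hosts}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))]


def build_ip_permissions(cidrs: Iterable[str], ports: Iterable[int],
                         description: str = "external allowlist") -> List[Dict]:
    """Build the IpPermissions list that authorize_/revoke_security_group_ingress
    accept: one TCP entry per port, IPv4 under IpRanges and IPv6 under Ipv6Ranges."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    perms = []
    for port in ports:
        entry: Dict = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        if v4:
            entry["IpRanges"] = [{"CidrIp": c, "Description": description} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": description} for c in v6]
        perms.append(entry)
    return perms


def rule_count(cidrs: Iterable[str], ports: Iterable[int]) -> int:
    """EC2 counts every CIDR x port pair as one rule against the per-group quota."""
    return len(list(cidrs)) * len(list(ports))


def plan_rule_changes(current_cidrs: Iterable[str], desired_hosts: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (to_authorize, to_revoke) so a sync run is idempotent and stale
    entries are removed instead of accumulating."""
    cur, want = set(current_cidrs), set(normalize_cidrs(desired_hosts))
    return sorted(want - cur), sorted(cur - want)


def apply_allowlist(vpc_id: str, hosts: List[str], ports: List[int], instance_ids: List[str],
                    region: str = "us-east-1", group_name: str = "external-allowlist",
                    max_rules: int = 60) -> str:
    """Find or create the shared group, reconcile its ingress rules, attach it."""
    import boto3  # imported here so the offline helpers do not require it

    ec2 = boto3.client("ec2", region_name=region)
    cidrs = normalize_cidrs(hosts)
    if rule_count(cidrs, ports) > max_rules:  # assumed quota; split into more groups if exceeded
        raise ValueError(f"{rule_count(cidrs, ports)} rules exceed the per-group ceiling of {max_rules}")

    found = ec2.describe_security_groups(Filters=[
        {"Name": "group-name", "Values": [group_name]},
        {"Name": "vpc-id", "Values": [vpc_id]},
    ])["SecurityGroups"]
    if found:
        sg_id, existing = found[0]["GroupId"], found[0]["IpPermissions"]
    else:
        sg_id = ec2.create_security_group(GroupName=group_name, VpcId=vpc_id,
                                          Description="Shared allowlist of external hosts")["GroupId"]
        existing = []

    # Only CIDRs on the managed ports are reconciled; other rules are left alone.
    current = {r["CidrIp"] for p in existing if p.get("FromPort") in ports for r in p.get("IpRanges", [])}
    current |= {r["CidrIpv6"] for p in existing if p.get("FromPort") in ports for r in p.get("Ipv6Ranges", [])}
    add, drop = plan_rule_changes(current, cidrs)
    if drop:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=build_ip_permissions(drop, ports))
    if add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=build_ip_permissions(add, ports))

    # Groups= replaces an instance's whole group set, so union with what is already attached.
    for iid in instance_ids:
        inst = ec2.describe_instances(InstanceIds=[iid])["Reservations"][0]["Instances"][0]
        groups = {g["GroupId"] for g in inst["SecurityGroups"]} | {sg_id}
        ec2.modify_instance_attribute(InstanceId=iid, Groups=sorted(groups))
    return sg_id


if __name__ == "__main__":
    print(normalize_cidrs(SAMPLE_EXTERNAL_HOSTS))
    print(plan_rule_changes(["192.0.2.0/24", "203.0.113.5/32"], SAMPLE_EXTERNAL_HOSTS))
```

Running the reconciliation from the current list each time means a removed external host is revoked everywhere in one call, and an unchanged list is a no-op. The quota check matters because the question already hit the per-group rule limit; once the CIDR x port count exceeds it, the list has to be split across several shared groups, each attached alongside the others (the per-interface group count is also capped).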