• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5831

Using a URL instead of an IP address with Amazon Web Service security groups

Is it possible to use a domain name instead of an IP address with Amazon Web Services "Security Groups"?

I have an EC2 instance that I want to allow someone to access via RDP.  I don't allow any traffic to my EC2 instance except from IP addresses that I specifically allow.  The problem is that this person has a dynamic IP address which means that every time the IP address changes, I will need to change my firewall settings.  This person has a domain that resolves to the same IP (i.e. if I ping "myfriendsnetwork.com", this domain resolves to the correct IP address).

I tried entering the domain name instead of the IP address into the exceptions in the firewall, but Amazon does not seem to like it.

I do not want to pay the extra cost for a static IP address (this is very expensive in his country), so I am looking for some way to allow him to RDP into my EC2 instance without opening my firewall to everybody on the planet.

What is the easiest way to accomplish this?  If I could just specify a domain as a firewall exception, it would work, but since the Amazon site does not appear to allow anything but an IP, I don't know what to do.
0
Asked by: jbaird123
3 Solutions
 
btan (Exec Consultant) commented:
Doesn't seem viable to have a security group entry as a domain DNS hostname type ...

Q. Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?
Yes, as long as all communication takes place over the Internet Gateway of each VPC and uses the Elastic IP addresses assigned to the instances in each VPC. Please note: security groups cannot span regions. All traffic filtering between instances in one VPC and instances in another VPC must use the Elastic IP addresses as the specified source or destination address.

Q. Can I assign one or more Elastic IP (EIP) addresses to VPC-based Amazon EC2 instances?
Yes, however, the EIP addresses will only be reachable from the Internet (not over the VPN connection). Each Elastic IP address must be associated with a unique private IP address on the instance. EIP addresses should only be used on instances in subnets configured to route their traffic directly to the Internet Gateway. EIPs cannot be used on instances in subnets configured to use a NAT instance to access the Internet.

However, I saw this RightScale Dyn RightScript which, if I understood correctly, is supposed to update the EIP of the EC2 VPC based on the DynDNS hostname. Meaning it is running some client s/w in the EC2 VPC. If that is viable, the firewall should be able to also create some dynamic address object and have it considered in the rule condition for allow or deny. But the challenge is the client needs to subscribe to DynDNS :(

http://www.idevelopment.info/data/AWS/AWS_Tips/AWS_Management/AWS_16.shtml
http://dyn.com/labs/dynamic-dns-integrations/
http://www.rightscale.com/library/right_scripts/DynDNS-com-Host-Update-to-Curr/9602

Not really an EC2 user, but DDNS may be one way; it also does have its own challenges if the user is not having to create that DDNS account...
0
 
jbaird123 (Author) commented:
Hi breadtan,

Thanks for the information.  I should have specified that I really know very little about firewalls, so most of that information is over my head.  I know enough to configure a basic Linksys router for my home network and that is about all.

In reviewing the articles you sent, it looks like most of the information is related to configuring a machine with a dynamic IP so other computers can connect to it as if it had a static IP.  This is not what I need.  I need to be able to configure my AWS firewall so it will allow traffic from one particular computer regardless if the IP for that computer changes.  The IP for the client computer changes because he has a dynamic IP assigned by his ISP.

I should also add that the AWS firewall is a physically separate device from both computers - the client and the server.  It looks like the articles you posted are more related to configuring the server as a solution to my problem, but this won't work because the firewall is in between the server and the Internet.
0
 
btan (Exec Consultant) commented:
Noted the whole idea is to have your EC2 able to change EIP dynamically. The firewall will allow the hostname instead of the IP address. If we cannot even do it on the EC2 server instance, the firewall configuration is not relevant then.... but when you mentioned the AWS firewall, will you be able to share more on that vendor and brand model so I can do a bit more research :)
0
 
jbaird123 (Author) commented:
breadtan,

The EC2 IP will not change.  This machine has a static IP, and this machine is behind the firewall.  The PC with a dynamic IP is outside the firewall.

I don't know what kind of firewall AWS has.  They just give me a web-based interface to allow me to configure it, but I don't think it is a physical machine like you are thinking.  See the attached image.  This is the only interface I have that allows me to specify which IPs I want to allow.
Capture.PNG
0
 
noci (Software Engineer) commented:
In the general case, firewalls only work on IP traffic, so only IP addresses.
If names are mentioned they get translated to IP addresses before being deployed for actual use.
0
 
jbaird123 (Author) commented:
noci:

I tried doing that because the URL resolves to the IP address I want.  The issue is that Amazon won't let me save that url.
0
 
noci (Software Engineer) commented:
As I said, firewalls only manage IP traffic, based on IP addresses, so no names are used in the operation.

As for URLs, they don't look like hostnames; URLs have a lot more cruft added.
When hostnames are used, AFAICT all firewall implementations only use a built-in resolution database. DNS is never involved.
0
 
shalomc (CTO) commented:
The ec2-authorize and ec2-revoke commands are used to add and remove IP addresses from a security group.

If your person subscribes to a dynamic dns, then it is possible for a script to query the current IP address via the nslookup command.

When the current IP address is known, the script should issue the ec2-authorize command. If possible, it should also issue the ec2-revoke command to delete the old IP from the security group.

Unfortunately I do not have a ready script, but I will try to whip something up over the weekend (unless someone beats me to it )

About security groups
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#APIandCLI

Command line reference
http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-AuthorizeSecurityGroupIngress.html
0
 
btan (Exec Consultant) commented:
Thanks for clarifying on the AWS FW part; seems like it is not possible then (on other FWs this is easily accomplished).

From the security group settings, the possibility for inbound checks also states that you can control access either from named security groups or a source IP address range. You can specify the protocol (TCP, UDP, or ICMP), individual ports or a port range to open. If avoiding the hassle of programming and going for a range, this may be a quick workaround but not neat, e.g. 1.2.3.4/24 (1.2.3.4/32 for a single IP). Security groups use CIDR-based notation.

Below has a useful description of the steps and scenario - IP address is the limit and it seems programmatic is the only way out for the EC2 instance (with adding a running dynamic DNS client getting the new IP and changing the security group allowed IP address)

>About EC2 Security Groups *see ("Access Permissions")

http://support.rightscale.com/12-Guides/Dashboard_Users_Guide/Clouds/AWS_Region/EC2_Security_Groups/Concepts/About_EC2_Security_Groups

>Create a New EC2 Security Group * see ("Add IP-Address-Based Permissions") & ("Add Group-Based Permissions")

http://support.rightscale.com/12-Guides/Dashboard_Users_Guide/Clouds/AWS_Region/EC2_Security_Groups/Actions/Create_a_New_Security_Group


https://jimliddle.sys-con.com/node/1109655/mobile
0
 
btan (Exec Consultant) commented:
Did also see an EC2 forum thread asking for this

https://forums.aws.amazon.com/thread.jspa?messageID=147747

Extracted below

3) Write a little script (or do it manually, but it's more useful if it's automated) to check your public IP address. Then you (or the script) should request to EC2 to update the security group allowing access from that IP address.

Here is a short script that relies on the EC2 API tools to perform this for you:

#! /bin/bash
MY_GROUP=webserver
MY_IP=`curl -s http://whatismyip.org/`
ec2-authorize $MY_GROUP -P tcp -p 80 -s $MY_IP/24
0
 
shalomc (CTO) commented:
The script will eventually be a bit different, if only because this one has to be executed on the PC of the support person, and the PC/user running the script must be authorized to modify the security group.

If you are willing to let this person modify the security group, then it is possible to create an IAM profile and limit the authorization to just this action.
0
 
jbaird123 (Author) commented:
shalomc,

Did you attach a script?  I didn't see one....

Thanks.
0
 
shalomc (CTO) commented:
try this to start with:
@setlocal 
echo off
set PARTNER=myfriendsnetwork.com
set security_Group=mysecurityg

set PORT=3389
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno

for /F "usebackq tokens=3 delims=^[^] " %%a in (`ping -a %PARTNER% ^| find "Pinging"`) do set IP=%%a

echo Authorizing %IP% ...
ec2-authorize %security_Group% -P tcp -p %PORT% -s %IP%/24
@endlocal


0
 
shalomc (CTO) commented:
this script will deauthorize the previous IP address before adding the new one.

@setlocal 
echo off
set PARTNER=myfriendsnetwork.com
set security_Group=mysecurityg

set PORT=3389
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno

for /F "usebackq tokens=10 " %%a in (`ec2-describe-group %security_Group% ^| find "%PORT%"`) do set DEAUTH_CIDR=%%a

echo DeAuthorizing %DEAUTH_CIDR% ...
ec2-revoke %security_Group% -P tcp -p %PORT% -s %DEAUTH_CIDR%

@endlocal


0
 
btan (Exec Consultant) commented:
just slight f/d that if you need to allow a single IP then you will need /32 instead of /24.
0
 
shalomc (CTO) commented:
my bad. saw it yesterday but was in a hurry and forgot to fix it later.

Ideally I would also add error handling and/or logging but I'll leave some work to others :)
0
 
shalomc (CTO) commented:
btw, whatsmyip.com now embeds the IP in an image, so you need either to use another way or use OCR.
0
 
jbaird123 (Author) commented:
shalomc,

Your "authorize" script works perfectly. Thank you for this.

I have a question about your "deauthorize" script.  I didn't run it yet.  I can't tell what it does and how it determines which IP addresses to deauthorize.  The reason I am asking is because the security group that I am working with has several other IP Addresses that have been manually authorized for RDP access, and I don't want to deauthorize these addresses by mistake.  Is it possible to make sure that this script deauthorizes all IPs "except" certain IPs?

Thanks!
0
 
shalomc (CTO) commented:
try this

@setlocal 
echo off
SETLOCAL ENABLEEXTENSIONS
setlocal EnableDelayedExpansion

set PARTNER=myfriendsnetwork.com
set security_Group=mysecurityg

set PORT=3389
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno

for /F "usebackq tokens=10 " %%a in (`ec2-describe-group %security_Group% ^| find "%PORT%"`)  do (
        echo found %%a
        set FLAG=
        IF "%%a"=="1.1.1.1/32" set FLAG=1
        IF "%%a"=="2.2.2.2/32" set FLAG=1
        REM .... add more CIDR to keep
        IF defined FLAG (
                        echo Keeping %%a ...
        ) else (
                        echo DeAuthorizing %%a ...
                        ec2-revoke %security_Group% -P tcp -p %PORT% -s %%a
        )
)

@endlocal 


0
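The same reconcile logic as an added Python 3 example (not shalomc's batch script and not anything from the thread), written against the current `aws` CLI commands `describe-security-groups`, `authorize-security-group-ingress` and `revoke-security-group-ingress`, which replaced the `ec2-*` API tools used above. It combines what shalomc described earlier (resolve the partner's dynamic-DNS name, revoke the stale rule, authorize the new one), the keep-list from the script just above, and btan's correction that a single host must be /32 rather than /24. `sg-EXAMPLE`, the keep list and the hostname are placeholders to edit; the `resolve_partner` resolver is injectable so the decision functions can be exercised offline, and AWS is only modified when `reconcile(dry_run=False)` is called.

```python
"""Reconcile an EC2 security-group RDP rule with a partner's dynamic-DNS name.

Added example for this thread, not shalomc's script.  Assumptions:
- the `aws` CLI is installed with credentials allowed to describe,
  authorize and revoke ingress on the group;
- GROUP_ID, PARTNER_HOST and KEEP_CIDRS below are placeholders to edit.
"""
import ipaddress
import json
import socket
import subprocess

GROUP_ID = "sg-EXAMPLE"                    # placeholder, not a real group id
PARTNER_HOST = "myfriendsnetwork.com"      # the partner's DDNS name from the thread
KEEP_CIDRS = ["1.1.1.1/32", "2.2.2.2/32"]  # manually authorised entries to leave alone
PORT = 3389                                # RDP
PROTOCOL = "tcp"


def resolve_partner(hostname, resolver=socket.gethostbyname):
    """Resolve the DDNS name and return it as a single-host /32 CIDR.

    The resolver is injectable so the decision logic can be tested offline.
    """
    ip = ipaddress.ip_address(resolver(hostname))
    if ip.version != 4:
        raise ValueError(f"{hostname} resolved to a non-IPv4 address: {ip}")
    return f"{ip}/32"


def extract_port_cidrs(describe_output, port=PORT, protocol=PROTOCOL):
    """Pull the CIDRs allowed on exactly `port` out of describe-security-groups JSON."""
    cidrs = []
    for group in describe_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            if (perm.get("IpProtocol") == protocol
                    and perm.get("FromPort") == port
                    and perm.get("ToPort") == port):
                cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def plan_changes(current_cidrs, new_cidr, keep_cidrs):
    """Return (revoke, authorize).

    Revoke every rule on the port that is neither in the keep list nor the
    partner's new address; authorize the new address only if it is not already
    present.  The partner entry must be a single host (/32), never a /24.
    """
    new_net = ipaddress.ip_network(new_cidr, strict=False)
    if new_net.prefixlen != 32:
        raise ValueError(f"partner address must be a /32, got {new_cidr}")
    new = str(new_net)
    keep = {str(ipaddress.ip_network(c, strict=False)) for c in keep_cidrs}
    current = [str(ipaddress.ip_network(c, strict=False)) for c in current_cidrs]
    revoke = sorted(c for c in current if c not in keep and c != new)
    authorize = [] if new in current else [new]
    return revoke, authorize


def build_commands(group_id, revoke, authorize, port=PORT, protocol=PROTOCOL):
    """Translate a plan into aws CLI invocations (revokes first, then the add)."""
    base = ["aws", "ec2"]
    tail = ["--group-id", group_id, "--protocol", protocol, "--port", str(port)]
    cmds = [base + ["revoke-security-group-ingress"] + tail + ["--cidr", c] for c in revoke]
    cmds += [base + ["authorize-security-group-ingress"] + tail + ["--cidr", c] for c in authorize]
    return cmds


def reconcile(group_id=GROUP_ID, hostname=PARTNER_HOST, keep_cidrs=KEEP_CIDRS, dry_run=True):
    """Describe the group, plan the change, and apply it unless dry_run."""
    out = subprocess.run(
        ["aws", "ec2", "describe-security-groups", "--group-ids", group_id, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    current = extract_port_cidrs(json.loads(out))
    revoke, authorize = plan_changes(current, resolve_partner(hostname), keep_cidrs)
    cmds = build_commands(group_id, revoke, authorize)
    for cmd in cmds:
        print(("DRY RUN: " if dry_run else "running: ") + " ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    reconcile()  # dry run by default; call reconcile(dry_run=False) to apply
```

Run it from the partner's PC on a schedule (or whenever the address changes) under an IAM user limited to these three actions on this one group, as shalomc suggested above; the dry run prints the exact commands it would issue, which is the place to confirm the keep list is complete before switching `dry_run` off.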
 
shalomc (CTO) commented:
Donate the saved bill to a local charity, or go buy your buddies a round :)
0
 
jbaird123 (Author) commented:
shalomc,

This works perfectly!  Thank you very much.
0
