jbaird123
asked on
Using a URL instead of an IP address with Amazon Web Service security groups
Is it possible to use a domain name instead of an IP address with Amazon Web Services "Security Groups"?
I have an EC2 instance that I want to allow someone to access via RDP. I don't allow any traffic to my EC2 instance except from IP addresses that I specifically allow. The problem is that this person has a dynamic IP address which means that every time the IP address changes, I will need to change my firewall settings. This person has a domain that resolves to the same IP (i.e. if I ping "myfriendsnetwork.com", this domain resolves to the correct IP address).
I tried entering the domain name instead of the IP address into the exceptions in the firewall, but Amazon does not seem to like it.
I do not want to pay the extra cost for a static IP address (this is very expensive in his country), so I am looking for some way to allow him to RDP into my EC2 instance without opening my firewall to everybody on the planet.
What is the easiest way to accomplish this? If I could just specify a domain as a firewall exception, it would work, but since the Amazon site does not appear to allow anything but an IP, I don't know what to do.
ASKER
Hi breadtan,
Thanks for the information. I should have specified that I really know very little about firewalls, so most of that information is over my head. I know enough to configure a basic Linksys router for my home network and that is about all.
In reviewing the articles you sent, it looks like most of the information is related to configuring a machine with a dynamic IP so other computers can connect to it as if it had a static IP. This is not what I need. I need to be able to configure my AWS firewall so it will allow traffic from one particular computer regardless if the IP for that computer changes. The IP for the client computer changes because he has a dynamic IP assigned by his ISP.
I should also add that the AWS firewall is a physically separate device from both computers - the client and the server. It looks like the articles you posted are more related to configuring the server as a solution to my problem, but this won't work because the firewall is in between the server and the Internet.
Noted, the whole idea is to have your EC2 able to change EIP dynamically. The firewall will allow the hostname instead of the IP address. If we cannot even do it on the EC2 server instance, the firewall configuration is not relevant then....but when you mentioned the AWS firewall, will you be able to share more on that vendor and brand model so I can do a bit more research :)
ASKER
breadtan,
The EC2 IP will not change. This is machine has a static IP, and this machine is behind the firewall. The PC with a dynamic IP is outside the firewall.
I don't know what kind of firewall AWS has. They just give me a web-based interface to allow me to configure it, but I don't think it is a physical machine like you are thinking. See the attached image. This is the only interface I have that allows me to specify which IPs I want to allow.
Capture.PNG
In the general case, firewalls only work on IP traffic, so only IP addresses.
If names are mentioned they get translated to IP addresses before being deployed for actual use.
ASKER
noci:
I tried doing that because the URL resolves to the IP address I want. The issue is that Amazon won't let me save that url.
As I said, firewalls only manage IP traffic, based on IP addresses, so no names are used in the operation.
As for URLs, they don't look like hostnames; URLs have a lot more cruft added.
When hostnames are used, AFAICT all firewall implementations only use a built-in resolution database. DNS is never involved.
SOLUTION
Thanks for clarifying on the AWS FW part, seems like not possible then (other FW this is easily accomplished).
From the security group settings, the possibility for inbound checks also states that you can control access either from named security groups or from a source IP address range. You can specify the protocol (TCP, UDP, or ICMP), individual ports or a port range to open. If avoiding the hassle of programming and going for a range, this may be a quick workaround but not neat, e.g. 1.2.3.4/24 (1.2.3.4/32 for a single IP). Security groups use CIDR-based notation.
Below has a useful description of the steps and scenario - the IP address is the limit and it seems programmatic is the only way out for the EC2 instance (with adding of a running dynamic DNS client getting the new IP and changing the security group allow IP address)
>About EC2 Security Groups *see ("Access Permissions")
http://support.rightscale.com/12-Guides/Dashboard_Users_Guide/Clouds/AWS_Region/EC2_Security_Groups/Concepts/About_EC2_Security_Groups
>Create a New EC2 Security Group * see ("Add IP-Address-Based Permissions") & ("Add Group-Based Permissions")
http://support.rightscale.com/12-Guides/Dashboard_Users_Guide/Clouds/AWS_Region/EC2_Security_Groups/Actions/Create_a_New_Security_Group
https://jimliddle.sys-con.com/node/1109655/mobile
Also saw the EC2 forum asking for this
https://forums.aws.amazon.com/thread.jspa?messageID=147747#147747
Extracted below
3) Write a little script (or do it manually, but it's more useful if it's automated) to check your public IP address. Then you (or the script) should request to EC2 to update the security group allowing access from that IP address.
Here is a short script that relies on the EC2 API tools to perform this for you:
#! /bin/bash
MY_GROUP=webserver
MY_IP=`curl -s http://whatismyip.org/`
ec2-authorize $MY_GROUP -P tcp -p 80 -s $MY_IP/24
The script will eventually be a bit different, if only because this one has to be executed on the PC of the support person, and the PC/user running the script must be authorized to modify the security group.
If you are willing to let this person modify the security group, then it is possible to create an IAM profile and limit the authorization to just this action.
ASKER
shalomc,
Did you attach a script? I didn't see one....
Thanks.
ASKER CERTIFIED SOLUTION
This script will deauthorize the previous IP address before adding the new one.
@setlocal
echo off
set PARTNER=myfriendsnetwork.com
set security_Group=mysecurityg
set PORT=3389
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno
for /F "usebackq tokens=10 " %%a in (`ec2-describe-group %security_Group% ^| find "%PORT%"`) do set DEAUTH_CIDR=%%a
echo DeAuthorizing %DEAUTH_CIDR% ...
ec2-revoke %security_Group% -P tcp -p %PORT% -s %DEAUTH_CIDR%
@endlocal
Just a slight f/d that if you need to allow a single IP then you will need /32 instead of /24.
my bad. saw it yesterday but was in a hurry and forgot to fix it later.
Ideally I would also add error handling and/or logging but I'll leave some work to others :)
btw, whatsmyip.com now embeds the IP in an image, so you need either to use another way or use OCR.
ASKER
shalomc,
Your "authorize" script works perfectly. Thank you for this.
I have a question about your "deauthorize" script. I didn't run it yet. I can't tell what it does and how it determines which IP addresses to deauthorize. The reason I am asking is because the security group that I am working with has several other IP Addresses that have been manually authorized for RDP access, and I don't want to deauthorize these addresses by mistake. Is it possible to make sure that this script deauthorizes all IPs "except" certain IPs?
Thanks!
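The rotation the batch script above performs (find the partner's current CIDR on the RDP port, revoke it, authorize the new /32) together with the asker's concern about not touching the manually added addresses, as an added example that is not code from this thread. It parses a constructed sample in the tab-separated layout of `ec2-describe-group` (the CIDR is the 10th token, as the batch `for /F` relies on), keeps a protected list of CIDRs that are never revoked, forces a /32, and renders the equivalent current AWS CLI calls instead of running them; the group name, addresses and ports are assumed sample values.

```python
import ipaddress

# Constructed sample of `ec2-describe-group` output (tab separated). Addresses
# are RFC 5737 documentation ranges; the group name matches the batch script.
SAMPLE_DESCRIBE = """GROUP\t111122223333\tmysecurityg\tRDP access for partners
PERMISSION\t111122223333\tmysecurityg\tALLOWS\ttcp\t3389\t3389\tFROM\tCIDR\t198.51.100.7/32\tingress
PERMISSION\t111122223333\tmysecurityg\tALLOWS\ttcp\t3389\t3389\tFROM\tCIDR\t203.0.113.40/32\tingress
PERMISSION\t111122223333\tmysecurityg\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t203.0.113.40/32\tingress
"""

def parse_ingress(text):
    """Return (protocol, from_port, to_port, cidr) for every CIDR PERMISSION line."""
    rules = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) >= 10 and f[0] == "PERMISSION" and f[8] == "CIDR":
            rules.append((f[4], int(f[5]), int(f[6]), f[9]))
    return rules

def plan_rotation(rules, new_ip, port, protected, proto="tcp"):
    """Decide which CIDRs to revoke on proto/port and whether the new /32 must be added.

    Any CIDR listed in `protected` (the manually authorized admins) is never revoked.
    ip_network() raises ValueError if `new_ip` is not an address (e.g. an HTML page
    returned by a what-is-my-IP service), so garbage never reaches the security group."""
    new_cidr = str(ipaddress.ip_network(f"{new_ip}/32"))
    keep = {str(ipaddress.ip_network(c)) for c in protected}
    current = {c for p, lo, hi, c in rules if p == proto and lo <= port <= hi}
    revoke = sorted(current - keep - {new_cidr})
    authorize = None if new_cidr in current else new_cidr
    return revoke, authorize

def render_commands(group, port, revoke, authorize, proto="tcp"):
    """Equivalent AWS CLI calls (the ec2-api-tools used in the thread are retired)."""
    base = f"aws ec2 %s --group-name {group} --protocol {proto} --port {port} --cidr %s"
    cmds = [base % ("revoke-security-group-ingress", c) for c in revoke]
    if authorize:
        cmds.append(base % ("authorize-security-group-ingress", authorize))
    return cmds

if __name__ == "__main__":
    rules = parse_ingress(SAMPLE_DESCRIBE)
    # 203.0.113.40 is a manually authorized admin; 198.51.100.7 is the partner's old IP
    revoke, add = plan_rotation(rules, "198.51.100.99", 3389, ["203.0.113.40/32"])
    print("\n".join(render_commands("mysecurityg", 3389, revoke, add)))
```

Running it prints one revoke for the partner's old /32 and one authorize for the new one; the admin's entry and the port 22 rule are untouched.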
SOLUTION
Donate the saved bill to a local charity, or go buy your buddies a round :)
ASKER
shalomc,
This works perfectly! Thank you very much.
Yes, as long as all communication takes place over the Internet Gateway of each VPC and uses the Elastic IP addresses assigned to the instances in each VPC. Please note: security groups cannot span regions. All traffic filtering between instances in one VPC and instances in another VPC must use the Elastic IP addresses as the specified source or destination address.
Q. Can I assign one or more Elastic IP (EIP) addresses to VPC-based Amazon EC2 instances?
Yes, however, the EIP addresses will only be reachable from the Internet (not over the VPN connection). Each Elastic IP address must be associated with a unique private IP address on the instance. EIP addresses should only be used on instances in subnets configured to route their traffic directly to the Internet Gateway. EIPs cannot be used on instances in subnets configured to use a NAT instance to access the Internet.
However, I saw this RightScale Dyn RightScript which, if I understood correctly, is supposed to update the EIP of the EC2 VPC based on the DynDNS hostname. Meaning it is running some client s/w in the EC2 VPC. If that is viable, the firewall should be able to also create some dynamic address object and have it considered in the rule condition for allow or deny. But the challenge is the client needs to subscribe to DynDNS :(
http://www.idevelopment.info/data/AWS/AWS_Tips/AWS_Management/AWS_16.shtml
http://dyn.com/labs/dynamic-dns-integrations/
http://www.rightscale.com/library/right_scripts/DynDNS-com-Host-Update-to-Curr/9602
Not really an EC2 user, but DDNS may be one way, though it also has its own challenges if the user is not having to create that DDNS account...