Using a URL instead of an IP address with Amazon Web Service security groups

Posted on 2013-01-08
Last Modified: 2014-11-12
Is it possible to use a domain name instead of an IP address with Amazon Web Services "Security Groups"?

I have an EC2 instance that I want to allow someone to access via RDP.  I don't allow any traffic to my EC2 instance except from IP addresses that I specifically allow.  The problem is that this person has a dynamic IP address which means that every time the IP address changes, I will need to change my firewall settings.  This person has a domain that resolves to the same IP (i.e. if I ping "myfriendsnetwork.com", this domain resolves to the correct IP address).

I tried entering the domain name instead of the IP address into the exceptions in the firewall, but Amazon does not seem to like it.

I do not want to pay the extra cost for a static IP address (this is very expensive in his country), so I am looking for some way to allow him to RDP into my EC2 instance without opening my firewall to everybody on the planet.

What is the easiest way to accomplish this?  If I could just specify a domain as a firewall exception, it would work, but since the Amazon site does not appear to allow anything but an IP, I don't know what to do.
Question by:jbaird123
21 Comments
 
Expert Comment

by:btan
ID: 38758613
Doesn't seem viable to have a security group entry as a domain DNS hostname type ...

Q. Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?
Yes, as long as all communication takes place over the Internet Gateway of each VPC and uses the Elastic IP addresses assigned to the instances in each VPC. Please note: security groups cannot span regions. All traffic filtering between instances in one VPC and instances in another VPC must use the Elastic IP addresses as the specified source or destination address.

Q. Can I assign one or more Elastic IP (EIP) addresses to VPC-based Amazon EC2 instances?
Yes, however, the EIP addresses will only be reachable from the Internet (not over the VPN connection). Each Elastic IP address must be associated with a unique private IP address on the instance. EIP addresses should only be used on instances in subnets configured to route their traffic directly to the Internet Gateway. EIPs cannot be used on instances in subnets configured to use a NAT instance to access the Internet.

However, I saw this RightScale Dyn RightScript which, if I understood correctly, is supposed to update the EIP of the EC2 VPC based on the DynDNS hostname. Meaning it is running some client s/w in the EC2 VPC. If that is viable, the firewall should be able to also create some dynamic address object and have it considered in the rule condition for allow or deny. But the challenge is the client needs to subscribe to the DynDNS :(

http://www.idevelopment.info/data/AWS/AWS_Tips/AWS_Management/AWS_16.shtml
http://dyn.com/labs/dynamic-dns-integrations/
http://www.rightscale.com/library/right_scripts/DynDNS-com-Host-Update-to-Curr/9602

Not really an EC2 user, but DDNS may be one way; it also has its own challenges if the user does not want to create that DDNS account...

Author Comment

by:jbaird123
ID: 38758699
Hi breadtan,

Thanks for the information.  I should have specified that I really know very little about firewalls, so most of that information is over my head.  I know enough to configure a basic Linksys router for my home network and that is about all.

In reviewing the articles you sent, it looks like most of the information is related to configuring a machine with a dynamic IP so other computers can connect to it as if it had a static IP.  This is not what I need.  I need to be able to configure my AWS firewall so it will allow traffic from one particular computer regardless if the IP for that computer changes.  The IP for the client computer changes because he has a dynamic IP assigned by his ISP.

I should also add that the AWS firewall is a physically separate device from both computers - the client and the server.  It looks like the articles you posted are more related to configuring the server as a solution to my problem, but this won't work because the firewall is in between the server and the Internet.
Expert Comment

by:btan
ID: 38758871
Noted, the whole idea is to have your EC2 able to change its EIP dynamically. The firewall will allow the hostname instead of the IP address. If we cannot even do it on the EC2 server instance, the firewall configuration is not relevant then... but when you mentioned the AWS firewall, will you be able to share more on that vendor and brand model so I can do a bit more research :)
Author Comment

by:jbaird123
ID: 38758953
breadtan,

The EC2 IP will not change.  This machine has a static IP, and this machine is behind the firewall.  The PC with a dynamic IP is outside the firewall.

I don't know what kind of firewall AWS has.  They just give me a web-based interface to allow me to configure it, but I don't think it is a physical machine like you are thinking.  See the attached image.  This is the only interface I have that allows me to specify which IPs I want to allow.
[attached image: Capture.PNG]
Expert Comment

by:noci
ID: 38759469
In the general case, firewalls only work on IP traffic, so only IP addresses.
If names are mentioned they get translated to IP addresses before being deployed for actual use.
Author Comment

by:jbaird123
ID: 38759599
noci:

I tried doing that because the URL resolves to the IP address I want.  The issue is that Amazon won't let me save that URL.
Expert Comment

by:noci
ID: 38759706
As I said, firewalls only manage IP traffic, based on IP addresses, so no names are used in the operation.

As for URLs: they don't look like hostnames; URLs have a lot more cruft added.
When hostnames are used, AFAICT all firewall implementations only use a built-in resolution database. DNS is never involved.
Assisted Solution

by:shalomc
ID: 38762597
The ec2-authorize and ec2-revoke commands are used to add and remove IP addresses from a security group.

If your person subscribes to a dynamic dns, then it is possible for a script to query the current IP address via the nslookup command.

When the current IP address is known, the script should issue the ec2-authorize command. If possible, it should also issue the ec2-revoke command to delete the old IP from the security group.

Unfortunately I do not have a ready script, but I will try to whip something up over the weekend (unless someone beats me to it )

About security groups
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#APIandCLI

Command line reference
http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-AuthorizeSecurityGroupIngress.html
Expert Comment

by:btan
ID: 38762770
Thanks for clarifying on the AWS FW part, seems like not possible then (on other firewalls this is easily accomplished).

From the security group settings, the possibility for inbound checks also states that you can control access either from named security groups or from a source IP address range. You can specify the protocol (TCP, UDP, or ICMP) and individual ports or a port range to open. If avoiding the hassle of programming and going for a range, this may be a quick workaround but not neat, e.g. 1.2.3.4/24 (1.2.3.4/32 for a single IP). Security groups use CIDR-based notation.

Below has a useful description of the steps and scenario - the IP address is the limit and it seems programmatic is the only way out for the EC2 instance (with adding a running dynamic DNS client that gets the new IP and changes the security group's allowed IP address)

>About EC2 Security Groups *see ("Access Permissions")

http://support.rightscale.com/12-Guides/Dashboard_Users_Guide/Clouds/AWS_Region/EC2_Security_Groups/Concepts/About_EC2_Security_Groups

>Create a New EC2 Security Group * see ("Add IP-Address-Based Permissions") & ("Add Group-Based Permissions")

http://support.rightscale.com/12-Guides/Dashboard_Users_Guide/Clouds/AWS_Region/EC2_Security_Groups/Actions/Create_a_New_Security_Group


https://jimliddle.sys-con.com/node/1109655/mobile
Expert Comment

by:btan
ID: 38762791
Also saw an EC2 forum thread asking for this

https://forums.aws.amazon.com/thread.jspa?messageID=147747&#147747

Extracted below

3) Write a little script (or do it manually, but it's more useful if it's automated) to check your public IP address. Then you (or the script) should request to EC2 to update the security group allowing access from that IP address.

Here is a short script that relies on the EC2 API tools to perform this for you:

#!/bin/bash
# Runs on the client whose address changes; needs the EC2 API tools on PATH
# and AWS_ACCESS_KEY / AWS_SECRET_KEY set in the environment.
MY_GROUP=webserver
# The lookup service must return the bare address as text (some now return a page or an image).
MY_IP=$(curl -s http://whatismyip.org/)
[ -n "$MY_IP" ] || { echo "could not determine public IP" >&2; exit 1; }
# /32 authorizes only this host; the /24 originally posted would open 256 addresses.
ec2-authorize "$MY_GROUP" -P tcp -p 80 -s "$MY_IP/32"
Expert Comment

by:shalomc
ID: 38767748
The script will eventually be a bit different, if only because this one has to be executed on the PC of the support person, and the PC/user running the script must be authorized to modify the security group.

If you are willing to let this person modify the security group, then it is possible to create an IAM profile and limit the authorization to just this action.
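The IAM restriction mentioned in the comment above, as an added Python example that is not part of the thread: it generates the policy that limits the access key kept on the partner's PC to listing security groups and adding or removing ingress rules on one group, plus a check that no statement hands out those edit actions on every resource. The region, account ID and group ID in the example ARN are placeholders.

```python
"""Least-privilege IAM policy for the partner's security-group update script.

Added example, not code from the thread. DescribeSecurityGroups (what
ec2-describe-group calls) takes no resource-level permissions, so its
Resource must be "*"; the authorize/revoke calls do, so they are pinned to
the single group's ARN. The ARN used in __main__ is a placeholder.
"""
import json

EDIT_ACTIONS = ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"]


def update_script_policy(group_arn):
    """Return an IAM policy document scoped to rule edits on one security group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadGroups", "Effect": "Allow",
             "Action": "ec2:DescribeSecurityGroups", "Resource": "*"},
            {"Sid": "EditOneGroup", "Effect": "Allow",
             "Action": list(EDIT_ACTIONS), "Resource": group_arn},
        ],
    }


def edit_actions_are_pinned(policy):
    """True if no Allow statement grants an edit action (or a wildcard) on every resource.

    A quick check to run over any policy handed to a script that lives on a
    machine you do not control.
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        grants_edit = any(a in EDIT_ACTIONS or a in ("ec2:*", "*") for a in actions)
        if stmt["Effect"] == "Allow" and grants_edit and "*" in resources:
            return False
    return True


if __name__ == "__main__":
    # Placeholder ARN: replace region, account ID and group ID with your own.
    arn = "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"
    policy = update_script_policy(arn)
    assert edit_actions_are_pinned(policy)
    print(json.dumps(policy, indent=2))
```

Attach the printed document to a dedicated IAM user, and hand the partner only that user's access key; the key in the batch scripts then cannot touch anything beyond this one group's rules.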

Author Comment

by:jbaird123
ID: 38768205
shalomc,

Did you attach a script?  I didn't see one....

Thanks.
Accepted Solution

by:shalomc
ID: 38771296
try this to start with:
@echo off
setlocal
REM Partner's dynamic-DNS hostname, the group to edit and the port to open
set PARTNER=myfriendsnetwork.com
set security_Group=mysecurityg
set PORT=3389
REM The EC2 API tools read the key from these variables; replace the placeholders
REM (use a key from an IAM user limited to this group, not the account's main key)
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno

REM Resolve the name: the "Pinging host [1.2.3.4] ..." line, split on [ ] and space, has the IP as token 3
for /F "usebackq tokens=3 delims=[] " %%a in (`ping -n 1 %PARTNER% ^| find "Pinging"`) do set IP=%%a
if not defined IP (
    echo Could not resolve %PARTNER%
    exit /b 1
)

echo Authorizing %IP% ...
REM /32 means this one host; /24 would open the whole surrounding range
ec2-authorize %security_Group% -P tcp -p %PORT% -s %IP%/32
endlocal

Expert Comment

by:shalomc
ID: 38771480
this script will deauthorize the previous IP address before adding the new one.

@echo off
setlocal
set security_Group=mysecurityg
set PORT=3389
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno

REM ec2-describe-group prints one PERMISSION line per rule; the source CIDR is token 10.
REM The loop keeps the last matching line, so this expects a single rule on the port.
for /F "usebackq tokens=10" %%a in (`ec2-describe-group %security_Group% ^| find "PERMISSION" ^| find "%PORT%"`) do set DEAUTH_CIDR=%%a
if not defined DEAUTH_CIDR (
    echo No rule on port %PORT% to deauthorize
    exit /b 0
)

echo DeAuthorizing %DEAUTH_CIDR% ...
ec2-revoke %security_Group% -P tcp -p %PORT% -s %DEAUTH_CIDR%
endlocal

Expert Comment

by:btan
ID: 38771721
Just a slight f/d: if you need to allow a single IP then you will need /32 instead of /24.
Expert Comment

by:shalomc
ID: 38773942
my bad. saw it yesterday but was in a hurry and forgot to fix it later.

Ideally I would also add error handling and/or logging but I'll leave some work to others :)
Expert Comment

by:shalomc
ID: 38773950
btw, whatsmyip.com now embeds the IP in an image, so you need either to use another way or use OCR.
Author Comment

by:jbaird123
ID: 38774390
shalomc,

Your "authorize" script works perfectly. Thank you for this.

I have a question about your "deauthorize" script.  I didn't run it yet.  I can't tell what it does and how it determines which IP addresses to deauthorize.  The reason I am asking is because the security group that I am working with has several other IP Addresses that have been manually authorized for RDP access, and I don't want to deauthorize these addresses by mistake.  Is it possible to make sure that this script deauthorizes all IPs "except" certain IPs?

Thanks!
Assisted Solution

by:shalomc
ID: 38778776
try this

@echo off
setlocal EnableExtensions EnableDelayedExpansion

set security_Group=mysecurityg
set PORT=3389
set AWS_ACCESS_KEY=xyz
set AWS_SECRET_KEY=mno

REM Walk every rule on the port (source CIDR is token 10 of each PERMISSION line)
REM and revoke all but the CIDRs flagged below
for /F "usebackq tokens=10" %%a in (`ec2-describe-group %security_Group% ^| find "PERMISSION" ^| find "%PORT%"`)  do (
        echo found %%a
        set FLAG=
        IF "%%a"=="1.1.1.1/32" set FLAG=1
        IF "%%a"=="2.2.2.2/32" set FLAG=1
        REM add one IF line per additional CIDR to keep
        IF defined FLAG (
                        echo Keeping %%a ...
        ) else (
                        echo DeAuthorizing %%a ...
                        ec2-revoke %security_Group% -P tcp -p %PORT% -s %%a
        )
)

endlocal

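The logic of the three batch scripts in this thread (resolve the partner's dynamic-DNS name, leave the manually added rules alone, revoke every other rule on the RDP port, authorize the partner's current address as a /32), as an added Python example that is not part of the thread: the decision is written as pure functions that can be checked offline and ends with the ec2-authorize / ec2-revoke commands to run. The hostname, group name, keep-list, resolved address and the ec2-describe-group sample text are constructed for the example; the resolver is injected so the block runs without network, and dropping that argument uses real DNS.

```python
"""Plan the security-group change for a partner whose IP address changes.

Added example, not code from the thread. PARTNER, SECURITY_GROUP, KEEP, the
resolved address in __main__ and SAMPLE_DESCRIBE are constructed values.
"""
import ipaddress
import socket

PARTNER = "myfriendsnetwork.com"            # assumed partner hostname
SECURITY_GROUP = "mysecurityg"              # assumed group name
PORT = 3389                                 # RDP
KEEP = {"1.1.1.1/32", "2.2.2.2/32"}         # manually authorized rules to leave alone

# Constructed sample of `ec2-describe-group mysecurityg` output: tab-separated
# PERMISSION lines, one per rule, with the source CIDR in the tenth field.
SAMPLE_DESCRIBE = (
    "GROUP\t123456789012\tmysecurityg\tRDP access\n"
    "PERMISSION\t123456789012\tmysecurityg\tALLOWS\ttcp\t3389\t3389\tFROM\tCIDR\t1.1.1.1/32\tingress\n"
    "PERMISSION\t123456789012\tmysecurityg\tALLOWS\ttcp\t3389\t3389\tFROM\tCIDR\t2.2.2.2/32\tingress\n"
    "PERMISSION\t123456789012\tmysecurityg\tALLOWS\ttcp\t3389\t3389\tFROM\tCIDR\t203.0.113.7/32\tingress\n"
    "PERMISSION\t123456789012\tmysecurityg\tALLOWS\ttcp\t80\t80\tFROM\tCIDR\t0.0.0.0/0\tingress\n"
)


def current_rules(describe_output, port):
    """CIDRs currently allowed for tcp/<port>, read from ec2-describe-group output.

    The batch scripts grep for the port digits anywhere on the line, which
    would also hit an account ID or another port containing them; this
    compares the protocol and from/to port fields exactly.
    """
    cidrs = set()
    for line in describe_output.splitlines():
        f = line.split("\t")
        if len(f) < 10 or f[0] != "PERMISSION":
            continue
        proto, from_port, to_port, kind, source = f[4], f[5], f[6], f[8], f[9]
        if proto == "tcp" and from_port == to_port == str(port) and kind == "CIDR":
            cidrs.add(source)
    return cidrs


def resolve(hostname, resolver=socket.gethostbyname):
    """Resolve the partner's name to a single-host CIDR; an IPv6 answer raises."""
    return f"{ipaddress.IPv4Address(resolver(hostname))}/32"


def overbroad(cidrs):
    """CIDRs wider than one host (the /24-instead-of-/32 slip from the thread)."""
    return sorted(c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen < 32)


def plan(existing, partner_cidr, keep):
    """Return (cidrs to revoke, whether to authorize partner_cidr).

    Anything on the port that is neither kept nor the partner's current address
    is stale; the partner is authorized only if absent, since ec2-authorize
    fails on a duplicate rule.
    """
    revoke = sorted(c for c in existing if c not in keep and c != partner_cidr)
    return revoke, partner_cidr not in existing


def commands(group, port, revoke, authorize_cidr=None):
    """EC2 API tools commands, revokes first so stale rules never outlive the run."""
    cmds = [f"ec2-revoke {group} -P tcp -p {port} -s {c}" for c in revoke]
    if authorize_cidr:
        cmds.append(f"ec2-authorize {group} -P tcp -p {port} -s {authorize_cidr}")
    return cmds


if __name__ == "__main__":
    # Constructed DNS answer so the example runs offline; drop resolver= for real DNS.
    partner = resolve(PARTNER, resolver=lambda _name: "198.51.100.23")
    existing = current_rules(SAMPLE_DESCRIBE, PORT)
    if overbroad(existing | KEEP):
        print("warning: rules wider than /32:", overbroad(existing | KEEP))
    revoke, do_auth = plan(existing, partner, KEEP)
    for cmd in commands(SECURITY_GROUP, PORT, revoke, partner if do_auth else None):
        print(cmd)
```

With the sample data this prints one ec2-revoke for the stale 203.0.113.7/32 and one ec2-authorize for 198.51.100.23/32, leaving the two keep-list entries and the unrelated port 80 rule untouched; feeding the real ec2-describe-group output in place of SAMPLE_DESCRIBE gives the same two-step change the batch scripts perform.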
Expert Comment

by:shalomc
ID: 38778781
Donate the saved bill to a local charity, or go buy your buddies a round :)
Author Closing Comment

by:jbaird123
ID: 38778984
shalomc,

This works perfectly!  Thank you very much.