3

Currently I have an EC2 instance that is working fine,

and the DNS A record is pointed to my Elastic IP.

Is it risky to point it at the Elastic IP? Or should I point my DNS A record to my load balancer link?

Pablo

1 Answer

3

There is no additional risk putting your instance A record into DNS. If you have a load balancer then you should use that CNAME / Alias record instead, but if you don't already have or need a load balancer then you don't need to create a load balancer just for the sake of hiding your A record.

Personally I use CloudFlare's free plan, so my DNS records point at CloudFlare, which passes traffic on. I whitelist only CloudFlare's IP addresses in my AWS security groups, plus my static home IP.

Everything on the internet is probed by attackers regularly, and IP addresses are public. You need to secure your server appropriately.

Tim
  • 1
    I’ll only add that instances behind a load balancer don’t need a public ip / elastic ip at all (if they are behind nat) and can be accessed through a jump host or, better, using [`ssm-session`](https://aws.nz/projects/ssm-session/). – MLu May 23 '20 at 09:17
  • Good addition, MLu. That is one of the few times I use subnets for tiering in AWS; I tend to use security groups instead of subnets for application tiering most of the time. The SSM that MLu is referring to is [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html). I use it extensively, particularly when I'm creating solutions that are not connected to the internet. Getting the various endpoints and security groups set up and working takes a bit of time, though I automated it with CloudFormation so it's trivial now. – Tim May 23 '20 at 10:04
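
The answer above describes allowing only Cloudflare's IP addresses plus a static home IP in the security group. As an added example (not code from the answer's author), this script audits ingress rules in the shape returned by `aws ec2 describe-security-groups` against such an allowlist. The group ID, the home IP and the three-range Cloudflare list are sample values chosen here; load Cloudflare's full current list in real use.

```python
import ipaddress

# A few of Cloudflare's published IPv4 ranges, used here as sample data only;
# load the full current list from Cloudflare in real use.
CLOUDFLARE_SAMPLE = ["173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13"]
HOME_IP = "203.0.113.25/32"  # constructed placeholder (documentation range)

# Constructed input in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "104.16.0.0/13"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}, {"CidrIp": "198.51.100.0/24"}],
         "Ipv6Ranges": []},
    ],
}


def is_allowed(cidr, allowed_nets):
    """True if cidr lies entirely inside one allowed network of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_nets)


def audit_ingress(group, allowed_cidrs):
    """Return (port_range, cidr) for every ingress source outside the allowlist."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        # Rules with IpProtocol "-1" (all traffic) carry no port fields.
        ports = (perm.get("FromPort", "all"), perm.get("ToPort", "all"))
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not is_allowed(cidr, allowed_nets):
                findings.append((ports, cidr))
    return findings


if __name__ == "__main__":
    for ports, cidr in audit_ingress(SAMPLE_GROUP, CLOUDFLARE_SAMPLE + [HOME_IP]):
        print(f"{SAMPLE_GROUP['GroupId']}: ports {ports} open to {cidr}")
```

The check covers CIDR sources only; rules that reference other security groups or prefix lists need separate review.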