
My config is a single EC2 instance. I'm new to AWS and inherited this architecture. We want to create an endpoint that will be accessible only from the office (specific IP).

What is the best way to achieve that?

Is there a VPC / security group rule that will block a certain endpoint regex?

For example:

    allow traffic to */sensative_endpoint/* only from 84.100.*.*
    for all rest of the endpoints - allow from all ips

Thanks.

WebQube

You would typically do this within the web server configuration on the instance. Nginx / Apache are the most common web servers used. – Tim Jul 06 '20 at 07:56

1 Answer


As pointed out in the comments, this is probably best solved on the web server running on the EC2 instance.

If you are looking for a managed solution, you should check AWS WAF (Web Application Firewall). WAF checks every request for the path and a bunch of other parameters and allows you to define block and allow rules based on those request parameters. If you are running just a single EC2 instance, this is however probably overkill.

You cannot solve this just using security groups as those operate at lower OSI layers and don't take the path (to the sensitive endpoint) into account.

Henrik Pingel
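To make the web-server approach from the comments and the answer concrete, here is an added Nginx example (not from the question or the answer) that restricts the sensitive path to the office range while leaving everything else open. It assumes Nginx is the server on the instance, that the application listens locally on port 8080, and that `/sensitive_endpoint/` stands in for the questioner's actual path; `84.100.0.0/16` is the CIDR form of "84.100.*.*".

```nginx
# Added example: per-path source-IP restriction in Nginx.
# Placeholders: server_name, upstream port and the sensitive path.
server {
    listen 80;
    server_name example.com;

    # Only the office range may reach the sensitive path; all other
    # clients get 403. Nginx evaluates allow/deny rules top to bottom
    # and stops at the first match, so "deny all" must come last.
    # The regex location plays the role of the "*/sensitive_endpoint/*"
    # rule from the question.
    location ~ ^/sensitive_endpoint/ {
        allow 84.100.0.0/16;
        deny  all;
        proxy_pass http://127.0.0.1:8080;   # assumed local application
    }

    # Every other endpoint stays reachable from any IP.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Caveat (assumption, since the question describes a bare EC2 instance):
# if a load balancer or CDN is ever placed in front of this server,
# $remote_addr becomes the proxy's address and these allow/deny rules
# would then match the proxy, not the office. In that setup the
# ngx_http_realip_module (set_real_ip_from / real_ip_header) has to be
# configured before the source-IP check means anything.
```

Validate with `nginx -t` before reloading, then confirm from outside the office that the sensitive path returns 403 while the other paths still respond normally.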