
AWS makes bringing an idea to life, from proof of concept to full-scale marketable solutions, easy with its "Lego block"-like infrastructure components.

A project can go from a single EC2 instance to a few load-balanced web servers, adding S3 storage as needed, then putting it all behind a CDN (CloudFront), and so on, and so on. As needed.

Inevitably though, we get the question:

"What IP should we whitelist?"

A quick Google search will return numerous Stack Exchange questions about adding or mimicking a static IP in front of AWS services.

I understand I'm not the only one questioning this IP obsession.

Whatever the scenario, there is usually a way, but what gets me is that this often gets requested to please one client's IT department. It has nothing to do with improving the product.

(I can accept it when they require an IP address for our servers to interact with their API, for example, but sometimes it seems they just want something to whitelist before they start using a service that is accessible to the general public.)

Often this even hinders future architecture improvements since we can no longer freely add our AWS Lego blocks as needed.

Is it right to give in and find a way to get your static IP address?

Or should one dive into a rant about how 'the cloud' works in the hope of confusing the "IT department" enough that they accept not having an IP address to whitelist? (This has worked before.)

Is there an answer that can get the most "security-aware" operations teams to back away while still being friendly?

davur
  • If they're a good enough customer you could spin up an instance with an elastic IP to use as a proxy. $10 a month for a t2.micro running nginx as a proxy will support a fair bit of traffic. It's not an elegant solution, but it would likely work. – Tim Nov 30 '16 at 05:17
  • Thanks, Tim, there are so many solutions, but this was not meant as a "how do we?" question, but rather a "should we?" – davur Nov 30 '16 at 05:52
  • @Tim, you probably hit the nail on the head with "if they're a good enough customer". A young startup will jump when asked, but do bigger providers even get asked for IP addresses? (Not to mention the Googles, GitHubs, Atlassians, or Microsofts of the world.) – davur Nov 30 '16 at 05:59
  • The "should we" is the type of question that would tend to get closed here on SF. It's a fairly heavily moderated problem/solution site. To answer your question though, sometimes it's best to take the path of least resistance. – Tim Nov 30 '16 at 08:00
  • My apologies if this is soliciting an opinion; I'd be happy to adjust the question. What I'd like is a technical and authoritative response that could convince an old-fashioned IT security team that static IP addresses are a thing of the past. – davur Nov 30 '16 at 23:25
  • How about something like "The technical solution does not use a fixed IP address; it uses a CNAME which refers to a load balancer. The IP address of the server returned by this record can change as often as every five minutes in response to load or failure scenarios. Providing a fixed IP address is possible, at a cost, though it decreases the reliability and scalability of the solution. If you're concerned about security, mutual certificate validation can be implemented, or a VPN can be established to further enhance security." Change according to truth and preference. – Tim Nov 30 '16 at 23:33
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/49401/discussion-between-davur-and-tim). – davur Dec 01 '16 at 00:19

0 Answers
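Tim's "give in" option from the comments, written out as a configuration. This is an added example, not code from the question or from either commenter: a small nginx reverse proxy on an EC2 instance that holds an Elastic IP, forwarding to the load-balanced hostname the product actually lives behind. All hostnames, addresses and file paths are placeholders. The one part that is easy to get wrong is the resolver: the comment above notes that the load balancer's addresses can change every few minutes, and a plain `proxy_pass https://some-elb-hostname;` is resolved once when nginx starts, so the proxy would quietly break the next time the ELB's A records rotate. Using a `resolver` directive together with a variable in `proxy_pass` makes nginx re-resolve per request.

```nginx
# Added example (not from the question or the comments): a minimal nginx.conf for a
# t2.micro-style instance holding an Elastic IP and reverse-proxying to the real,
# load-balanced entry point. Every hostname, address and path below is a placeholder.

events {
    worker_connections 1024;
}

http {
    # The ELB hostname behind the CNAME returns different A records over time, so the
    # proxy must re-resolve it. Without a `resolver`, nginx resolves `proxy_pass` hostnames
    # once at startup and keeps stale addresses until reload. 10.0.0.2 stands for the
    # VPC's built-in resolver (VPC CIDR base + 2); adjust for your VPC.
    resolver 10.0.0.2 valid=30s ipv6=off;
    resolver_timeout 5s;

    server {
        listen 443 ssl;
        server_name api.example.com;          # assumed public name of the service

        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # The fixed IP exists for one client; admit only that client's range here
        # (203.0.113.0/24 is a documentation range standing in for theirs) and keep
        # the public hostname as the path for everyone else.
        allow 203.0.113.0/24;
        deny  all;

        location / {
            # Putting the upstream in a variable makes nginx resolve it per request
            # (honouring `valid=` above) rather than once at config load.
            set $backend "my-app-123456789.us-east-1.elb.amazonaws.com";   # assumed ELB name

            proxy_pass https://$backend;

            # Present the public name to the load balancer, both as SNI and Host,
            # and verify its certificate against the system CA bundle.
            proxy_ssl_server_name on;
            proxy_ssl_name        api.example.com;
            proxy_ssl_verify      on;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # Debian/Ubuntu path
            proxy_set_header Host api.example.com;

            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Validate with `nginx -t` before reloading. The `allow`/`deny` pair keeps the fixed address from becoming a second, unmonitored front door for everyone else, and `proxy_ssl_verify` stops the proxy from trusting whatever answers the re-resolved address. The trade-off is the one Tim already named: this single instance is now a point of failure and a fixed monthly cost that the rest of the architecture did not need, which is the argument to put to the client alongside the mutual-TLS or VPN alternatives.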