
We have a classic load balancer that's configured to allow TCP traffic on port 444. We have a security group configured that allows TCP traffic from 54.244.50.32/27.

If we open up the traffic to the entire internet (0.0.0.0/0), then we can connect fine but as soon as we limit traffic to the device farm's ip range of 54.244.50.32/27, we fail to connect.

We have a VPN and can connect just fine from our local network so the problem seems to be between the device farm and our server.

Anyone know what we are missing?

anber
    That IP 54.244.50.32/27 - is that on the load balancer? Or is that the Device farm IP range? – MLu Sep 25 '18 at 01:53
  • It's the Device farm's IP range. As documented by AWS, the range is between 54.244.50.32 and 54.244.50.63 – anber Sep 25 '18 at 01:58

1 Answer


Couple of things to look at:

  1. Can you verify from the Device Farm that it's really using that IP range? E.g. access https://ifconfig.co from the Device Farm and see what it comes back with.

  2. If the Device Farm and the ELB are in the same VPC you may need to permit access to the ELB from the VPC IP range (e.g. 172.31.0.0/16).

  3. Enable ELB access logs while the access is open to 0.0.0.0/0 and look at the logs from which IPs the devices are connecting.

  4. If none of that works enable VPC Flow Logs and investigate where the traffic is coming from.

Hope some of it helps :)

MLu
    We logged into a device session and checked via http://www.whatsmyip.org/. The IP range seems correct. However, when we open the network, the IP that we are seeing in our logs comes from 54.245.180.239. That's still an AWS IP but it's not even close to the correct IP range we see from the actual devices :( – anber Sep 25 '18 at 03:04
    @anber could there be a reverse proxy or NAT on the way *from* your devices? Or some other middleware in between? CloudFront perhaps? If you were talking from your Device Farm directly to the ELB you would see the D/F IPs. In any case you shouldn't rely on whitelisting IPs, instead use some authentication token or something similar to secure access to your backend API. – MLu Sep 25 '18 at 05:33
  • According to AWS, the machines hosting the devices don't have a fixed IP. Although we have an auth token that secures our back-end services, we don't want to open up the IP range and invite attacks on our testing environment. I'm investigating a way we can dynamically white-list a single machine in our security group via the awscli. – anber Sep 25 '18 at 23:48
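Step 3 of the answer (enable ELB access logs while 0.0.0.0/0 is open and see which client IPs actually arrive) is easy to automate. The script below is an added example, not code from the answer or from AWS: it parses lines in the classic ELB access-log layout (third field is `client:port`), counts hits per client IP, and splits them into those inside the documented Device Farm range 54.244.50.32/27 and those outside it. The log lines are constructed samples, including the 54.245.180.239 address the asker saw.

```python
import ipaddress
from collections import Counter

# Device Farm range quoted in the question (54.244.50.32 - 54.244.50.63).
DEVICE_FARM_CIDR = ipaddress.ip_network("54.244.50.32/27")

# Constructed sample lines in the classic ELB access-log layout
# (timestamp, ELB name, client:port, backend:port, timings, status codes, ...).
# For a TCP listener the request/user-agent fields are dashes. Not real log data.
SAMPLE_LOG = """\
2018-09-25T03:04:00.123456Z df-elb 54.245.180.239:52341 10.0.1.5:444 0.000073 0.001048 0.000057 200 200 0 29 "- - - " "-" - -
2018-09-25T03:04:01.223456Z df-elb 54.244.50.40:41022 10.0.1.5:444 0.000061 0.000932 0.000049 200 200 0 29 "- - - " "-" - -
2018-09-25T03:04:02.323456Z df-elb 54.245.180.239:52342 10.0.1.5:444 0.000070 0.001100 0.000052 200 200 0 29 "- - - " "-" - -
2018-09-25T03:04:03.423456Z df-elb 203.0.113.7:33010 10.0.1.5:444 0.000080 0.001200 0.000060 200 200 0 29 "- - - " "-" - -
"""


def client_ip(line):
    """Return the client IP of one classic ELB access-log line, or None if unparsable."""
    fields = line.split()
    if len(fields) < 4:
        return None
    host = fields[2].rsplit(":", 1)[0]  # strip the ":port" suffix
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify_clients(log_text, allowed=DEVICE_FARM_CIDR):
    """Count hits per client IP, split into inside/outside the allowed CIDR."""
    inside, outside = Counter(), Counter()
    for line in log_text.splitlines():
        ip = client_ip(line)
        if ip is None:
            continue
        bucket = inside if ip in allowed else outside
        bucket[str(ip)] += 1
    return inside, outside


if __name__ == "__main__":
    inside, outside = classify_clients(SAMPLE_LOG)
    print(f"clients inside {DEVICE_FARM_CIDR}: {dict(inside)}")
    # Anything here is what the security group must also permit (or what
    # a NAT/proxy in front of the devices is presenting as the source).
    print(f"clients outside {DEVICE_FARM_CIDR}: {dict(outside)}")
```

Run it against a real access-log file by replacing SAMPLE_LOG with the file's contents; every address reported as outside the range is one the /27 rule alone will never match.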