
I've been trying to launch an EC2 instance that has the following requirements:

  1. It needs to be accessible from the internet (i.e. via RDP).
  2. However, from inside the EC2 instance it should not be able to access the internet.

Initially, my thought is that the instance should be launched in a subnet that has its route table entry 0.0.0.0/0 to the IGW removed.

However, when that route table entry was removed, our RDP connection into the EC2 instance fails.

My next try was to remove all outbound rules from the instance's security group. This stops all external internet access for the instance for good; however, the instance is then also no longer able to access anything on the intranet.

Is it possible for an instance to still access resources on the local network, but have no routable access out to the internet?

Thanks all!

wshyang
  • Instead of removing all the outbound rules on the instance's security group and having nothing, add the CIDR range of the VPC for all ports to the security group's outbound rules (or specific ports if you wish to limit it). Remember though that security groups are stateful, so if something from the outside can reach your instance on a specific port, the instance will still respond. Changing the outbound security group rules just means no outbound traffic can be initiated from within the instance. – WarrenG Oct 24 '19 at 20:54
  • Just check this link [EC2 instance with EIP in Public subnet not connecting to Internet](https://stackoverflow.com/questions/59477657/ec2-instance-with-eip-in-public-subnet-not-connecting-to-internet) – Govindarajan Dec 25 '19 at 17:07

1 Answer

It appears that your requirements are:

  • Allow inbound access to the instance (working)
  • Deny outbound access to the Internet (working)
  • Allow access to other resources in the same VPC (not working)

To achieve this, you should:

  • Remove all Outbound rules on the security group
  • Add an Outbound rule that permits All Traffic to the CIDR range of the VPC

So, if the VPC has a CIDR of 10.0.0.0/16, then put this CIDR range in the Outbound security group rule.

John Rotenstein
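The two steps in the answer, modelled offline so the resulting rule set can be checked before it is applied. This is an added example, not code from the original post or from AWS; the VPC CIDR, the security-group ID and the addresses tested are constructed for illustration, and nothing here calls AWS. It builds the `IpPermissions` payload boto3's `authorize_security_group_egress` expects, prints the equivalent AWS CLI commands, and then evaluates the rules the way a security group does: allow-only, and stateful, so an inbound RDP session admitted by the ingress rule still gets its replies even though the instance can no longer initiate anything outside the VPC. Two caveats a practitioner should keep in mind: if the VPC has secondary CIDRs or peered VPCs the instance must reach, each needs its own egress rule; and a deny-all egress network ACL is not a substitute, because NACLs are stateless and would drop the RDP return traffic, for the same reason removing the IGW route did.

```python
"""Added example: model the security-group change from the answer and check
it offline. IDs, CIDRs and addresses are constructed; nothing calls AWS."""
import ipaddress
import json
from typing import Dict, List

# Constructed values (not from the original post).
VPC_CIDR = "10.0.0.0/16"
SG_ID = "sg-0123456789abcdef0"  # hypothetical security-group ID

# Inbound rule the question already relies on: RDP from anywhere. Narrowing
# 0.0.0.0/0 to the CIDRs you actually connect from is strongly advisable.
INGRESS_RULES: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def vpc_only_egress(vpc_cidr: str) -> List[Dict]:
    """IpPermissions payload for ec2.authorize_security_group_egress():
    all protocols (-1) and all ports, destination limited to the VPC CIDR."""
    ipaddress.ip_network(vpc_cidr)  # raises ValueError on a malformed CIDR
    return [{"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": vpc_cidr, "Description": "intra-VPC only"}]}]


def cli_commands(sg_id: str, vpc_cidr: str) -> List[str]:
    """AWS CLI form of the answer's two steps: revoke the default allow-all
    egress rule, then authorize the VPC-scoped one."""
    def perm(cidr: str) -> str:
        payload = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": cidr}]}]
        return "--ip-permissions '" + json.dumps(payload) + "'"
    return [
        f"aws ec2 revoke-security-group-egress --group-id {sg_id} {perm('0.0.0.0/0')}",
        f"aws ec2 authorize-security-group-egress --group-id {sg_id} {perm(vpc_cidr)}",
    ]


def _matches(ip, port: int, proto: str, rule: Dict) -> bool:
    """Does one SG rule cover this address/port/protocol? IpProtocol -1 means
    every protocol and port; otherwise protocol and port range must match."""
    if rule["IpProtocol"] != "-1":
        if rule["IpProtocol"] != proto:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def can_initiate_outbound(dst_ip: str, port: int, proto: str, egress: List[Dict]) -> bool:
    """A NEW connection from the instance is allowed only if some egress rule
    covers it. SG rules are allow-only: no rule, no traffic."""
    ip = ipaddress.ip_address(dst_ip)
    return any(_matches(ip, port, proto, r) for r in egress)


def inbound_session_works(src_ip: str, port: int, proto: str, ingress: List[Dict]) -> bool:
    """Stateful behaviour: if ingress admits the connection, the replies flow
    back regardless of the egress rules, so RDP from the internet keeps
    working after egress is restricted to the VPC CIDR."""
    ip = ipaddress.ip_address(src_ip)
    return any(_matches(ip, port, proto, r) for r in ingress)


if __name__ == "__main__":
    egress = vpc_only_egress(VPC_CIDR)
    for cmd in cli_commands(SG_ID, VPC_CIDR):
        print(cmd)
    print("instance -> 10.0.5.4:445 (intranet):",
          can_initiate_outbound("10.0.5.4", 445, "tcp", egress))
    print("instance -> 8.8.8.8:443 (internet):",
          can_initiate_outbound("8.8.8.8", 443, "tcp", egress))
    print("RDP from 203.0.113.7 still works:",
          inbound_session_works("203.0.113.7", 3389, "tcp", INGRESS_RULES))
```

Note that security groups do not filter the link-local services an instance needs anyway (the instance metadata service, the VPC DNS resolver, DHCP and the Time Sync Service), so the VPC-only egress rule does not break name resolution or IMDS.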