
My Linux-based EC2 instance has both a public and a private IP. I am hosting two servers on it:

  • S3 server, which will be accessible over both internet/private network and
  • NFS server, which should be accessed only via private IPs/internal network.

I want to open the NFS port in the Security Group but only allow access over the EC2 instance's private IP. I don't think this can be achieved by using only security groups, as when the request reaches the EC2 node, the Internet Gateway has already replaced the public IP with the private IP of the EC2 instance, and the instance is not even aware that there is an extra public IP associated with it.

Instead, what can be done is to choose the sources and selectively allow NFS access only to the VPCs and on-premises network (in case there is VPN connectivity), but that would also mean that every time a new VPC is created or a new VPN endpoint is established, someone has to modify the Security Group to accommodate the new IP addresses.

What I ideally need is a way to apply port- and IP-based rules on the Internet Gateway, which is currently not available/exposed. Looking for alternatives.


1 Answer


The simplest method would be to add an Inbound rule to the Security Group where the Source is the CIDR range of the VPC.

For example, if your VPC is 172.31.0.0/16, then use this as the Source in the security group. It would permit any inbound connection from that IP address range.

  • Yeah, but that would mean I have to add more rules for the on-prem networks if there is VPN connectivity / AWS Direct Connect, and more rules for other VPCs in case there is inter-VPC connectivity. Thanks for the answer anyways! – ashish Aug 24 '22 at 02:34
  • One thing I noticed is that when the request reaches the EC2 node, it is always on the internal IP, as the internet gateway does address translation and replaces the public IP with the private one. What I ideally need is a way to apply port- and IP-based rules on the internet gateway, which is currently not available/exposed by AWS. – ashish Aug 24 '22 at 02:35
  • So if the EC2 instance is hosting both public and private servers, there is no way to limit a port exclusively to either private or public. What AWS suggests is to have two separate EC2 instances for public and private and have them in public/private subnets respectively. But I just don't want to pay for 2 EC2 instances when I can host both servers on a single one. – ashish Aug 24 '22 at 02:39
  • The Security Groups understand the difference between traffic coming from the Internet (via the Internet Gateway) and local traffic. For traffic coming through the Internet Gateway, the Security Group will use the Public IP address as the 'source'. Therefore, my recommendation above will only allow **local traffic** to enter the instance and any traffic from the Internet will be rejected. If you disbelieve me, then I suggest you try it and see what happens! – John Rotenstein Aug 24 '22 at 03:35
  • I understand completely what you are suggesting. This will block anything except from 172.31.xxx.xxx, but that will also block other internal IP addresses like 10.xxx.xxx.xxx. It's not that it will not work but it's just that we will need multiple such entries to completely allow all the combinations of internal addresses. I can probably look at the CIDR classes and only allow the private ones. – ashish Aug 24 '22 at 04:17
  • Correct. Or, put the resource in a **private subnet** (with no Route Table pointing to the Internet Gateway) and it will only be able to communicate within the VPC. Or, remove the Public IP address from the instance. Same result. – John Rotenstein Aug 24 '22 at 04:23
  • Yeah, I mentioned that above in the third comment, the reason I don't want to do that is because I don't want to pay for 2 EC2 instances. – ashish Aug 24 '22 at 04:29
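The point made in the answer and the comments above is that a security group evaluates the source address it actually sees: for traffic arriving through the Internet Gateway that is the client's public IP, so a rule whose Source is the VPC CIDR never matches an internet client, while NFS traffic from inside the VPC still passes. The following is an added illustration, not code from the question or the answer: it models security-group ingress rules as an allow-list and evaluates constructed sample flows against two rule sets, the VPC-CIDR rule from the answer and the broader RFC 1918 rule set the asker considers in the comments for peered VPCs and VPN-connected on-prem networks. The security group ID, the assumption that the S3 server listens on 443, and the sample source addresses are placeholders; the rendered `aws ec2 authorize-security-group-ingress` commands are built as strings only and are not executed.

```python
import ipaddress
from dataclasses import dataclass

NFS_PORT = 2049
S3_PORT = 443  # assumption: the self-hosted S3 server listens on HTTPS


@dataclass(frozen=True)
class IngressRule:
    """One inbound security-group rule: protocol, port range and Source CIDR."""
    protocol: str
    from_port: int
    to_port: int
    source_cidr: str

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        return (self.protocol == protocol
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source_cidr))


def allowed(rules, protocol: str, port: int, src_ip: str) -> bool:
    """Security groups are allow-lists with an implicit deny: any matching rule admits the flow."""
    return any(rule.matches(protocol, port, src_ip) for rule in rules)


# Rule set from the answer: NFS only from the VPC's own CIDR, S3 server open to everyone.
VPC_CIDR = "172.31.0.0/16"
ANSWER_RULES = [
    IngressRule("tcp", S3_PORT, S3_PORT, "0.0.0.0/0"),
    IngressRule("tcp", NFS_PORT, NFS_PORT, VPC_CIDR),
]

# Extension discussed in the comments: admit NFS from all RFC 1918 private ranges,
# which covers peered VPCs and VPN/Direct Connect networks without per-network rules.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PRIVATE_RULES = [IngressRule("tcp", S3_PORT, S3_PORT, "0.0.0.0/0")] + [
    IngressRule("tcp", NFS_PORT, NFS_PORT, cidr) for cidr in RFC1918
]

# Constructed sample flows: (label, source IP as the security group sees it, destination port).
# 203.0.113.0/24 is documentation address space standing in for an internet client.
SAMPLE_FLOWS = [
    ("same-VPC NFS client", "172.31.5.10", NFS_PORT),
    ("peered-VPC NFS client", "10.20.0.7", NFS_PORT),
    ("on-prem NFS client via VPN", "192.168.40.3", NFS_PORT),
    ("internet NFS client via IGW", "203.0.113.9", NFS_PORT),
    ("internet client to S3 server", "203.0.113.9", S3_PORT),
]


def evaluate(rules) -> dict:
    """Map each sample flow label to whether the rule set admits it."""
    return {label: allowed(rules, "tcp", port, ip) for label, ip, port in SAMPLE_FLOWS}


def cli_commands(group_id: str, rules) -> list:
    """Render the equivalent AWS CLI calls as strings (never executed here)."""
    return [
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
        f"--protocol {r.protocol} --port {r.from_port}"
        f"{'' if r.from_port == r.to_port else '-' + str(r.to_port)} --cidr {r.source_cidr}"
        for r in rules
    ]


if __name__ == "__main__":
    for name, rules in (("answer (VPC CIDR only)", ANSWER_RULES), ("RFC 1918 ranges", PRIVATE_RULES)):
        print(f"== {name} ==")
        for label, admitted in evaluate(rules).items():
            print(f"  {label:32s} {'ALLOW' if admitted else 'DENY'}")
        for cmd in cli_commands("sg-PLACEHOLDER", rules):  # placeholder group ID
            print("  " + cmd)
```

Either rule set still rejects NFS from the internet client: its public source address falls in no private range, and no rule ever needs to reason about the instance's own public IP. The RFC 1918 variant trades the per-network maintenance the asker objects to for a wider trust boundary, so it is only appropriate when every network that can reach the VPC over private addressing is one that should be allowed to mount the export.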