AWS CLI to restrict inbound connections from a dynamic IP - security

My internet provider doesn't offer a static IP, so I have to connect to my AWS instances from a dynamic IP. That means that my VPC security group in AWS has an SSH port that can be accessed from every IP (source: 0.0.0.0/0), obviously only if you have the key.
I would like to restrict this rule, and I was thinking of writing a CLI script that revokes this 0.0.0.0/0 rule and creates a new inbound rule for my (dynamic) IP.
Is it possible? Is it a good idea?

You could connect through a VPN, then SSH from inside the VPN.
Set up a software VPN (OpenVPN, Openswan) on an existing instance and open just that port to the outside world. Once set up, it would essentially be free if you run it on an instance that you would normally run anyway. This involves a little more setup, but it's not too hard.
Previously I suggested the Amazon VPC VPN, but that requires a static IP, so that will not work.
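As an added example (not part of the question or the answer above), this is the script the question proposes: it swaps the world-open SSH rule for one scoped to the caller's current public address. Everything about the target is assumed: the security group id and the CIDR being replaced are passed in by the caller, the rule is TCP/22, and the public address is read from checkip.amazonaws.com. Only documented AWS CLI subcommands are used.

```shell
#!/bin/sh
# Added example: rotate a security group's SSH ingress rule to the caller's
# current /32. Assumed (not from the thread): SG_ID, OLD_CIDR, port 22.
set -eu

AWS="${AWS:-aws}"          # set AWS=echo to dry-run the CLI calls
SSH_PORT="${SSH_PORT:-22}"

# Accept only a dotted-quad IPv4 address with octets 0-255. Rejects IPv6
# addresses and any HTML a lookup service might return on error.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Single-host CIDR for an address; anything broader is never authorized.
host_cidr() {
  is_ipv4 "$1" || return 1
  printf '%s/32\n' "$1"
}

# Current public IPv4 address, from the AWS-run checkip service.
current_ip() {
  ip=$(curl -fsS https://checkip.amazonaws.com | tr -d '[:space:]')
  is_ipv4 "$ip" || { echo "unexpected reply from checkip: $ip" >&2; return 1; }
  printf '%s\n' "$ip"
}

# Authorize the new /32 first, then revoke the old rule, so a failed call
# leaves the old access in place instead of locking the caller out.
rotate_ssh_rule() {
  sg=$1; old=$2; new=$3
  case "$new" in
    */32) ;;
    *) echo "refusing to authorize $new: only a /32 is allowed" >&2; return 1 ;;
  esac
  if [ "$old" = "$new" ]; then
    echo "rule for $new is already current"; return 0
  fi
  "$AWS" ec2 authorize-security-group-ingress --group-id "$sg" \
    --protocol tcp --port "$SSH_PORT" --cidr "$new"
  "$AWS" ec2 revoke-security-group-ingress --group-id "$sg" \
    --protocol tcp --port "$SSH_PORT" --cidr "$old"
}

# Run as: SG_ID=sg-0123456789abcdef0 OLD_CIDR=0.0.0.0/0 sh rotate-ssh-rule.sh
# On later runs OLD_CIDR is the /32 that the previous run authorized.
if [ -n "${SG_ID:-}" ]; then
  rotate_ssh_rule "$SG_ID" "${OLD_CIDR:-0.0.0.0/0}" "$(host_cidr "$(current_ip)")"
fi
```

The /32 check is the part worth keeping even if you rewrite the rest: a lookup service that returns an error page, or a script bug that passes an empty string, must never end with a rule broader than one host. Because the old rule is revoked only after the new one is in place, the worst case of a partial failure is two narrow rules, not a locked-out account or a world-open port.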

Related

AKS + firewall: how to route egress traffic via multiple IP addresses

My basic problem is to run multiple containers that make HTTP requests to a test server. I need the source IP registered by the test server to be different for the requests made by each container. I am using Azure AKS.
So far I have followed the documentation at:
https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic#restrict-egress-traffic-using-azure-firewall
The above works fine. I need to run another container with a different IP address. For that I added a new IP address to the firewall, a new Kubernetes service, and new NAT rules connecting them. That didn't work: the source IP registered by the test server is the same firewall IP.
The documentation also states that:
"If needed, you can generalize the steps above to forward the traffic to your preferred egress solution, following the Outbound Type userDefinedRoute documentation."
For that, I created a cluster with vm-set-type VirtualMachineScaleSets and load-balancer-sku Standard, tried the above steps, and it didn't work. I also created a new route in the route table connecting the internet to the new public IP... nothing.
I am out of ideas. I don't know if I messed something up. Anyway, any idea is welcome. Thanks in advance.

Azure SSH connection from home

I want to connect to a VM in the Azure cloud from home, i.e. without a fixed IP. I have added the two security rules, for the network interface and the NSG respectively, to accept inbound connections on SSH port 22 from the IPv4 address given by showip.net. This doesn't work and I get a connection timeout; I tried the IPv6 address as well. If I do the very same thing for another server (outside Azure), the very same procedure works. The native IP addresses of both my home computer and the virtual machine I use as an alternative are IPv6.
So the question is: does my connection from home fail because some sort of reverse lookup is failing, or what could the other causes be?
Thanks!
It sounds like the most likely issue is some weird NATing by your ISP; especially when IPv6 comes into play, it can often be a bit hard to find the actual external IP address that your requests are coming from. You can try different sites like whatsmyip.com etc. to see if you find another one that you can add.
Apart from that, there are various things you could try:
Use SSH from the Azure Cloud Shell (https://shell.azure.com)
Use Azure Bastion to have a jump host in the same VNET
Use a point-to-site VPN from your PC into your VNET

Load balancers, public IPs and availability sets in Microsoft Azure

I have a quick question regarding deploying a configuration in ARM mode.
I want to have two app servers behind a load balancer, with a database server on the same subnet.
Creating the load-balancer and rules for this seems to be working fine, but I have an issue with trying to access my database server via SSH.
I originally wanted to set up SSH access to my database server by setting up an inbound NAT rule to forward a port from my database server to the load balancer. This would allow me SSH access to my database via my DNS name and a specific port.
However, it seems you cannot forward a port to a load balancer outside of the machine's availability set.
I don't want to have my database server in the same availability set as my app servers, as you should have an availability set per tier.
But I don't particularly want to give my database server a full public IP address and DNS name either, as it shouldn't really be accessible outside its own subnet.
If I have an availability set per tier, does that mean I also must have a public IP address per tier to allow for SSH access to each machine?
What is the recommended way to set up a configuration like this, with SSH access to each machine spread across availability sets?

Building AWS Infrastructure - Security Questions

I am building a cloud infrastructure on AWS.
I have some backend applications (like database servers) and other front end apps (like webservers) that need incoming/outgoing traffic.
I also have some devops/dev apps like Jenkins and Airflow (a workflow management tool that has a web UI) that I need to protect. Some of these apps, like Airflow, don't have a security mechanism (for example login/password), and I still need to access them on port 80 from the Internet.
I was thinking of setting up an AWS VPC with a private subnet and a public subnet. In the public subnet I will put the front end apps, and in the private subnet I will put the backend services (like databases).
For the backend services, I need a way for my dev team to connect, for example, to a MySQL database (port 3306).
What is the correct way to do this?
Do I need to expose port 3306?
Do I need a NAT or a bastion host? What is the difference between them?
If I set up a NAT/bastion host, it will do port forwarding, right? If I have two instances of a MySQL database, how can I connect to each of them using the bastion? Do I need to allocate different ports on the bastion and forward them?
For the devops/dev apps:
Which subnet do I choose?
If I put them in the private subnet, how can my team access them on port 80?
Do I need an intranet/VPC for these applications?
These are all quite common problems people are faced with on AWS. You have lots of options.
You could put all of your backend and devops services in the private subnet. You then have a number of choices for connecting to them securely.
Option 1
Use Security Groups to limit access to these nodes. You can use Security groups to only allow specific IP addresses to connect to your resources.
Option 2
Use a bastion host.
Referring to your question "What is the difference NAT and bastion host?".
NAT simply allows instances inside a private subnet to connect to the internet by routing all their traffic through the NAT instance. The NAT instance then directs the return traffic from the internet back to the correct nodes in the private subnet. NAT alone does not allow you to connect to instances inside your private subnet from the outside; you'd need to combine it with port address translation to achieve this.
A bastion host is an instance that you place in a public subnet of your VPC. You can therefore connect to it from the internet. Once you're connected to your bastion host, you can connect to any other instance inside your VPC using its private IP. Once you ensure maximum security for your bastion host, you're in business.
As a result, you could use a bastion host to connect to all those special nodes in your private subnet.
Option 3
Set up a VPN connection to your VPC using the built-in functionality of VPC, or set up a VPN instance with something like Openswan running on it.
VPN connections are extremely secure but can often be a tad temperamental (personal opinion from personal experience).
So, you have lots of choices. I'd recommend doing a few more google searches and digging deeper into the AWS docs as these are all commonly asked questions!
Good luck! :)
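An added example, not part of the question or the answer above, of Option 2 wired together for the layout the question describes: a bastion in the public subnet, two MySQL instances in the private subnet. It also answers the "different ports on the bastion?" sub-question: each database keeps port 3306, and only the local end of each SSH forward differs. All identifiers are placeholders (security group ids, the admin CIDR, the bastion's user and host, the private IPs); the AWS CLI subcommands and OpenSSH options are the documented ones.

```shell
#!/bin/sh
# Added example: bastion + security-group wiring for a private-subnet database
# tier. Placeholders, not from the thread: sg ids, admin CIDR, private IPs.
set -eu

AWS="${AWS:-aws}"     # set AWS=echo to dry-run the CLI calls
SSH="${SSH:-ssh}"
DB_PORT=3306
FIRST_LOCAL_PORT=13306

# Allow TCP/$2 into security group $1 from a CIDR (the admins' addresses only).
allow_from_cidr() {
  "$AWS" ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol tcp --port "$2" --cidr "$3"
}

# Allow TCP/$2 into security group $1 from members of another security group.
# Referencing the group rather than an IP means new bastion or app instances
# inherit the access and nothing outside the VPC can ever match the rule.
allow_from_sg() {
  "$AWS" ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol tcp --port "$2" --source-group "$3"
}

# Wire the tiers: admins -> bastion:22, bastion -> db:3306, app -> db:3306.
# The database group never gets a 0.0.0.0/0 rule and needs no public IP.
wire_bastion() {
  bastion_sg=$1; app_sg=$2; db_sg=$3; admin_cidr=$4
  allow_from_cidr "$bastion_sg" 22 "$admin_cidr"
  allow_from_sg "$db_sg" "$DB_PORT" "$bastion_sg"
  allow_from_sg "$db_sg" "$DB_PORT" "$app_sg"
}

# Build the -L forwards for one SSH session: every database stays on 3306 and
# only the local port differs, so the bastion itself needs no extra ports.
# tunnel_args 10.0.2.15 10.0.2.16 -> "-L 13306:10.0.2.15:3306 -L 13307:10.0.2.16:3306"
tunnel_args() {
  port=$FIRST_LOCAL_PORT; args=
  for ip in "$@"; do
    args="$args${args:+ }-L $port:$ip:$DB_PORT"
    port=$((port + 1))
  done
  printf '%s\n' "$args"
}

# Open the tunnels (-N: no remote shell). Then connect locally with
#   mysql -h 127.0.0.1 -P 13306   (first database)
#   mysql -h 127.0.0.1 -P 13307   (second database)
open_tunnels() {
  bastion=$1; shift
  # word splitting of the -L list is intended
  "$SSH" -N $(tunnel_args "$@") "$bastion"
}

# Example run, only when the caller supplies the placeholders:
#   BASTION_SG=sg-aaa APP_SG=sg-bbb DB_SG=sg-ccc ADMIN_CIDR=203.0.113.0/24 sh bastion.sh
if [ -n "${BASTION_SG:-}" ]; then
  wire_bastion "$BASTION_SG" "$APP_SG" "$DB_SG" "$ADMIN_CIDR"
fi
```

The point to check after applying this: the database group should contain only source-group rules (bastion and app tiers), no CIDR rules at all, and the bastion group only the admin CIDR on port 22. The admin CIDR is the one rule that still names an IP range, which is exactly the rule the first question on this page is trying to keep narrow.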

AWS, Node.js - Connecting app to MongoDB on another EC2 instance

I am trying to connect my app, running on one EC2 instance, to MongoDB, running on another EC2 instance. I'm pretty sure the problem is in the security settings, but I'm not quite sure how to handle that.
First off, my app's instance is in an autoscaling group that sits behind an ELB. The inbound security settings for the instance and ELB allow access to port 80 from anywhere, as well as all traffic from its own security group.
The EC2 instance that runs Mongo is able to take connections if the security group for that instance accepts all inbound traffic from anywhere. Any other configuration that I've tried causes the app to say that it cannot make a connection with the remote address. I've set rules to accept inbound traffic from all security groups that I have, but it only seems to work when I allow all traffic from anywhere.
Also, my DB instance is set up with an Elastic IP. Should I have this instance behind an ELB as well?
So my questions are these:
1) How can I securely make connections to my EC2 instance running mongo?
2) In terms of architecture, does it make sense to run my database this way, or should I have this behind a load balancer as well?
This issue is tripping me up a lot more than I thought it would, so any help would be appreciated.
NOTE
I have also set the bind_ip=0.0.0.0 in /etc/mongo.conf
Your issue is that you are using the public Elastic IP to connect to your database server from your other servers. This means that the connection goes out to the internet and back into your VPC, which presents the following issues:
Security issues due to the data transmission not being contained within your VPC
Network latency issues
Your database server's security group can't identify the security group of the inbound connections
Get rid of the elastic IP on the MongoDB server, there is no need for it unless you plan to connect to it from outside your VPC. Modify your servers to use the private internal IP address assigned to your database server when creating connections to it. Finally, lock your security group back down to only allow access to the DB from your other security group(s).
Optional: Create a private hosted zone in Route53, with an A record pointing to your database server's private IP address, then use that hostname instead of the internal IP address.
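The answer's four steps, as an added example that is not part of the thread: point the app at the private address (and refuse a public one), replace the "anywhere" rule on the database group with a source-group rule for the app tier, and optionally publish the private address under a name in a Route53 private hosted zone. The security group ids, the zone id, the record name and the private IP are placeholders; the AWS CLI subcommands are the documented ones.

```shell
#!/bin/sh
# Added example: move a MongoDB connection off the Elastic IP and lock the
# database security group to the app tier. Placeholders, not from the thread:
# sg ids, hosted zone id, record name, private IP.
set -eu

AWS="${AWS:-aws}"     # set AWS=echo to dry-run the CLI calls
MONGO_PORT=27017

# True for RFC 1918 addresses (dotted-quad input assumed). Traffic to these
# stays inside the VPC, so the database group can match the app group.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      return 1 ;;
  esac
  return 1
}

# Connection URI for the app. A public or Elastic IP is refused: that traffic
# leaves the VPC and the source-group rule below would never match it.
mongo_uri() {
  host=$1
  is_private_ipv4 "$host" || { echo "refusing public address $host" >&2; return 1; }
  printf 'mongodb://%s:%s/\n' "$host" "$MONGO_PORT"
}

# Authorize the app tier first, then revoke the world rule, so the app never
# loses access during the swap.
lock_down_db_sg() {
  db_sg=$1; app_sg=$2
  "$AWS" ec2 authorize-security-group-ingress --group-id "$db_sg" \
    --protocol tcp --port "$MONGO_PORT" --source-group "$app_sg"
  "$AWS" ec2 revoke-security-group-ingress --group-id "$db_sg" \
    --protocol tcp --port "$MONGO_PORT" --cidr 0.0.0.0/0
}

# Change batch for the optional private hosted zone record: an A record that
# resolves to the private IP, so the app can use a stable name instead.
private_record_batch() {
  name=$1; ip=$2
  is_private_ipv4 "$ip" || return 1
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":60,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$name" "$ip"
}

upsert_private_record() {
  zone=$1; name=$2; ip=$3
  "$AWS" route53 change-resource-record-sets --hosted-zone-id "$zone" \
    --change-batch "$(private_record_batch "$name" "$ip")"
}

# Example run, only when the caller supplies the placeholders:
#   DB_SG=sg-ccc APP_SG=sg-bbb ZONE_ID=Z0000000 DB_IP=10.0.2.15 sh mongo-private.sh
if [ -n "${DB_SG:-}" ]; then
  lock_down_db_sg "$DB_SG" "$APP_SG"
  upsert_private_record "$ZONE_ID" "mongo.db.internal." "$DB_IP"
  mongo_uri "$DB_IP"
fi
```

The refusal in mongo_uri is the real fix for the symptom in the question: the app only "worked" with an all-traffic rule because its connections arrived from the public internet, where no security group reference can identify them. Once the app connects to the private address, the source-group rule matches and the 0.0.0.0/0 rule becomes unnecessary. The example does not touch bind_ip; with the group locked to the app tier, listening on 0.0.0.0 is acceptable, but binding to the private interface address alone is tighter still.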
