Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

get artifact from codeartifact from EC2 instance

0

Hello, I'm trying to get an artifact with aws cli from an ec2 instance in a private subnet. Which CIDR should I configure in my security groups and NACL to be able to download artifacts from code artifact service? Thanks for your help

Argomenti
Strumenti per sviluppatoriNetworking e distribuzione di contenuti
Tag
AWS CodeArtifactGruppo di sicurezza
Lingua
English
Cava
posta 7 mesi fa290 visualizzazioni
2 Risposte
0
Risposta accettata

Hi, as with any other AWS service you want to access from an EC2 instance, you need access to the service endpoint either via outbound internet access or via a VPC Interface Endpoint for the service. CodeArtifact does have endpoints defined - com.amazonaws.<region>.codeartifact.api and com.amazonaws.<region>.codeartifact.repositories as per https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html.

Note these endpoints each cost about 1c/hr per AZ, and you'll need 2 AZs if you want high availability.

If your private subnet isn't "fully private" and does have outbound internet access then your security group will need to allow https outbound on 0.0.0.0/0 to access codeartifact this way. Likewise your NACL outbound. NACL inbound will need to allow the ephemeral port range.

On the other hand if using an interface endpoint you only have to allow outbound to that endpoint.

ESPERTO
skinsman
con risposta 7 mesi fa
profile picture
ESPERTO
Sedat Salman
verificato 7 mesi fa
  • Cava
    7 mesi fa

    Thanks for your answer. Is there a way to restrict to a more limited CIRDR instead of 0.0.0.0/0? Do AWS public services have a known CIDR?

  • skinsman ESPERTO
    7 mesi fa

    Some service ranges are published as managed prefix lists (see https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists) and some in a JSON file (see https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) but not CodeArtifact. In theory you could use the AMAZON range in the latter but I wouldn't recommend it. You subscribe to the AmazonIpSpaceChanged topic and trigger a Lambda to process the updated JSON file, refreshing Security Groups with the ranges. You could limit it to just the region of interest but you still may have too many rules for one Security Group so may need several. I don't think it's worth the overhead for the minimal security uplift. VPC Interface Endpoints are a better option with additional benefits as it keeps traffic entirely on the Amazon network.

0

thanks for your help!

Cava
con risposta 7 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente