Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

get artifact from codeartifact from EC2 instance

0

Hello, I'm trying to get an artifact with aws cli from an ec2 instance in a private subnet. Which CIDR should I configure in my security groups and NACL to be able to download artifacts from code artifact service? Thanks for your help

Tópicos
Ferramentas do desenvolvedorRede e entrega de conteúdo
Tags
AWS CodeArtifactGrupo de segurança
Idioma
English
Cava
feita há 7 meses290 visualizações
2 Respostas
0
Resposta aceita

Hi, as with any other AWS service you want to access from an EC2 instance, you need access to the service endpoint either via outbound internet access or via a VPC Interface Endpoint for the service. CodeArtifact does have endpoints defined - com.amazonaws.<region>.codeartifact.api and com.amazonaws.<region>.codeartifact.repositories as per https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html.

Note these endpoints each cost about 1c/hr per AZ, and you'll need 2 AZs if you want high availability.

If your private subnet isn't "fully private" and does have outbound internet access then your security group will need to allow https outbound on 0.0.0.0/0 to access codeartifact this way. Likewise your NACL outbound. NACL inbound will need to allow the ephemeral port range.

On the other hand if using an interface endpoint you only have to allow outbound to that endpoint.

ESPECIALISTA
skinsman
respondido há 7 meses
profile picture
ESPECIALISTA
Sedat Salman
avaliado há 7 meses
  • Cava
    há 7 meses

    Thanks for your answer. Is there a way to restrict to a more limited CIRDR instead of 0.0.0.0/0? Do AWS public services have a known CIDR?

  • skinsman ESPECIALISTA
    há 7 meses

    Some service ranges are published as managed prefix lists (see https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists) and some in a JSON file (see https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) but not CodeArtifact. In theory you could use the AMAZON range in the latter but I wouldn't recommend it. You subscribe to the AmazonIpSpaceChanged topic and trigger a Lambda to process the updated JSON file, refreshing Security Groups with the ranges. You could limit it to just the region of interest but you still may have too many rules for one Security Group so may need several. I don't think it's worth the overhead for the minimal security uplift. VPC Interface Endpoints are a better option with additional benefits as it keeps traffic entirely on the Amazon network.

0

thanks for your help!

Cava
respondido há 7 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante