Deactivate access to the AWS public IPv4 DNS

0

I have an EC2 instance on a public subnet and I have also assigned an Elastic IP to it as I am using it to host my Apache proxy to connect to my FAST API. The server is also linked to a domain using an A record on my domain provider.

I am able to access my FAST API via the domain on port 443. However AWS also generates a public IPv4 DNS with the following format: ec2-XX-XX-XX-XX.ap-southeast-1.compute.amazonaws.com.

Now I am able to access the FAST API via https://ec2-XX-XX-XX-XX.ap-southeast-1.compute.amazonaws.com/docs and the browser shows me a "Not Secure" connection as there is a certificate mismatch.

Is it possible to deactivate access to the AWS public IPv4 DNS?

asked 2 months ago · 59 views
2 Answers
0
Accepted Answer

Yes, it is possible to effectively deactivate access to the AWS public IPv4 DNS for your EC2 instance. However, it's important to understand that you can't directly "deactivate" the public DNS hostname itself, as it's automatically generated by AWS for instances with public IP addresses. Instead, you can take steps to prevent access through this hostname.

Here are a few approaches you can consider:

  1. Remove the public IP address: Since you're using an Elastic IP, you can disassociate the auto-assigned public IPv4 address from your instance. This will remove the public DNS hostname. As of a recent update, AWS now supports dynamically removing and adding auto-assigned public IPv4 addresses on EC2 instances. You can do this by modifying the public IP setting on the network interface.

  2. Configure your web server: You can configure Apache to only respond to requests coming from your domain name. This way, even if someone tries to access your API using the public DNS hostname, the web server won't serve the content.

  3. Use security groups: Configure your EC2 instance's security group to only allow incoming traffic on port 443 from your domain's IP address or from a content delivery network (CDN) if you're using one.

  4. Implement application-level checks: In your FAST API application, you can add logic to check the incoming request's host header and only process requests that match your domain name.

Remember, even if you implement these measures, the public DNS hostname will still exist as long as your instance has a public IP address. The goal is to prevent it from being used to access your application.

Regarding the certificate mismatch, this is expected behavior because your SSL certificate is likely issued for your domain name, not for the AWS-generated public DNS hostname. By implementing the above measures, you can help ensure that users only access your API through the properly secured domain name.

Sources
AWS supports dynamically removing and adding auto assigned public IPv4 address
Amazon EC2 instance IP addressing - Amazon Elastic Compute Cloud

answered 2 months ago
EXPERT
reviewed 2 months ago
  • Thanks, let me try out these options and revert back!!
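
Approach 4 from the accepted answer, as an added example (not code from the original posts): a dependency-free ASGI middleware that can be attached to a FastAPI app with `app.add_middleware(HostAllowList)`. The domain `api.example.com`, the names `HostAllowList`, `request_host` and `probe`, and the choice of status 421 are assumptions, and the request built in `probe` is constructed.

```python
import asyncio

# Assumption: api.example.com is a placeholder for the domain on the certificate.
ALLOWED_HOSTS = {"api.example.com"}


def request_host(scope):
    """Lower-cased Host header without port or trailing dot; '' if missing or repeated."""
    hosts = [v for k, v in scope.get("headers", []) if k == b"host"]
    if len(hosts) != 1:
        return ""
    raw = hosts[0].decode("latin-1")
    host = raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw
    return host.rstrip(".").lower()


class HostAllowList:
    """Pure ASGI middleware that answers 421 unless the Host header is allow-listed."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    async def __call__(self, scope, receive, send):
        if scope["type"] not in ("http", "websocket") or request_host(scope) in self.allowed:
            await self.app(scope, receive, send)
            return
        if scope["type"] == "websocket":
            await send({"type": "websocket.close", "code": 1008})  # refuse handshake
            return
        body = b"Misdirected Request"
        await send({"type": "http.response.start", "status": 421,
                    "headers": [(b"content-length", str(len(body)).encode())]})
        await send({"type": "http.response.body", "body": body})


def probe(host_header):
    """Run one constructed request through the middleware and return the status code."""
    sent = []

    async def inner_app(scope, receive, send):  # stand-in for the FastAPI app
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "headers": [(b"host", host_header.encode())]}
    asyncio.run(HostAllowList(inner_app)(scope, receive, send))
    return sent[0]["status"]
```

Behind the Apache proxy, the application only sees the client's original Host header if `ProxyPreserveHost On` is set; otherwise mod_proxy sends the backend's own host name and this check cannot distinguish the two entry points.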

0

Afraid you can't. Every Public IP across AWS has a public DNS Name. It wouldn't make any difference to you removing that public DNS Name.

You get the same result going to https://X.X.X.X as the certificate doesn't have the SAN included.

Unless you ask someone to connect to the webserver using the AWS Public DNS Name, you're not going to have any issues.

EXPERT
answered 2 months ago
