By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

get artifact from codeartifact from EC2 instance

0

Hello, I'm trying to get an artifact with aws cli from an ec2 instance in a private subnet. Which CIDR should I configure in my security groups and NACL to be able to download artifacts from code artifact service? Thanks for your help

Topics
Developer ToolsNetworking & Content Delivery
Tags
AWS CodeArtifactSecurity Group
Language
English
Cava
asked 6 months ago270 views
2 Answers
0
Accepted Answer

Hi, as with any other AWS service you want to access from an EC2 instance, you need access to the service endpoint either via outbound internet access or via a VPC Interface Endpoint for the service. CodeArtifact does have endpoints defined - com.amazonaws.<region>.codeartifact.api and com.amazonaws.<region>.codeartifact.repositories as per https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html.

Note these endpoints each cost about 1c/hr per AZ, and you'll need 2 AZs if you want high availability.

If your private subnet isn't "fully private" and does have outbound internet access then your security group will need to allow https outbound on 0.0.0.0/0 to access codeartifact this way. Likewise your NACL outbound. NACL inbound will need to allow the ephemeral port range.

On the other hand if using an interface endpoint you only have to allow outbound to that endpoint.

EXPERT
skinsman
answered 6 months ago
profile picture
EXPERT
Sedat Salman
reviewed 6 months ago
  • Cava
    6 months ago

    Thanks for your answer. Is there a way to restrict to a more limited CIRDR instead of 0.0.0.0/0? Do AWS public services have a known CIDR?

  • skinsman EXPERT
    6 months ago

    Some service ranges are published as managed prefix lists (see https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists) and some in a JSON file (see https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) but not CodeArtifact. In theory you could use the AMAZON range in the latter but I wouldn't recommend it. You subscribe to the AmazonIpSpaceChanged topic and trigger a Lambda to process the updated JSON file, refreshing Security Groups with the ranges. You could limit it to just the region of interest but you still may have too many rules for one Security Group so may need several. I don't think it's worth the overhead for the minimal security uplift. VPC Interface Endpoints are a better option with additional benefits as it keeps traffic entirely on the Amazon network.

0

thanks for your help!

Cava
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content