Is there a way to know if some request comes to the instance but is blocked by security group

0

I recently set up an ECS cluster and used Service Connect to access a service in a different ECS cluster. Initially, it was not working, but after some investigation and advice, I resolved the issue by allowing all traffic from the same security group.

However, I would like to know if there is a way to identify which specific requests are being blocked by a security group. Any insights or tools for monitoring and diagnosing security group blocks would be greatly appreciated.

asked a month ago, 154 views
2 Answers
3

You can use VPC Flow Logs to tell what packets have been rejected by security groups. Note that there are some limitations which are documented.

If you are troubleshooting and are looking to answer questions like "why can't A connect to B", then you're probably better off using Reachability Analyzer.

AWS
EXPERT
answered a month ago
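To make the first suggestion concrete, here is an added example (not part of the answer above) that parses default-format VPC Flow Log records and tallies REJECT entries per destination address, port and protocol on one ENI. The log lines and the ENI id are constructed placeholders; the default field order is the one AWS documents for flow logs.

```python
"""Filter VPC Flow Log records (default format) for rejected traffic.
Added example; not from the original answer. Field order below is the
documented default-format order."""
from collections import Counter
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic); ENI id is a placeholder.
SAMPLE_LOG = """\
2 123456789012 eni-0abc123def456789a 10.0.1.25 10.0.2.40 51234 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def456789a 10.0.1.25 10.0.2.40 51236 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def456789a 10.0.1.25 10.0.2.40 51240 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.3.9 10.0.2.40 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123def456789a - - - - - - - 1700000000 1700000060 - NODATA
"""

@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str

def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records; drop lines whose log-status is not OK
    (NODATA / SKIPDATA carry no usable flow fields)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                                  int(rec["dstport"]), int(rec["protocol"]), rec["action"]))
    return records

def rejected_by_dst_port(records: list[FlowRecord], interface_id: str) -> Counter:
    """Count REJECT records per (dstaddr, dstport, protocol) on one ENI.
    REJECT means a security group or network ACL denied the flow; the log
    does not say which, so compare the result against the ENI's rules."""
    return Counter((r.dstaddr, r.dstport, r.protocol)
                   for r in records
                   if r.interface_id == interface_id and r.action == "REJECT")
```

Point the parser at lines exported from CloudWatch Logs or S3 for the ENI of the task that could not be reached; the busiest (dstport, protocol) keys are the rules to check first.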
0

I really like the input for Reachability Analyzer. It's a good point-to-point (same region, limited resources) analyzer.

We also have Network Access Analyzer, which will provide "findings" from an access point to another endpoint, identifying all possible communication in the form of findings. A little more robust, with different use cases than Reachability Analyzer.

Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. You can use Network Access Analyzer to:

Understand, verify, and improve your network security posture – Network Access Analyzer helps you identify unintended network access relative to your security and compliance requirements, enabling you to take steps to improve your network security.

Demonstrate compliance – Network Access Analyzer helps you demonstrate that your network on AWS meets your compliance requirements. https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/what-is-network-access-analyzer.html

AWS
KAS
answered a month ago
