Instance network isolation?

0

I've got a question related to instance network isolation.

If I have 3 lightsail instances active, are they isolated at all from other instances that I don't own?

In other words ... I know that my 3 instances can communicate with each other via their internal IP addresses... but can other customer instances also communicate with my instances via the internal IP?

Here's my use case:

I find the Lightsail database offering too inflexible ... so I'm considering creating a new LS instance that will be dedicated to running a MySQL database that the applications on my other instances will use. I won't be opening port 3306 to the internet (obviously). Just ports 22 & 443.

Do I need to firewall port 3306 (the mysql port) so that only the static IPs of my instances can access it ... or is that network isolation already in place because the LS instances are all on my account?

Thanks!

david

David G
asked 5 years ago · 348 views
4 Answers
0

David,

Thanks for using Lightsail! The short answer to your question is "No, instances in other accounts cannot access the internal IP addresses of your Lightsail instances."

Lightsail instances run within a single Virtual Private Cloud network. This VPC can be peered with the default VPC in EC2/VPC networking to allow you to communicate between internal IP addresses of Lightsail Instances and your EC2 Instances in the default VPC for EC2. Right now, that is the only way in which the internal IP addresses are accessible via resources outside of your Lightsail account.

The Lightsail VPC provides a secure network isolated from the internet and all other Lightsail or AWS accounts and only allows traffic through the ports that you open in the port management interface.

I hope this helps!

Donley

AWS
answered 5 years ago
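An added check, not part of the thread or of any AWS tool: it audits the firewall state of the MySQL instance described above and flags any open rule that lets port 3306 be reached from a source other than the application instances' static IPs, then produces a corrected rule set. The JSON shape is modelled on what `aws lightsail get-instance-port-states` returns (an assumption for this example), and the IPs are constructed.

```python
import ipaddress
import json

MYSQL_PORT = 3306

# Constructed sample, shaped like the JSON that
# `aws lightsail get-instance-port-states --instance-name <db-instance>` returns
# (field names are an assumption made for this example, not taken from the thread).
SAMPLE_PORT_STATES = json.dumps({"portStates": [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"]},
    {"fromPort": 443, "toPort": 443, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"]},
    # The mistake to catch: MySQL opened to the whole internet.
    {"fromPort": 3306, "toPort": 3306, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": []},
]})

# Constructed static IPs of the three application instances (documentation range).
APP_INSTANCE_IPS = ["203.0.113.10/32", "203.0.113.11/32", "203.0.113.12/32"]


def audit_port_exposure(port_states_json, allowed_sources, port=MYSQL_PORT):
    """Return (protocol, cidr) pairs for every open rule that reaches `port`
    from a source not fully contained in one of `allowed_sources`."""
    allowed = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    findings = []
    for rule in json.loads(port_states_json)["portStates"]:
        if rule.get("state") != "open" or rule.get("protocol") not in ("tcp", "all"):
            continue
        if not rule["fromPort"] <= port <= rule["toPort"]:
            continue
        for cidr in rule.get("cidrs", []) + rule.get("ipv6Cidrs", []):
            src = ipaddress.ip_network(cidr, strict=False)
            # subnet_of() only accepts networks of the same IP version, so guard on it.
            if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                findings.append((rule["protocol"], cidr))
    return findings


def restrict_port_to(port_states_json, allowed_sources, port=MYSQL_PORT):
    """Return the port states with every open rule covering `port` narrowed to
    `allowed_sources` (a rule spanning a range would be narrowed as a whole)."""
    data = json.loads(port_states_json)
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    for rule in data["portStates"]:
        if rule.get("state") == "open" and rule["fromPort"] <= port <= rule["toPort"]:
            rule["cidrs"] = [str(n) for n in nets if n.version == 4]
            rule["ipv6Cidrs"] = [str(n) for n in nets if n.version == 6]
    return json.dumps(data)
```

Feed it the real output of the CLI command named in the comment to audit a live instance; the corrected state is what you would then apply through the Lightsail firewall interface.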
0

OK, I think I understand.

Just to confirm ...

Lightsail instances within my own account will always be able to communicate with each other, via internal IP addresses, no matter what.

If I enable VPC peering, then other EC2 resources, that I own, can communicate with my Lightsail instances via internal IP addresses.

If I don't enable VPC peering, then my Lightsail instances will be able to communicate but no other EC2 resources I own will be able to communicate via internal IP addresses.

Regardless of the VPC peering setting, no Lightsail instances outside of my account will be able to communicate with my instances via internal IP addresses.

Just thought of another question: What about Lightsail instances in other regions or zones?

Edited by: David G on Mar 22, 2019 10:00 AM

David G
answered 5 years ago
0

Everything you stated is correct.

To answer your question: Lightsail instances in the same region but a different availability zone are in the same VPC so they can talk to one another using internal IP addresses. Lightsail instances in different regions cannot talk to one another using the internal IP addresses. They would have to use public IP addresses and the ports would have to be opened up on the receiving end.

Donley

AWS
answered 5 years ago
0

Perfect! Thanks!

David G
answered 5 years ago