How do I make a "security group" firewall reference the dynamic address of a client site

0

Our EC2 servers are in multiple AWS sites to provide faster service for geographic regions. Some of our management terminals access the internet from ISP assigned dynamic IP addresses that change multiple times per year. This creates a problem of updating the "security group" AWS firewall rules to allow those specific IPs to connect to our EC2 servers.

Looking at the AWS console user interface, the first obvious choice would be to reference the DNS name (which we already update to new IPs using another mechanism), but this seems to not be an option.

The second obvious choice would be to reference a "prefix list" and update that, but unfortunately, AWS prefix lists get disconnected from "security group rules" when edited (according to the VPC documentation), and they are also artificially limited to each AWS site, thus still requiring duplicated effort to handle a global set of EC2 servers.

So is there any current or planned AWS feature to ease the common task of updating an IP address allowed in security groups at multiple AWS locations?

asked 5 months ago · 148 views
1 Answer
0

Hi, can you share a reference where it states the prefix reference in your security group will break when you update the prefixes? As per the docs we have, " you can update the relevant prefix list and all security groups that use the prefix list are updated. You can also use managed prefix lists with other AWS accounts using Resource Access Manager (RAM)." ref: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

And the Modify section doesn't state that in the considerations or limitations: https://docs.aws.amazon.com/vpc/latest/userguide/working-with-managed-prefix-lists.html#modify-managed-prefix-list That is the main purpose of the AWS IP prefixes. You get to modify one place, and it will apply to many security groups at once that use this prefix somewhere in their rules.

However, this is a region-specific resource. Thus, you can think of creating a workflow that will update the prefixes in every other region when the primary region prefix is updated. btw, interesting use-case.

AmerO (AWS)
answered 5 months ago
  • I was confused by the structure of the following sentence on that page: "You can modify a prefix list. When you add or remove entries, we create a new version of the prefix list. Resources that reference the prefix always use the current (latest) version. You can restore the entries from a previous version of the prefix list, which also creates a new version.", which I misunderstood to indicate that the new version got a new object identity other than what the firewall rule referenced.

    However this clarification doesn't handle the problem that there will be a separate prefix list for each AWS region, not one stored centrally in the AWS account and automatically distributed to the hardware in the regions.

  • You can't do this natively. You will need to create a workflow that is triggered by a change to the primary prefix, so it updates all the prefixes that mirror that prefix in the other regions. That can be a Lambda that monitors the change on the primary prefix using CloudWatch EventBridge and then starts updating the other prefixes. If you are using CI/CD or IaC to deploy your resources in different regions, that can make the changes easier on your side. Unfortunately, not a change you can accomplish within the default options of the Managed IP prefixes screen. If that answers your question, please accept the answer.
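The fan-out workflow the answer and its last comment describe (EventBridge fires on a change to the primary prefix list, a Lambda diffs it against the same-named list in every other region and pushes the difference), written out as an added example for this thread. It is not AWS code and not the answer author's code. Everything not stated in the thread is assumed: the list name `mgmt-terminals`, the regions in `PRIMARY_REGION` / `MIRROR_REGIONS`, an execution role holding `ec2:DescribeManagedPrefixLists`, `ec2:GetManagedPrefixListEntries` and `ec2:ModifyManagedPrefixList` in each region, and the `InMemoryEc2` class, which is a constructed stand-in for the boto3 EC2 client (with constructed sample CIDRs) so the sync logic can be run offline.

```python
# Added example for this thread, not AWS code and not the answer author's code. Assumed, not from
# the thread: same list name in every region, the primary in PRIMARY_REGION, and an IAM role that
# may call ec2:DescribeManagedPrefixLists, GetManagedPrefixListEntries and ModifyManagedPrefixList.
import json
import os
import time
from typing import Dict, List, Tuple

PREFIX_LIST_NAME = os.environ.get("PREFIX_LIST_NAME", "mgmt-terminals")  # assumed name
PRIMARY_REGION = os.environ.get("PRIMARY_REGION", "us-east-1")  # assumed primary region
MIRROR_REGIONS = os.environ.get("MIRROR_REGIONS", "eu-west-1,ap-southeast-1").split(",")
BATCH = 100  # ModifyManagedPrefixList accepts at most 100 AddEntries / RemoveEntries per call

def plan_changes(primary: Dict[str, str], mirror: Dict[str, str]) -> Tuple[List[dict], List[dict]]:
    """Diff {cidr: description} maps into AddEntries / RemoveEntries; an in-sync mirror gives ([], [])."""
    add = [{"Cidr": c, "Description": primary[c]} for c in sorted(primary) if c not in mirror]
    remove = [{"Cidr": c} for c in sorted(mirror) if c not in primary]
    return add, remove

def list_entries(ec2, prefix_list_id: str) -> Dict[str, str]:
    """Read every entry of a prefix list, following NextToken pagination."""
    entries, kwargs = {}, {"PrefixListId": prefix_list_id}
    while True:
        page = ec2.get_managed_prefix_list_entries(**kwargs)
        entries.update({e["Cidr"]: e.get("Description", "") for e in page.get("Entries", [])})
        if not page.get("NextToken"):
            return entries
        kwargs["NextToken"] = page["NextToken"]

def find_prefix_list(ec2, name: str) -> dict:
    """The customer-managed list called `name` in this region; ValueError unless exactly one exists."""
    resp = ec2.describe_managed_prefix_lists(Filters=[{"Name": "prefix-list-name", "Values": [name]}])
    (pl,) = [p for p in resp["PrefixLists"] if p.get("OwnerId") != "AWS"]
    return pl

def sync_mirror(ec2, mirror_id: str, primary: Dict[str, str]) -> int:
    """Make `mirror_id` match `primary`; returns how many entries changed. Removals go first so
    MaxEntries is never exceeded mid-way; CurrentVersion is sent on every call so a concurrent
    edit by someone else fails loudly instead of being overwritten."""
    add, remove = plan_changes(primary, list_entries(ec2, mirror_id))
    changed = 0
    while add or remove:
        pl = ec2.describe_managed_prefix_lists(PrefixListIds=[mirror_id])["PrefixLists"][0]
        if pl["State"].endswith("-in-progress"):  # previous batch still applying; Lambda timeout bounds this
            time.sleep(2)
            continue
        if len(primary) > pl["MaxEntries"]:
            raise ValueError(f"{mirror_id}: MaxEntries={pl['MaxEntries']} but {len(primary)} entries needed")
        kwargs = {"PrefixListId": mirror_id, "CurrentVersion": pl["Version"]}
        if remove:
            kwargs["RemoveEntries"], remove = remove[:BATCH], remove[BATCH:]
        else:
            kwargs["AddEntries"], add = add[:BATCH], add[BATCH:]
        ec2.modify_managed_prefix_list(**kwargs)
        changed += len(kwargs.get("AddEntries", [])) + len(kwargs.get("RemoveEntries", []))
    return changed

def handler(event, context=None) -> Dict[str, int]:
    """Lambda entry point for the CloudTrail ModifyManagedPrefixList event in PRIMARY_REGION."""
    import boto3  # imported here so everything above runs (and is testable) without the SDK
    primary_ec2 = boto3.client("ec2", region_name=PRIMARY_REGION)
    primary_pl = find_prefix_list(primary_ec2, PREFIX_LIST_NAME)
    # Only the primary fans out; matching the ID anywhere in `detail` avoids depending on the nesting
    # of requestParameters and stops edits to unrelated lists in the same region from triggering.
    if primary_pl["PrefixListId"] not in json.dumps(event.get("detail", {})):
        return {}
    primary = list_entries(primary_ec2, primary_pl["PrefixListId"])
    result = {}
    for region in MIRROR_REGIONS:
        ec2 = boto3.client("ec2", region_name=region)
        result[region] = sync_mirror(ec2, find_prefix_list(ec2, PREFIX_LIST_NAME)["PrefixListId"], primary)
    return result

class InMemoryEc2:
    """Constructed stand-in for boto3's EC2 client so sync_mirror can be exercised offline."""
    def __init__(self, entries: Dict[str, str], max_entries: int = 10):
        self.entries, self.version, self.max_entries = dict(entries), 1, max_entries

    def get_managed_prefix_list_entries(self, **kw):
        items = [{"Cidr": c, "Description": d} for c, d in self.entries.items()]
        i = int(kw.get("NextToken", 0))  # one entry per page, to exercise the pagination path
        return {"Entries": items[i:i + 1], **({"NextToken": str(i + 1)} if i + 1 < len(items) else {})}

    def describe_managed_prefix_lists(self, **kw):
        return {"PrefixLists": [{"PrefixListId": "pl-0mirror", "PrefixListName": PREFIX_LIST_NAME,
                                 "OwnerId": "123456789012", "State": "modify-complete",
                                 "Version": self.version, "MaxEntries": self.max_entries}]}

    def modify_managed_prefix_list(self, **kw):
        if kw["CurrentVersion"] != self.version:
            raise RuntimeError("stale CurrentVersion: someone else changed the list")
        for e in kw.get("RemoveEntries", []):
            self.entries.pop(e["Cidr"])
        for e in kw.get("AddEntries", []):
            self.entries[e["Cidr"]] = e["Description"]
        self.version += 1
        return {"PrefixList": {"Version": self.version}}

def demo() -> Tuple[int, Dict[str, str]]:
    """Offline run on constructed data: terminal B's ISP lease moved from 192.0.2.99 to 198.51.100.7."""
    primary = {"203.0.113.10/32": "office", "198.51.100.7/32": "terminal B (new lease)"}
    mirror = InMemoryEc2({"203.0.113.10/32": "office", "192.0.2.99/32": "terminal B (old lease)"})
    return sync_mirror(mirror, "pl-0mirror", primary), mirror.entries
```

To wire `handler` up, the EventBridge rule in the primary region matches detail-type "AWS API Call via CloudTrail" with `detail.eventSource` set to `ec2.amazonaws.com` and `detail.eventName` set to `ModifyManagedPrefixList`, which needs CloudTrail management events delivered in that region. Two choices matter for safety: the mirror is modified only from a state that is not `*-in-progress` (a modify call made while the previous one is still applying is rejected), and `CurrentVersion` is passed on every call so that a human editing the mirror at the same moment produces an error rather than a silently clobbered list.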
