Hello.
As you are aware, security groups are designed to allow traffic, so if you add an IP address, the added IP address will be able to communicate.
https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html
The rules of a security group control the inbound traffic that's allowed to reach the resources that are associated with the security group. The rules also control the outbound traffic that's allowed to leave them.
I read the article and I thought this meant adding IP addresses to allow.
In other words, I think the default is to not allow anything, and then the IP addresses that you want to allow to connect are added using some kind of script.
We now use AWS Elastic Load Balancing (ELB) instances (classic load balancers are the only type supported by OpenShift for now) as a traffic ingress for our OpenShift cluster. This reduces latency as we now operate within the same VPC instead of relying on an external load balancing provider. This also comes with the ability to have access to the security group APIs which we can use to dynamically add IP addresses. This is critical when we have individuals or organizations abusing specific GNOME services with thousands of queries per minute.
If you want to perform actions such as adding blocked IP addresses, you will need to configure a network ACL associated with the subnet.
If you are using ALB or CloudFront, you can also use AWS WAF.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
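An added example, not code from this thread: because a security group can only allow, the blocking described above has to be done with network ACL deny entries, and those only work if their rule numbers sort below the allow rule. The Python below builds the keyword arguments for boto3's `ec2.create_network_acl_entry()` (parameter names as in boto3; the ACL id is a placeholder) and simulates the ACL's first-match evaluation so you can check the result before applying it.

```python
# Added example: plan NACL deny entries for abusive source IPs and simulate
# how AWS evaluates a network ACL. Pure Python, runs offline (no boto3 call).
import ipaddress

# Constructed sample: ingress entries of a default network ACL, shaped like the
# "Entries" list that boto3's describe_network_acls() returns (IPv4 only here).
EXISTING_INGRESS = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
     "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
     "Egress": False, "CidrBlock": "0.0.0.0/0"},  # the catch-all "*" rule
]

def plan_deny_entries(acl_id, existing, abusive_ips, start=10):
    """Return one kwargs dict per IP/CIDR, ready for create_network_acl_entry().

    NACL rules are evaluated in ascending rule number and the first match wins,
    so every deny must be numbered below the lowest ingress allow rule.
    """
    lowest_allow = min(e["RuleNumber"] for e in existing
                       if e["RuleAction"] == "allow" and not e["Egress"])
    used = {e["RuleNumber"] for e in existing if not e["Egress"]}
    entries, number = [], start
    for ip in abusive_ips:
        while number in used:            # skip rule numbers already taken
            number += 1
        if number >= lowest_allow:       # a deny above the allow never fires
            raise ValueError(f"no free rule number below allow rule {lowest_allow}")
        entries.append({
            "NetworkAclId": acl_id, "RuleNumber": number, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False,
            "CidrBlock": str(ipaddress.ip_network(ip, strict=False)),
        })
        used.add(number)
        number += 1
    return entries

def evaluate_ingress(entries, src_ip):
    """Decide 'allow' or 'deny' for src_ip the way the NACL would."""
    addr = ipaddress.ip_address(src_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        cidr = e.get("CidrBlock")
        if e["Egress"] or cidr is None:
            continue
        if addr in ipaddress.ip_network(cidr):
            return e["RuleAction"]
    return "deny"  # nothing matched: the implicit deny applies

if __name__ == "__main__":
    # "acl-EXAMPLE" is a placeholder; pass each dict as **kwargs to boto3.
    for entry in plan_deny_entries("acl-EXAMPLE", EXISTING_INGRESS, ["203.0.113.7"]):
        print(entry)
```

Network ACLs are stateless and have a per-ACL rule quota, so keep the deny list short and remove entries once the abuse stops.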
