Wednesday, 29 July 2015

Restricting Access - AWS VPC + Elastic Beanstalk

There exists a virtual private cloud (VPC) with one public subnet (from here) on AWS. A node.js web service has been deployed inside this VPC using elastic beanstalk. For security reasons only a specific set of IP addresses are to access this HTTP web service. In order to achieve this the routing table associated with the subnet has been updated from:

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-id

to:

Destination        Target
10.0.0.0/16        local
white_listed_ip    igw-id

After making this change some strange behaviours are experienced, such as:

  1. Many 'eb' commands time out, e.g. eb create, eb logs
  2. Commands like 'eb logs' cause the environment to update; the update takes a long time, and the environment's state becomes yellow.

I suspect that doing such a hard restriction on IP addresses accessing the VPC is causing components of Elastic Beanstalk not to have access to the VPC causing the issues.

The question is: what is the best way to restrict access to such a deployment to only a set of IPs, without having to know all the IP addresses required by Elastic Beanstalk?

I assume that restricting access at security group level rather than route table would potentially have the same type of issues.
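The following is an added audit script, not code from the original post. It models the two route tables shown above and a security group as dicts shaped like the output of boto3's describe_route_tables() and describe_security_groups() (constructed inline, so it runs offline; the rtb-/igw-/sg- IDs and the 203.0.113.0/24 allowlist are placeholders). It flags the property the post's symptoms point at, a route table with no default route, so instances cannot initiate outbound connections to the Elastic Beanstalk service, and separately checks that HTTP ingress in the security group is confined to the allowlist. The security-group check relies on security groups being stateful: an inbound rule limited to the allowlist does not stop replies to connections the instance itself initiates.

```python
"""Audit a VPC route table and security group for the IP-allowlist pattern.

Added example (not from the post). Input dicts follow the shape returned by
boto3 describe_route_tables()/describe_security_groups(); all values below
are constructed placeholders.
"""
import ipaddress

# Constructed: route table after the post's change (0.0.0.0/0 route replaced
# by a single allowlisted prefix).
RESTRICTED_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
}

# Constructed: the original route table with the default route intact.
DEFAULT_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
}

# Constructed: security group allowing TCP/80 only from the allowlist, with
# outbound left open. Security groups are stateful, so instance-initiated
# connections get their replies regardless of the ingress rules.
ALLOWLIST_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def route_for(route_table, ip):
    """Longest-prefix match of ip against active routes; None if no route matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def has_default_internet_route(route_table):
    """True if 0.0.0.0/0 is routed to an internet gateway or NAT gateway."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(("igw-", "nat-")):
            return True
    return False


def http_ingress_sources(sg):
    """CIDRs that may reach TCP/80 through this security group's ingress rules."""
    sources = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "tcp" and not (perm["FromPort"] <= 80 <= perm["ToPort"]):
            continue
        if proto not in ("tcp", "-1"):  # "-1" means all protocols/ports
            continue
        sources.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return sources


def http_allowed_from(sg, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in http_ingress_sources(sg))


def audit(route_table, sg, allowlist):
    """Return a list of findings; empty means HTTP is confined to the allowlist
    and instances still have a default route for outbound connections."""
    findings = []
    if not has_default_internet_route(route_table):
        findings.append("no default route: instances cannot initiate outbound "
                        "connections beyond the explicitly routed prefixes")
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    for cidr in http_ingress_sources(sg):
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"HTTP ingress open to {cidr}, outside the allowlist")
    return findings


if __name__ == "__main__":
    for name, table in (("restricted", RESTRICTED_ROUTE_TABLE), ("default", DEFAULT_ROUTE_TABLE)):
        print(name, audit(table, ALLOWLIST_SG, ["203.0.113.0/24"]) or "ok")
```

Run against the restricted table the audit reports the missing default route; run against the original table with the allowlisting security group it reports nothing, which is the combination the question is asking for: ingress pinned to known addresses while the instances keep a path out.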
