Security Rules - Outbound Port

0

Hello,

I need the following configuration: all data traffic should be permitted outbound, but two ports should only be open to a certain IP range.

AWS only uses the most permissive rule, which allows all outbound traffic. How can I give the rule with the two ports a higher weighting?

Thanks!

Hacky
asked 5 months ago · 181 views
4 Answers
0
Accepted Answer

But! One of my rules is that all outbound traffic is allowed. (0.0.0.0/0). Now, we have 2 ports (5600 + 5700) that should only be released to a specific /32 address. These ports should be restricted to all other IP addresses.

I think that for that instance, one security group rule is going to have to turn into five security group rules. Which is easy to do, but at the same time is ugly.

Rule 1 opens ports 0-5599 to 0.0.0.0/0

Rule 2 opens port 5600 to single /32 address

Rule 3 opens ports 5601-5699 to 0.0.0.0/0

Rule 4 opens port 5700 to single /32 address

Rule 5 opens ports 5701-65535 to 0.0.0.0/0

I can't see another way of doing it, like you say once you open 0-65535 to all hosts you can't then tighten it up again only for specific address(es).

Steve_M (EXPERT)
answered 5 months ago
  • Yes, that's exactly what I did too. For a single instance it's OK. But it would be much better if there could be weighting in the security groups, like with the VPC ACLs.

  • Agree with Steve's answer here; however, it will become unmanageable if you expand these rules over time.
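The five-rule split from the accepted answer, worked through as an added example that is not from this thread or from AWS. It generates the non-overlapping port ranges for any set of restricted ports (not just two), emits them in the `IpPermissions` shape that `aws ec2 authorize-security-group-egress --ip-permissions` accepts, and models how a security group evaluates egress (allow-only, union of all rules, no ordering) so you can see why the naive "all traffic + /32 rule" set still lets port 5600 out to any host. The /32 (203.0.113.10) and the test destination (198.51.100.7) are placeholder addresses I chose, not values from the thread. One caveat the split needs: an "All traffic" rule covers UDP and ICMP as well, and these TCP ranges do not, so if the instance needs outbound DNS over UDP or ICMP you must add those as separate rules (the `udp` lookup at the end shows the gap).

```python
import ipaddress
import json
from typing import Iterable

# Constructed inputs modelled on the thread: ports 5600 and 5700 to one /32.
RESTRICTED_PORTS = (5600, 5700)
TRUSTED_HOST = "203.0.113.10/32"   # assumed placeholder (TEST-NET-3), not from the thread
ANYWHERE = "0.0.0.0/0"
MIN_PORT, MAX_PORT = 0, 65535


def rule(protocol: str, from_port: int, to_port: int, cidr: str) -> dict:
    """One IpPermissions entry as accepted by authorize-security-group-egress.
    (For protocol "-1" the AWS API omits the ports; -1/-1 is used here only so
    the evaluator below can treat it uniformly.)"""
    return {
        "IpProtocol": protocol,
        "FromPort": from_port,
        "ToPort": to_port,
        "IpRanges": [{"CidrIp": cidr}],
    }


def split_egress_rules(restricted_ports: Iterable[int], trusted_cidr: str,
                       protocol: str = "tcp", open_cidr: str = ANYWHERE) -> list[dict]:
    """Replace '<protocol> 0-65535 to open_cidr' with contiguous ranges that skip
    every restricted port, plus one trusted_cidr rule per restricted port.
    Security groups are allow-only and take the union of their rules, so the
    only way to carve a hole is to never grant the port broadly at all."""
    ports = sorted(set(restricted_ports))
    rules: list[dict] = []
    cursor = MIN_PORT
    for p in ports:
        if not MIN_PORT <= p <= MAX_PORT:
            raise ValueError(f"port out of range: {p}")
        if cursor <= p - 1:                       # skip empty ranges (adjacent ports, port 0)
            rules.append(rule(protocol, cursor, p - 1, open_cidr))
        rules.append(rule(protocol, p, p, trusted_cidr))
        cursor = p + 1
    if cursor <= MAX_PORT:                        # tail range after the last restricted port
        rules.append(rule(protocol, cursor, MAX_PORT, open_cidr))
    return rules


def egress_allowed(rules: list[dict], protocol: str, port: int, dst_ip: str) -> bool:
    """Model security-group egress evaluation: any matching allow rule wins;
    there are no deny rules and no weighting, so rule order is irrelevant."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        proto_ok = r["IpProtocol"] in ("-1", protocol)
        port_ok = r["IpProtocol"] == "-1" or r["FromPort"] <= port <= r["ToPort"]
        cidr_ok = any(dst in ipaddress.ip_network(ipr["CidrIp"]) for ipr in r["IpRanges"])
        if proto_ok and port_ok and cidr_ok:
            return True
    return False


# What the questioner first tried: keep "All traffic" open and add the /32 rules.
NAIVE_RULES = [
    rule("-1", -1, -1, ANYWHERE),
    rule("tcp", 5600, 5600, TRUSTED_HOST),
    rule("tcp", 5700, 5700, TRUSTED_HOST),
]

# The accepted answer's five rules, generated rather than hand-written.
SPLIT_RULES = split_egress_rules(RESTRICTED_PORTS, TRUSTED_HOST)


if __name__ == "__main__":
    print(json.dumps(SPLIT_RULES, indent=2))
    for label, rules in (("naive", NAIVE_RULES), ("split", SPLIT_RULES)):
        print(f"{label}: tcp/5600 -> 198.51.100.7 allowed:",
              egress_allowed(rules, "tcp", 5600, "198.51.100.7"))
    print("split: udp/53 -> 198.51.100.7 allowed:",
          egress_allowed(SPLIT_RULES, "udp", 53, "198.51.100.7"))
```

Pipe the JSON into `aws ec2 authorize-security-group-egress --group-id <sg-id> --ip-permissions file://rules.json` after revoking the original all-traffic egress rule; the two-port case yields five rules exactly as listed in the answer, and every extra restricted port adds two more.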

0

Why not only ALLOW access on the /32 HOST from specific sources ONLY, instead of managing the outbound rules on an EC2 instance?

EXPERT
answered 5 months ago
  • Trust is good, control is better :)

  • You should place the security control as close as possible to the resource you wish to protect, rather than trusting that you have secured a host far away.

0

Hello.

If you want to change the settings per EC2 instance, edit the outbound rules of its security group.
https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

If you want to control on a subnet basis, set outbound rules for the network ACL.
Network ACLs are stateless settings, so you need to set permissions in outbound rules and allow return traffic in inbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

EXPERT
answered 5 months ago
  • Isn't it okay to just delete the "0.0.0.0/0" rule? Or how about making the "0.0.0.0/0" rule more detailed and allowing only the necessary protocols? For example, wouldn't it be better to set "0.0.0.0/0" to only allow HTTP and HTTPS?

0

Thanks for your answer!

Yes, I need this change for one EC2 instance. We have to edit the security rules of this instance.

But! One of my rules is that all outbound traffic is allowed. (0.0.0.0/0). Now, we have 2 ports (5600 + 5700) that should only be released to a specific /32 address. These ports should be restricted to all other IP addresses.

Now, when I add these rules, they will not be honored, because AWS takes the most tolerant rule, and that one says all data traffic is released to 0.0.0.0/0.

So I have to give the rule with the 2 ports more weight. But how?

Hacky
answered 5 months ago
