How to block single website from ec2 instance when we have multiple websites hosted on single nic

0

We have one EC2 instance running amazon Linux. We have one Elastic IP interface and single NIC card. Elastic IP has public IP address. Also, we have internal IP address which is assigned to NIC card of the server. We are hositng 8 websites on the server.for which we have created 8 different DNS records for our 8 websites. But, All the DNS Records are are pointing to single interface(Public Interface).

We have requirement to block public access for one website. If we disable 0.0.0.0/0 rule from security group it will block access to all the websites.Can you please suggest how can we just block public access for only one website.

asked 2 years ago627 views
3 Answers
1

If the sites are not mapped to different ports on the host you'll need some form of layer 7 filtering.

You could achieve this with AWS Web Application Firewall, but this requires integration with a load-balancer. If this is cost prohibitive, you'd need to restrict access in the vhost config, e.g. for Apache, https://httpd.apache.org/docs/2.4/howto/access.html

[editing in light of further info in comments]

Adding an additional ENI and binding the vhost to this will enable you to implement the desired policy as you describe, e.g. for Apache, https://httpd.apache.org/docs/2.4/bind.html

AWS
Andy_P
answered 2 years ago
  • This is a tricky problem because the network (Security Groups and NACLs) do not have visibility of the HTTP request to see which website is being accessed. Another related solution here is to use CloudFront which would allow WAF to be used in the same manner as suggested here. WAF operates at Layer 7 which is where the HTTP requests are exposed and can therefore block, filter or otherwise modify requests based on which website the request is going to.

  • I agree Brettski. This is tricky and customer is not using filtering at apache end and they are not willing to do it. Also we cannot go for CDN and WAF. The possible solution which I was thinking is below:

    1. Add another interface to the server. Change the FQDN to point the new IP address. Create a new security group and attach this to newly created interface and remove the any any inbound rule(0.0.0.0/0). Update the client network in inbound rule.
    2. Add the inbound rule with network range on the port number of website.

    Please suggest

  • Adding another interface might work; but then there will be limits on the number of interfaces and IP addresses. Much simpler to do what they "are not willing to do". Using different port numbers works fine but then it's more difficult for the end-users and there are networks out there that will block connections to "unusual" ports. Again, much simpler to go with the original suggestion.

0

Another option is change the FQDN IP address from Public IP address to private/internal IP address. This way the website will be accessible only to internal network Please suggest

answered 2 years ago
  • That's possible, but you'd want to validate the security of this, i.e. the web server won't respond to GETs to the 'private' site from the public IP (security by obscurity is no security at all). If the data is sensitive, it shouldn't sit on or be directly accessible from an internet-facing machine.

    Be mindful of bridging private and public networks. The risk of web server compromise (from other public access) should be acknowledged in relation to private connections - this may already be handled by existing controls/policy on the backend, but clients connecting to the private site should understand this is an internet-facing machine. Same from a data-leakage perspective (compromise of public site -> exfiltration of private-site data).

0

You will probably want to make use of Network Access Control Lists (NACL) here. Unlike Security Groups, NACLs are stateless and allow you to block/allow inbound/outbound traffic separately. You can block on specific IP or CIDR range also. See following: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions