
AWS: Restrict external access to Database but allow ECS task to access


I'm not great at network administration so I need some help to do something really basic on AWS. Basically, I have an RDS database on a VPC, let's call it VPC1. The database is also associated with the VPC security group "Default: sg1".

I have an API server that needs to access the database, running as a docker image (service) using ECS. This API server is associated with a load balancer on the same VPC, VPC1. The task has external IP XXX.XXX.XXX.XXX and internal IP YYY.YYY.YYY.YYY.

All I want to do is allow the ECS service to access the database, but disable all other external access.

I've tried the following:

  • add the private IP to the inbound SG rule
  • add the public IP to the inbound SG rule
  • add the security group of the network the task is part of to the SG rule

The protocol, for testing, is set to "all".

None of these seem to work. What am I missing here?

Tim

I typically do this with security group references rather than IPs. Make sure each resource (DB, ECS) is assigned a security group that isn't used for anything else - ie not the default SG. Default works but it's not good practice and it's more difficult to keep track of.

You need to put in matching security group rules to allow traffic out from ECS to the DB, and into the DB from ECS:

  • ECS SG: allow outbound connectivity to the DB SG on the required port.
  • DB SG: allow inbound connectivity from the DB SG on the required port.

Since security groups are stateful you don't need to allow incoming into ECS or outgoing from DB.

If for some reason you need to do this with IPs make sure you use private IPs rather than public. In AWS public IPs are only translated in the internet gateway, they're not used within the VPC.

Yes, this appears to have been the best and most pain free solution. Thank you kindly.
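The security-group-reference pattern from Tim's answer, written out as Terraform. This is an added example, not configuration from the question or the answer; the resource names, the DB port (5432, i.e. PostgreSQL) and the `vpc_id` variable are assumptions made for illustration.

```hcl
# Added example (not from the original question or answer): Terraform for the
# security-group-reference pattern. Names, the port and the vpc_id variable are
# assumptions for illustration.

variable "vpc_id" {
  type = string # assumed: the id of VPC1
}

# Dedicated SG for the ECS tasks (deliberately not the VPC default SG)
resource "aws_security_group" "api" {
  name   = "api-ecs-tasks"
  vpc_id = var.vpc_id
}

# Dedicated SG for the RDS instance
resource "aws_security_group" "db" {
  name   = "rds-postgres"
  vpc_id = var.vpc_id
}

# ECS side: egress to the DB SG on the DB port only.
# For an egress rule, source_security_group_id names the destination SG.
resource "aws_security_group_rule" "api_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.api.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id
}

# DB side: ingress from the ECS SG on the DB port only.
# Because the rule references a security group rather than an IP, it keeps
# matching when ECS replaces tasks and their private IPs change.
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
}

# Security groups are stateful, so no return-path rules are needed.
# There is intentionally no 0.0.0.0/0 ingress rule on the DB SG: with
# nothing else attached, a connection that does not originate from a member
# of the api SG is dropped.
```

Attach `aws_security_group.api.id` in the ECS service's `network_configuration.security_groups` and `aws_security_group.db.id` in the RDS instance's `vpc_security_group_ids`, and create the RDS instance with `publicly_accessible = false` so the database has no public endpoint at all. A quick check after applying: a connection attempt from a host outside the api SG (a laptop, or an instance in another SG) should time out, while the ECS task connects normally.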
