
AWS Security Groups Whitelisting

Hi, currently I'm adding the IPs manually to security groups in AWS to monitor the status of specific servers behind our firewall and load balancer, and the whitelist seems to get longer and longer.

Does anyone know how to add the domain site24x7.enduserexp.com to a security group in AWS so I don't have to manually add new IPs when new locations are spun up or remove locations when one is retired? I can't seem to find a way to do it.

Any help appreciated!

Re: AWS Security Groups Whitelisting

Hi, 

An AWS Security Group will not be able to resolve DNS hostnames. 

You can create a script using AWS CLI commands to update the monitoring server IP addresses. The script should query the current IP address via the nslookup command. 

When the current IP address is known, the script should issue the ec2-authorize command. If possible, it should also issue the ec2-revoke command to delete the old IP from the security group. 

Please check the link below for more details. 

http://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-sg.html

Regards,
Rafee


Re: Re: AWS Security Groups Whitelisting

My approach was to implement a Lambda that updates security groups and WAF whitelists periodically. However, the list of 470 IPv4 addresses that `dig +short site24x7.enduserexp.com` returns is problematic considering AWS quotas (there can be only 60 inbound addresses in a security group). Are there really no aggregated blocks or anything available to limit the number of CIDRs we need to allow?

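The resolve-diff-authorize-revoke script Rafee describes, and the per-group rule quota raised in the reply above, as one worked example. This is an added example for this thread, not Site24x7's or AWS's code. It parses the JSON that `aws ec2 describe-security-groups` returns, keeps only the rules tagged with our own description (so nobody else's rules get revoked), diffs them against the resolved address set, collapses contiguous /32s into exact covering CIDRs (never wider than the addresses themselves), chunks the list across several groups when it cannot fit one, and renders the AWS CLI commands. Note that `ec2-authorize`/`ec2-revoke` in the reply are the old EC2 API tools; the AWS CLI equivalents are `aws ec2 authorize-security-group-ingress` and `aws ec2 revoke-security-group-ingress`, which is what is emitted here. The group id, port, sample describe output and sample resolved set are constructed; the 60-rule figure is the default inbound-rule quota the reply mentions and is a parameter so a raised quota can be passed in. IPv4 only, as the thread only discusses IPv4.

```python
"""Sync a security group's vendor allow-list to a DNS name.

Added example for the forum thread; not Site24x7's or AWS's code.
Group id, port and the sample payloads below are constructed.
"""
import ipaddress
import json
import socket

TAG = "site24x7"  # rule Description we stamp on our rules, so we revoke only ours


def resolve_ipv4(hostname: str) -> set[str]:
    """All A records of hostname as /32 CIDRs (live DNS; not used by the tests)."""
    return {f"{ai[4][0]}/32"
            for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)}


def tagged_cidrs(describe_output: dict, port: int, tag: str = TAG) -> set[str]:
    """CIDRs we own, pulled from `aws ec2 describe-security-groups` JSON.
    Only tcp rules on exactly `port` whose Description equals `tag` count;
    anything else in the group is left untouched."""
    found = set()
    for group in describe_output["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") != "tcp":
                continue
            if perm.get("FromPort") != port or perm.get("ToPort") != port:
                continue
            for rng in perm.get("IpRanges", []):
                if rng.get("Description") == tag:
                    found.add(rng["CidrIp"])
    return found


def aggregate(cidrs) -> list[str]:
    """Fewest CIDRs covering exactly the given addresses (two adjacent /32s
    become one /31, and so on).  Never widens the allow-list."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def plan(desired, current, quota: int = 60) -> tuple[list[str], list[str]]:
    """Diff desired vs current -> (to_authorize, to_revoke), both sorted.
    Refuses a desired set that cannot fit in one group's inbound-rule quota."""
    desired, current = set(desired), set(current)
    if len(desired) > quota:
        raise ValueError(f"{len(desired)} rules exceed the per-group quota of "
                         f"{quota}; use aggregate() or split_across_groups()")
    return sorted(desired - current), sorted(current - desired)


def split_across_groups(cidrs, quota: int = 60) -> list[list[str]]:
    """Chunk an allow-list so each chunk fits one group; every chunk then
    becomes its own security group attached to the same instance/ELB."""
    ordered = sorted(cidrs, key=ipaddress.ip_network)
    return [ordered[i:i + quota] for i in range(0, len(ordered), quota)]


def ip_permissions(cidrs, port: int, tag: str = TAG) -> list[dict]:
    """One --ip-permissions entry in the shape the AWS CLI accepts."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": tag} for c in cidrs]}]


def cli_commands(group_id: str, to_authorize, to_revoke, port: int) -> list[str]:
    """Render revoke first (frees quota), then authorize."""
    cmds = []
    for verb, cidrs in (("revoke", to_revoke), ("authorize", to_authorize)):
        if cidrs:
            perms = json.dumps(ip_permissions(cidrs, port), separators=(",", ":"))
            cmds.append(f"aws ec2 {verb}-security-group-ingress "
                        f"--group-id {group_id} --ip-permissions '{perms}'")
    return cmds


# Constructed stand-in for `aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0`.
SAMPLE_DESCRIBE = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "site24x7"},
                      {"CidrIp": "192.0.2.99/32", "Description": "site24x7"},
                      {"CidrIp": "198.51.100.200/32", "Description": "office VPN"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "site24x7"}]},
    ]}]}
# Constructed stand-in for resolve_ipv4("site24x7.enduserexp.com"): one poller retired, two new.
SAMPLE_RESOLVED = {"203.0.113.10/32", "203.0.113.11/32", "198.51.100.7/32"}


def sync(group_id: str, port: int = 443, describe_output: dict = SAMPLE_DESCRIBE,
         resolved=SAMPLE_RESOLVED, quota: int = 60) -> list[str]:
    """Whole cycle on in-memory inputs; swap in real describe output and
    resolve_ipv4() in a cron job or Lambda."""
    to_add, to_drop = plan(resolved, tagged_cidrs(describe_output, port), quota)
    return cli_commands(group_id, to_add, to_drop, port)


if __name__ == "__main__":
    for cmd in sync("sg-0123456789abcdef0"):
        print(cmd)
```

Run it periodically (cron or the Lambda mentioned above); each cycle revokes only the rules carrying our description that no longer resolve and authorizes the new ones, so the group never accumulates stale entries. `aggregate()` only helps where the vendor's addresses happen to be contiguous; if the resolved set still exceeds the quota, `split_across_groups()` spreads it over several groups attached to the same resource.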

Re: Re: Re: AWS Security Groups Whitelisting

As a reply to myself, location profiles are a partial solution to this. I'm not entirely sure how using location profiles relates to this "For an uninterrupted monitoring experience, it is mandatory to whitelist all our monitoring location IP addresses listed here in your firewall policy. Site24x7 may poll from an alternate location, while a location server is down for maintenance." mention on this page: www.site24x7.com/multi-location-web-site-monitoring.html.

At least for the time being we're limiting IP queries to `city-country.enduserexp.com`, i.e. `helsinki-fi.enduserexp.com`.


