Protect outbound rules from EC2 instances using ECS

Even when I create EC2 instances on a private subnet, they should be able to send traffic to the Internet if I want to register them in an ECS cluster.

I use a NAT gateway for this, but I still feel insecure that instances can send personal information anywhere in the event of a capture.

What will be the most compact CIDR range that I can use for the instance security group instead of 0.0.0.0/0?


At this point, you may have to rely on the list of public IP ranges for AWS, allowing traffic associated with all CIDR blocks associated with your region.

Part of the resiliency design is, for the most part, that AWS relies on the ability of its service endpoints not to depend on static addresses and to use DNS instead ... but their service endpoints should always be on addresses associated with your region, since there are very few services that violate their practice of strict regional separation of service infrastructure.

(CloudFront, Route 53 and IAM do.)
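One way to turn the region-filtered AWS IP range list into a compact set of security-group egress CIDRs, as an added example rather than code from the answer above. It follows the `prefixes[].ip_prefix` / `region` / `service` schema of the real ip-ranges.json feed but embeds a constructed sample built from RFC 5737 documentation addresses, so it runs offline:

```python
"""Derive a region-scoped egress allow-list from an ip-ranges.json document.

The field names match the published AWS feed; the sample data below is
constructed from RFC 5737 documentation ranges, not real AWS addresses.
Only the IPv4 "prefixes" list is handled (IPv6 lives under "ipv6_prefixes").
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.64/26",  "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24",     "region": "GLOBAL",    "service": "ROUTE53"},
    ],
})


def egress_cidrs(ip_ranges_json, regions, services=("AMAZON",)):
    """Return the smallest set of IPv4 CIDRs covering every prefix whose
    region is in `regions` and whose service is in `services`.

    Nested prefixes are dropped and adjacent ones merged, so the result
    fits into as few security-group rules as possible.
    """
    data = json.loads(ip_ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] in regions and p["service"] in services
    ]
    # collapse_addresses() removes subsumed networks and joins adjacent ones
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_allowed(cidrs, address):
    """Check whether a destination address falls inside the allow-list."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    allow = egress_cidrs(SAMPLE_IP_RANGES, {"us-east-1"})
    print(allow)                               # ['203.0.113.0/24']
    print(is_allowed(allow, "198.51.100.7"))   # False: other region
```

The feed changes over time (see `syncToken`), so the rule set has to be regenerated rather than pinned; global services such as Route 53 and CloudFront are listed under the `GLOBAL` region and must be added explicitly if the instances need them.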
