
I want to use Kubernetes on some clouds (maybe Amazon, Google, etc.). Should I disallow my EC2 machines from accessing the external network? My guess is as follows, and I wonder whether it is correct or wrong.

  1. I should disallow EC2 from accessing the external network. Otherwise, hackers can attack my machines more easily. (true?)
  2. How to do it: I should use a dedicated load balancer (maybe Ingress) with the external IP that my domain name is bound to. The load balancer will then talk with my actual application (which has no external IP and can only access internal network). (true?)

Sorry, I am new to Ops, and thanks for any help!

ch271828n

1 Answer


You’re confusing two things:

  1. EC2 accessing outside world, and
  2. Outside world accessing the EC2

The first one - EC2 accessing the outside world - means that the instances initiate the connections out. It typically isn’t an issue; your instances may need access to the world for updates, sending out logs, pulling container images, etc. If they don’t have direct access you’ll have to provide a proxy, VPC endpoints, or some other means to work around the restrictions.

The second one - the outside world accessing the EC2 - limits how one can connect to your instances. It’s recommended to use an Application Load Balancer in front of your instances for multiple reasons:

  • with kubernetes you don’t know the IPs and ports of your pods, ALB provides a unified frontend IP
  • you can terminate SSL and use Amazon-issued SSL certificates (ACM) on the ALB
  • it protects you from some attacks
  • etc.

So yes, use a Load Balancer on the way in, but don’t restrict outside access from the instances unless your security team dictates that you do so and you’re ready to deal with the extra operational and cost overhead (proxies, VPC endpoints, etc.).

Hope that helps :)

MLu
  • Thank you so much, and now I am clear about the difference! So, IMHO, I should (1) assign an external IP to each EC2 server (otherwise they cannot access the outside world), (2) set up some security rules which disallow the outside world from accessing the EC2 server directly (say, "disable all inbound TCP 80 traffic"), (3) create a load balancer. Is it correct? Thanks! – ch271828n Oct 24 '20 at 02:48
    Best practice is to create *private subnets* and put your EC2s in there. They will then access outside through a NAT gateway. Only the ALB will be in *public subnets* with public IPs. – MLu Oct 24 '20 at 02:51
  • Thanks very much! I will have a look at "private subnets". – ch271828n Oct 24 '20 at 02:54
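As an added example (not part of the original question, answer or comments), here is a small offline audit in Python of the layout MLu describes: an ALB security group that accepts port 443 from the Internet, and a worker-node security group that should accept traffic only from the ALB's group or from inside the VPC. The security group IDs, the VPC CIDR and the JSON shape are constructed to mirror what `aws ec2 describe-security-groups` returns; nothing here calls AWS. The audit flags any inbound rule that lets a non-RFC 1918 address reach the nodes directly (the SSH-to-the-world rule planted in the sample), and `harden` shows the corrected rule set beside the weak one.

```python
"""Audit security-group ingress for "ALB in public subnets, nodes in private
subnets". Added example, not from the original post. Group IDs, CIDRs and the
JSON shape are constructed to look like `aws ec2 describe-security-groups`
output; IPv6 ranges are not modelled."""

import copy
from ipaddress import ip_network

# RFC 1918 space; anything outside it counts as "the outside world" here.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ALB_SG = "sg-0aaaaaaaaaaaaaaaa"   # hypothetical ID of the ALB's security group
NODE_SG = "sg-0bbbbbbbbbbbbbbbb"  # hypothetical ID of the worker-node group

# Constructed sample, shaped like describe-security-groups output.
SECURITY_GROUPS = [
    {
        "GroupId": ALB_SG,
        "GroupName": "k8s-alb",
        "IpPermissions": [
            # The only thing that should be open to the Internet: HTTPS on the ALB.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": NODE_SG,
        "GroupName": "k8s-nodes",
        "IpPermissions": [
            # Intended: NodePort range reachable only from the ALB's group.
            {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
            # Intended: anything inside the (hypothetical) VPC CIDR.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
            # Mistake the audit should catch: SSH open to the whole Internet.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def cidr_is_internal(cidr: str) -> bool:
    """True when the whole IPv4 CIDR lies inside RFC 1918 space."""
    net = ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def audit(groups, internet_facing):
    """Return one finding per ingress CIDR rule that lets the outside world reach
    a group not in `internet_facing` (the set of group IDs meant to front the
    VPC, i.e. the ALB's). Group-to-group rules are accepted: they can only
    name security groups, never arbitrary Internet addresses."""
    findings = []
    for group in groups:
        if group["GroupId"] in internet_facing:
            continue
        for perm in group["IpPermissions"]:
            ports = ("all" if perm["IpProtocol"] == "-1"
                     else f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}')
            for rng in perm.get("IpRanges", []):
                if not cidr_is_internal(rng["CidrIp"]):
                    findings.append(f'{group["GroupName"]} ({group["GroupId"]}): '
                                    f'{perm["IpProtocol"]}/{ports} open to {rng["CidrIp"]}')
    return findings


def harden(groups, internet_facing):
    """Return a deep copy in which every world-reachable CIDR is stripped from
    the non-internet-facing groups and rules left empty are dropped. For the
    SSH case, reach the nodes via SSM Session Manager or a bastion in the VPC
    rather than re-adding a public CIDR."""
    fixed = copy.deepcopy(groups)
    for group in fixed:
        if group["GroupId"] in internet_facing:
            continue
        for perm in group["IpPermissions"]:
            perm["IpRanges"] = [r for r in perm.get("IpRanges", [])
                                if cidr_is_internal(r["CidrIp"])]
        group["IpPermissions"] = [p for p in group["IpPermissions"]
                                  if p.get("IpRanges") or p.get("UserIdGroupPairs")]
    return fixed


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS, {ALB_SG}):
        print("FINDING:", finding)
    print("after harden:", audit(harden(SECURITY_GROUPS, {ALB_SG}), {ALB_SG}))
```

Run against real output by loading the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` in place of the constructed list; the set passed as `internet_facing` is whatever group the ALB actually uses. The same check applies to a Google Cloud firewall rule set, only the JSON shape differs.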