
I'm researching privacy-compliant high-security deployment options for AWS VPC.

I'm looking for a method of tightening outbound traffic from the private subnets at the NAT instance. For example, how could I limit outbound traffic from behind the NAT to only allow calls to AWS S3? I'm planning on creating a custom NAT AMI using Shorewall driven by Ansible and Packer.

It seems there isn't a solid list of S3 IP addresses, so whitelisting by IP is out. Whitelisting by protocol isn't enough for this; the endpoints should be limited to AWS' API space, at least. Whitelisting by host name certainly won't work beyond the first IP on the first DNS query.

Options seem to be:

  1. Try to cobble together a list of IPs.
  2. Ask AWS for a list.
  3. Maybe I could use HAProxy or similar to do a reverse proxy to S3, skipping the traditional NAT altogether. Supposing the only outbound traffic needed from inside the private subnets is HTTP(S)-based, maybe this would work and a limit to the S3 host name(s) could be done? Things like package updates and NTP could be done with a staging point (instance) located in the public subnet, I suppose.

Please let me know if you'd like further clarification of my needs.

Do you know how to allow only traffic to S3 (and dependencies) from inside the private subnets of an EC2 VPC?

Thanks, Joshua

P.S. Oh yeah... If it can be highly available, that would be great, too. I'm planning one "NAT" or "NAT-like" instance in each of three zones of a single region. I was planning to use an Autoscaling group to keep those three instances alive, but maybe you have another idea. Originally, I was going to use three ENIs, one per AZ, which float via Corosync & Pacemaker for the NAT. I was hoping to skirt the need to update route tables upon NAT failure in a zone by routing to the ENI.

/endblabbing

Relevant links:

http://www.shorewall.net/4.2/FAQ.htm#faq39 EC2 VPC without NAT?

josh-wrale
  • Yo. Funny, 5 months later I'm asking a similar question. May I ask why you use a NAT? I'm just sending my traffic off to the internet gateway directly. – Sleeper Smith Apr 23 '14 at 23:46
  • Btw, here's the question. http://serverfault.com/questions/590421/aws-vpc-internet-gateway-and-aws-services/590425 I'm not using a NAT though. – Sleeper Smith Apr 23 '14 at 23:47



Instead of whitelisting S3 traffic at the NAT instance, I suggest you configure VPC endpoints for S3:

That way, your EC2 nodes can access S3 directly on the VPC private network instead of going through the NAT.

If you still want a list of IPs used by S3, you can use the AWS CLI command describe-prefix-lists:

aws ec2 describe-prefix-lists

which will give an output like

{
    "PrefixLists": [
        {
            "PrefixListName": "com.amazonaws.eu-west-1.s3",
            "Cidrs": [
                "54.231.128.0/19"
            ],
            "PrefixListId": "pl-6da54004"
        }
    ]
}

The list is for the region used by the AWS CLI. My sample shows the current output for eu-west-1. You can specify a different region by passing the --region parameter, e.g. aws --region us-east-1 ec2 describe-prefix-lists.

However, please note that the IP range for a service may change from time to time.

markusk
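As an added example (not code from the question or the answer), the script below turns the describe-prefix-lists output shown above into Shorewall rules for the NAT instance the question describes, so that hosts in the private subnets can only reach S3 over HTTPS. The zone names loc and net and the rules-file column layout are assumptions; because the answer notes that the ranges change, the script is meant to be rerun against the live CLI output (e.g. from Ansible) rather than shipping fixed CIDRs in the AMI.

```python
"""Generate Shorewall rules that allow outbound HTTPS only to the S3
prefix list of one region. Added example, not from the original post."""
import ipaddress
import json
import subprocess

# Constructed sample mirroring the describe-prefix-lists output in the answer.
SAMPLE_OUTPUT = json.dumps({
    "PrefixLists": [
        {"PrefixListName": "com.amazonaws.eu-west-1.s3",
         "Cidrs": ["54.231.128.0/19"],
         "PrefixListId": "pl-6da54004"}
    ]
})


def s3_cidrs(describe_output, region):
    """Return the validated, de-duplicated CIDRs of the S3 prefix list for
    `region`. Raises (fails closed) if the list is missing, so a broken
    CLI call never yields an empty allow list that silently blocks S3."""
    data = json.loads(describe_output)
    wanted = "com.amazonaws.%s.s3" % region
    cidrs = set()
    for pl in data.get("PrefixLists", []):
        if pl.get("PrefixListName") != wanted:
            continue
        for cidr in pl.get("Cidrs", []):
            # strict=True rejects ranges with host bits set, i.e. typos
            cidrs.add(str(ipaddress.ip_network(cidr, strict=True)))
    if not cidrs:
        raise ValueError("no prefix list named %s in output" % wanted)
    return sorted(cidrs)


def shorewall_rules(cidrs, src_zone="loc", dst_zone="net"):
    """Lines for /etc/shorewall/rules (assumed zones: loc = private
    subnets behind the NAT, net = internet). Only ACCEPT rules are
    emitted; the loc->net policy in /etc/shorewall/policy is expected
    to be REJECT or DROP so everything not listed here is denied."""
    lines = ["#ACTION SOURCE DEST PROTO DPORT"]
    for cidr in cidrs:
        lines.append("ACCEPT %s %s:%s tcp 443" % (src_zone, dst_zone, cidr))
    return lines


if __name__ == "__main__":
    # Live run: same CLI command the answer shows, for the region given.
    out = subprocess.check_output(
        ["aws", "--region", "eu-west-1", "ec2", "describe-prefix-lists"])
    print("\n".join(shorewall_rules(s3_cidrs(out, "eu-west-1"))))
```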