We have a Heroku Rails app that needs to access a very large Elasticsearch cluster. We have looked at using Heroku Elasticsearch services such as Bonsai, but they grow in price very rapidly. So we have decided to use the AWS Elasticsearch service.
The Elasticsearch cluster may be secured by keeping it completely off the internet, using a reverse proxy or by whitelisting the sources of traffic.
In theory it is possible to whitelist the region a Heroku app is in by whitelisting the entire underlying AWS region. While this is still a large block of IPs, and it is possible that port scanners can run from within AWS, it is still an improvement.
However, the list of IPs to whitelist is quite long (see below). Is there a better way of doing this?
Confirm AWS Region
curl -n -X GET https://api.heroku.com/regions/eu -H "Accept: application/vnd.heroku+json; version=3"
{
  "country": "Ireland",
  "created_at": "2013-09-19T01:29:12Z",
  "description": "Europe",
  "id": "ed30241c-ed8c-4bb6-9714-61953675d0b4",
  "locale": "Dublin",
  "name": "eu",
  "private_capable": false,
  "provider": {
    "name": "amazon-web-services",
    "region": "eu-west-1"
  },
  "updated_at": "2016-08-09T22:03:28Z"
}
Download the AWS Regions file
https://ip-ranges.amazonaws.com/ip-ranges.json
Parse it
jq '.prefixes[] | select(.region=="eu-west-1")' < ip-ranges.json
Many entries:
{
  "ip_prefix": "52.218.0.0/17",
  "region": "eu-west-1",
  "service": "S3"
}
{
  "ip_prefix": "54.231.128.0/19",
  "region": "eu-west-1",
  "service": "S3"
}
{
  "ip_prefix": "34.240.0.0/13",
  "region": "eu-west-1",
  "service": "EC2"
}
{
  "ip_prefix": "34.248.0.0/13",
  "region": "eu-west-1",
  "service": "EC2"
etc
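The three steps above (find the region, download ip-ranges.json, filter it) can be turned into a script that also shortens the list: Heroku dynos run on EC2, so only the EC2 entries for the region are needed (the S3 entries and the AMAZON supersets just widen the whitelist), and adjacent or nested prefixes can be merged before they are put in a firewall rule or an Elasticsearch domain access policy. This is an added example, not code from the question or from Heroku/AWS. The SAMPLE document embedded below is constructed in the published ip-ranges.json format from the four entries shown above plus a few made-up entries so it runs offline; the domain ARN passed to access_policy is a placeholder.

```python
"""Build a compact source-IP whitelist for one AWS region from ip-ranges.json.

Stdlib only. Run with --fetch to use the live file instead of the embedded sample.
"""
import ipaddress
import json
import sys
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the real file's shape ("prefixes" list of
# {ip_prefix, region, service}). The first four entries are the ones quoted in
# the question; the rest are made up here to exercise the filtering/merging.
SAMPLE = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "52.218.0.0/17",  "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "54.231.128.0/19", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "34.240.0.0/13",  "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "34.248.0.0/13",  "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "34.240.0.0/13",  "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.16.0.0/15",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "3.8.0.0/14",     "region": "eu-west-2", "service": "EC2"},
    ],
})


def load(source=None):
    """Load the ranges document: the embedded sample, or a URL such as IP_RANGES_URL."""
    if source is None:
        return json.loads(SAMPLE)
    with urllib.request.urlopen(source) as resp:
        return json.load(resp)


def region_networks(doc, region, services=("EC2",)):
    """Return sorted, collapsed IPv4 networks for `region`, limited to `services`.

    collapse_addresses merges adjacent prefixes (34.240.0.0/13 + 34.248.0.0/13
    become 34.240.0.0/12) and drops prefixes already covered by a larger one,
    so the whitelist has as few rules as possible.
    """
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["region"] == region and p["service"] in services
    ]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(ip, networks):
    """True if `ip` (a string) falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def access_policy(networks, domain_arn):
    """Elasticsearch domain access policy that only admits `networks`.

    Uses the standard IAM aws:SourceIp condition. `domain_arn` is a
    placeholder for the real arn:aws:es:... resource.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": domain_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in networks]}},
        }],
    }


if __name__ == "__main__":
    doc = load(IP_RANGES_URL if "--fetch" in sys.argv else None)
    nets = region_networks(doc, "eu-west-1")
    print(f"{len(nets)} prefixes after merging:")
    for net in nets:
        print(" ", net)
    print(json.dumps(access_policy(nets, "arn:aws:es:eu-west-1:123456789012:domain/example/*"), indent=2))
```

Note that merging only shrinks the rule count, not the trust boundary: everything inside those EC2 prefixes, including other tenants' instances in eu-west-1, still passes the IP check, which is the limitation the question already points out.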