
We have a Heroku Rails app that needs to access a very large Elasticsearch cluster. We have looked at using Heroku Elasticsearch services such as Bonsai, but they grow in price very rapidly. So we have decided to use the AWS Elasticsearch service.

The Elasticsearch cluster may be secured by keeping it completely off the internet, using a reverse proxy or by whitelisting the sources of traffic.

In theory it is possible to whitelist the region a Heroku app is in, by whitelisting the entire underlying AWS region. While this is still a large block of IPs, and it is possible port scanners can run from within AWS, it is still an improvement.

However, the list of IPs to whitelist is quite long (see below). Is there a better way of doing this?

Confirm AWS Region

curl -n -X GET https://api.heroku.com/regions/eu -H "Accept: application/vnd.heroku+json; version=3"

{
  "country":"Ireland",
  "created_at":"2013-09-19T01:29:12Z",
  "description":"Europe",
  "id":"ed30241c-ed8c-4bb6-9714-61953675d0b4",
  "locale":"Dublin",
  "name":"eu",
  "private_capable":false,
  "provider":{
    "name":"amazon-web-services",
    "region":"eu-west-1"
  },
  "updated_at":"2016-08-09T22:03:28Z"
}

Download the AWS Regions file

https://ip-ranges.amazonaws.com/ip-ranges.json

Parse it

jq '.prefixes[] | select(.region=="eu-west-1")' < ip-ranges.json

Many entries:

{
  "ip_prefix": "52.218.0.0/17",
  "region": "eu-west-1",
  "service": "S3"
}
{
  "ip_prefix": "54.231.128.0/19",
  "region": "eu-west-1",
  "service": "S3"
}
{
  "ip_prefix": "34.240.0.0/13",
  "region": "eu-west-1",
  "service": "EC2"
}
{
  "ip_prefix": "34.248.0.0/13",
  "region": "eu-west-1",
  "service": "EC2"
}

etc.

port5432
  • You are telling us about your attempt to solve a problem using an IP whitelist, but you haven't told us about the actual problem this is intended to solve. What is your motivation for needing to whitelist the Heroku app? Allowing access from tens of thousands of IP addresses seems very similar to not doing anything at all. – Michael - sqlbot Jun 14 '17 at 12:15
  • Hi Michael, yes that is true. I will update the question. – port5432 Jun 14 '17 at 17:11
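The three steps the question lists (map the Heroku region to an AWS region, download ip-ranges.json, filter on that region) carried through in Python, as an added example that is not part of the question or of any Heroku or AWS tooling. It goes a little beyond the jq one-liner: it keeps only the services that can actually originate dyno traffic (EC2 by assumption, since dynos are EC2 instances; the S3 ranges in the question's output never source app connections), de-duplicates prefixes that the file lists under both a service and AMAZON, merges adjacent or nested prefixes, counts how many addresses the resulting list still admits (the exposure the comment above is pointing at), and renders the list as an Amazon Elasticsearch Service access policy using the documented IpAddress/aws:SourceIp condition. The embedded ip-ranges.json excerpt is constructed from the four prefixes quoted in the question plus two made-up entries; the domain ARN is a placeholder.

```python
import ipaddress
import json
from typing import Iterable, List

# Constructed excerpt of https://ip-ranges.amazonaws.com/ip-ranges.json. The four
# eu-west-1 prefixes are the ones quoted in the question; the AMAZON duplicate and
# the 203.0.113.0/24 (TEST-NET-3) entry are constructed to exercise de-duplication
# and region filtering. The real file carries thousands of prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2017-06-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.218.0.0/17",   "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "54.231.128.0/19", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "34.240.0.0/13",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "34.248.0.0/13",   "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "34.240.0.0/13",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"},
    ],
})


def prefixes_for(ip_ranges_json: str, region: str,
                 services: Iterable[str] = ("EC2",)) -> List[ipaddress.IPv4Network]:
    """Return the collapsed IPv4 prefixes AWS publishes for `region`.

    Only `services` are kept (default EC2: dyno traffic egresses from EC2
    instances, so S3/CloudFront ranges never originate app connections).
    Entries listed under both AMAZON and a specific service are de-duplicated
    by the set, and collapse_addresses merges adjacent or nested prefixes, so
    the resulting allow list is as short as the published data allows.
    """
    data = json.loads(ip_ranges_json)
    wanted = set(services)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] in wanted
    }
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Total number of addresses the allow list admits, i.e. the size of the exposure."""
    return sum(n.num_addresses for n in nets)


def es_access_policy(nets: Iterable[ipaddress.IPv4Network], domain_arn: str) -> str:
    """Render an Amazon Elasticsearch Service resource policy allowing `nets`.

    Uses the documented IpAddress / aws:SourceIp condition; `domain_arn` is
    supplied by the caller (main() below passes a placeholder).
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": domain_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in nets]}},
        }],
    }
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # To run against the live file, replace the excerpt with:
    #   SAMPLE_IP_RANGES = open("ip-ranges.json").read()
    nets = prefixes_for(SAMPLE_IP_RANGES, "eu-west-1")
    print(f"{len(nets)} prefix(es) covering {address_count(nets):,} addresses:")
    for n in nets:
        print("  ", n)
    # Placeholder ARN: substitute the real domain ARN before applying the policy.
    print(es_access_policy(nets, "arn:aws:es:eu-west-1:000000000000:domain/EXAMPLE-DOMAIN/*"))
```

On the excerpt the two EC2 /13s from the question merge into a single 34.240.0.0/12, which alone admits just over a million addresses; running the same function on the full file makes the breadth of a region-wide allow list concrete, and the same count is what to compare against the single address a static-IP add-on would put in the policy.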

1 Answer

Not 100% sure if I understood your question, but it seems similar to this question from Heroku Help.

From their answer:

The IPs in use by Heroku at any given time are highly dynamic, meaning that the published ranges may cover other IP addresses not currently in use by Heroku. This means that it is often not desirable to open up your firewall to the whole of the AWS region for security reasons. If you wanted to do this regardless you can find the published IP ranges from AWS here: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

For apps in the Common Runtime a better approach would be to use an add-on to provide a static outbound IP address https://elements.heroku.com/addons/categories/network or to rely on secure communication via TLS.

So you could consider using an add-on that provides static IPs.

From my own experience, I have been using QuotaGuard Static and I am a happy customer. It is very easy to use (like many things in Heroku).

However, it might turn out to be an expensive solution if you need to run a lot of queries.

J0ANMM