AWS Security Group self-referencing

Например вам нужно разрешить доступ на EC2-инстансы по 22 порту с определенных адресов. Для этого достаточно создать лишь одно правило внутри Security Group. А что, если ещё нужно открыть доступ на 22 порт с инстансов друг на друга? Создаем дополнительное правило. Задача усложнится, если вы захотите ограничить круг только теми хостами, к которым применяется данная группа безопасности (SG). На практике это решается очень легко с помощью опции self-referencing.

Об этом и поговорим в этой небольшой статье-заметке.

Содержание

1 Security Group self-referencing
- 1.1 Базовая конфигурация
- 1.2 Использование self-referencing

Security Group self-referencing

Для демонстрации функционала нам понадобится VPC (если вы ещё не успели создать её сами, то воспользуйтесь default VPC).

Примечание: для своих экспериментов я использую собственную VPC, которую создавал в статьях NAT Instance. Часть 1 — Subnets и NAT Instance. Часть 2 — Auto Scaling group (скоро будет доступна).

Итак, приступим.

Базовая конфигурация

Создадим пару EC2-инстансов. Прицепим одну группу безопасности с единственным правилом, разрешающим подключение с вашего домашнего/офисного адреса. Вся конфигурация будет выглядеть примерно так:

resource "aws_instance" "ec2_test_01" {
  count = 2

  ami = "ami-0d712b3e6e1f798ef"
  instance_type = "t2.micro"

  subnet_id = aws_subnet.subnet_public[0].id
  associate_public_ip_address = true
  vpc_security_group_ids = [aws_security_group.ec2_self_referencing.id]

  // укажите имя вашего собственного ключа
  key_name = "your-key"
}

resource "aws_security_group" "ec2_self_referencing" {
  name = "ec2_self_referencing"
  vpc_id = aws_vpc.main.id

  egress {
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
    from_port        = 0
    protocol         = "-1"
    to_port          = 0
  }

  ingress {
    cidr_blocks = ["1.2.3.4/32"]
    from_port = 22
    protocol = "tcp"
    to_port = 22
    //self = true
  }
}

output "ec_instance" {
  value = {
    id = aws_instance.ec2_test_01.*.id
    external_ip = aws_instance.ec2_test_01.*.public_ip
    internal_ip = aws_instance.ec2_test_01.*.private_ip
  }
}

resource "aws_instance" "ec2_test_01" {

count = 2

ami = "ami-0d712b3e6e1f798ef"

instance_type = "t2.micro"

subnet_id = aws_subnet.subnet_public[0].id

associate_public_ip_address = true

vpc_security_group_ids = [aws_security_group.ec2_self_referencing.id]

// укажите имя вашего собственного ключа

key_name = "your-key"

}

resource "aws_security_group" "ec2_self_referencing" {

name = "ec2_self_referencing"

vpc_id = aws_vpc.main.id

egress {

cidr_blocks = ["0.0.0.0/0"]

ipv6_cidr_blocks = ["::/0"]

from_port = 0

protocol = "-1"

to_port = 0

}

ingress {

cidr_blocks = ["1.2.3.4/32"]

from_port = 22

protocol = "tcp"

to_port = 22

//self = true

}

output "ec_instance" {

value = {

id = aws_instance.ec2_test_01.*.id

external_ip = aws_instance.ec2_test_01.*.public_ip

internal_ip = aws_instance.ec2_test_01.*.private_ip

}

Примечание: в списке правил есть одно исходящее — egress — которое разрешает любые подключения наружу. Если бы вы создавали SG руками, то такое правило уже присутствовало бы по умолчанию, но Terraform удаляет его автоматически и если оно все же вам необходимо, то придется пересоздать его, что я и делаю. Подробнее читайте в документации — Resource: aws_security_group.

Если зайдете в веб-интерфейс, то ничего особенного не увидите:

А теперь рассмотрим каким образом можно разрешить доступ на сами инстансы друг с друга.

Использование self-referencing

У Terraform есть интересная опция, которой однако нет в web-интерфейсе AWS. Речь идет о self-referencing, принцип работы которой очень прост — она разрешает доступ с тех объектов, к которым эта группа безопасности применяется. В документации Terraform это описывается следующим образом, но лично для меня эта формулировка не столь очевидна:

Whether the security group itself will be added as a source to this ingress rule.

Чтобы посмотреть как изменятся входящие правила, раскомментируйте self = true в коде в начале статьи и заново запустите tarraform apply. А результат будет такой:

Как итог — сама же группа безопасности стала источником в правиле ingress. Вы можете проделать это и вручную и кое-где даже встречаются пошаговые инструкции ¹.

Вот так все просто. Успехов!

Notes:

Setting Up Your Environment for Development Endpoints ↩

comments powered by HyperComments

dissertation plan

2022-07-05 15:25:51

citing a dissertation https://professionaldissertationwriting.org/

phd dissertation editing help

2022-07-05 18:39:11

phd without dissertation https://professionaldissertationwriting.com/

write a dissertation abstract

2022-07-05 21:44:32

dissertation help service general https://helpwithdissertationwritinglondon.com/

dissertation writing services

2022-07-05 23:42:51

custom dissertation writing help https://dissertationwritingcenter.com/

dissertation acknowledgement sample

2022-07-06 01:00:34

help writing a dissertation https://dissertationhelpexpert.com/

dissertation review

2022-07-06 04:01:29

dissertation fellowships https://accountingdissertationhelp.com/

average dissertation length

2022-07-06 06:07:04

doctoral dissertation help qualitative https://examplesofdissertation.com/

dissertation defense presentation

2022-07-06 08:43:16

writing a master's dissertation https://writing-a-dissertation.net/

dissertation help

2022-07-06 12:37:04

18 month doctorate without dissertation https://bestdissertationwritingservice.net/

dissertation proposal

2022-07-06 14:55:18

dissertation writing skills https://businessdissertationhelp.com/

dissertation help online free

2022-07-06 18:46:44

buy dissertations online https://customdissertationwritinghelp.com/

how long is a dissertation paper

2022-07-06 21:40:37

dissertation writing uk https://writingadissertationproposal.com/

dissertation writing tips

2022-07-07 00:39:59

thesis defense https://dissertationhelpspecialist.com/

need help

2022-07-07 04:12:24

18 month doctorate without dissertation https://dissertationhelperhub.com/

uk dissertation writing

2022-07-07 07:20:27

dissertation writing memes https://customthesiswritingservices.com/

what is the most legit online casino

2022-07-25 19:23:41

inferno online casino https://download-casino-slots.com/

motor city online casino

2022-07-25 20:54:26

online casino suomi https://firstonlinecasino.org/

online usa casino

2022-07-26 00:35:59

same day payout online casino https://onlinecasinofortunes.com/

online casino real money free bonus

2022-07-26 02:13:03

snoqualmie casino online https://newlasvegascasinos.com/

online casino test

2022-07-26 08:35:50

online casino canada https://onlinecasinosdirectory.org/

online betting casino

2022-07-26 12:36:17

caesars casino online bonus code https://free-online-casinos.net/

online vegas casino

2022-07-26 15:53:25

online casino real money michigan https://internet-casinos-online.net/

pa online casino list

2022-07-26 18:04:33

casino games online https://cybertimeonlinecasino.com/

no deposit online casino

2022-07-26 19:51:06

wild online casino https://1freeslotscasino.com/

online casino tournaments

2022-07-26 21:59:30

casino online real money https://vrgamescasino.com/

online casino real money usa

2022-07-27 00:52:51

rivers casino online https://casino-online-roulette.com/

river sweep online casino

2022-07-27 05:04:36

nj online casino golden nugget https://casino-online-jackpot.com/

ignition casino online chat

2022-07-27 07:01:30

lincoln online casino https://onlineplayerscasino.com/

hollywood casino online real money

2022-07-27 10:33:55

mgm online casino michigan https://ownonlinecasino.com/

best online casino for usa players

2022-07-27 15:15:26

winstar casino online https://casino8online.com/

vpn review

2022-08-07 15:05:16

zenmate vpn https://freevpnconnection.com/

windscribe vpn

2022-08-07 17:27:09

anonymous vpn https://shiva-vpn.com/

free ios vpn

2022-08-07 20:34:56

free vpn google chrome https://freehostingvpn.com/

best vpn windows

2022-08-07 22:12:34

uf health vpn https://ippowervpn.net/

best vpn firestick

2022-08-08 00:06:56

buy vpn for windows https://imfreevpn.net/

winscribe vpn

2022-08-08 02:12:45

avast secureline vpn buy https://superfreevpn.net/

avast vpn reviews

2022-08-08 06:52:28

free vpn for pc windows 10 https://rsvpnorthvalley.com/

free gay men dating sites missouri

2022-08-23 15:03:21

gay dating site/crosword https://gay-singles-dating.com/

gay fat dating

2022-08-23 16:14:57

free dating gay black men https://gayedating.com/

list of gay dating sites

2022-08-23 18:52:03

black gay dating sites https://datinggayservices.com/

meet singles

2022-08-24 13:05:50

flirt dating site https://freephotodating.com/

local online dating sites

2022-08-24 17:37:04

free dating websites singles https://adult-singles-online-dating.com/

free adult chat rooms

2022-08-24 19:54:52

woman dating sites https://adult-classifieds-online-dating.com/

good dating site

2022-08-24 22:11:36

good dating sites free https://online-internet-dating.net/

eris free downloads chatting apps

2022-08-25 00:19:19

dating web sites for free https://speedatingwebsites.com/

dating site

2022-08-25 07:20:11

online dating sites for free https://lavaonlinedating.com/

plenty fish

2022-08-25 09:21:50

best singles sites https://freeadultdatingpasses.com/

date game online

2022-08-25 11:11:47

date online personal https://virtual-online-dating-service.com/

free dating net

2022-08-25 17:25:50

best online dating website https://onlinedatingservicesecrets.com/

pa online casino real money no deposit bonus

2022-08-30 10:13:23

lucky casino online https://onlinecasinos4me.com/

las vegas casino online

2022-08-30 11:38:11

best michigan online casino https://online2casino.com/

online casino baccarat

2022-08-30 20:21:51

online casino real money no deposit https://casinosonlinex.com/

chat de gay usa avenue

2022-09-02 23:18:38

indian gay chat room https://newgaychat.com/

gay phone chat manhole

2022-09-03 06:10:56

gay male chat site https://gaychatcams.net/

free adult gay chat

2022-09-03 18:13:17

gay chat mesa az https://gay-live-chat.net/

gay men webcam chat broadcast self

2022-09-03 21:49:58

gay chat the ave https://chatcongays.com/

any gay college chat rooms?

2022-09-03 23:37:35

gay chat room in my area https://gayphillychat.com/

free gay chat rooms by zip code

2022-09-04 11:01:20

gay sex chat simulator https://gaymusclechatrooms.com/

gay chat roullete

2022-09-04 18:36:44

chat gay free https://free-gay-sex-chat.com/

naked gay chat rooms

2022-09-04 20:14:57

gay chat phone line locker https://gayinteracialchat.com/

help with a paper

2022-10-20 17:48:32

write my psychology paper https://term-paper-help.org/

can someone write my paper for me

2022-10-20 19:34:35

papers help https://sociologypapershelp.com/

pay someone to write paper

2022-10-20 20:55:15

write my paper canada https://uktermpaperwriters.com/

pay someone to write a paper

2022-10-21 00:05:04

who will write my paper for me https://writepapersformoney.com/

write my paper please

2022-10-21 00:48:14

ghost writer college papers https://write-my-paper-for-me.org/

write my paper in 3 hours

2022-10-21 02:01:06

pay to do my paper https://doyourpapersonline.com/

paper writing services legitimate

2022-10-21 04:07:47

pay someone to do my paper https://top100custompapernapkins.com/

someone write my paper

2022-10-21 06:27:46

where to buy writing paper https://cheapcustompaper.org/

do my paper

2022-10-21 07:37:32

someone write my paper for me https://writingpaperservice.net/

paper help

2022-10-21 09:18:36

pay someone to write my paper https://buyessaypaperz.com/

help writing a paper for college

2022-10-21 11:06:25

pay for paper https://mypaperwritinghelp.com/

help with a paper

2022-10-21 11:57:23

buying papers online college https://writemypaperquick.com/

buy school papers

2022-10-21 14:48:36

do my college paper https://papercranewritingservices.com/

where can you buy resume paper

2022-10-21 16:11:12

help writing my paper https://premiumpapershelp.com/

help writing a college paper

2022-10-21 17:29:51

custom written paper https://ypaywallpapers.com/

paper writing help online

2022-10-21 18:06:47

ghost writer for college papers https://studentpaperhelp.com/

2parochial

2023-01-26 05:52:29

1colossus

coursework plagiarism checker

2023-02-05 15:13:55

coursework online https://brainycoursework.com/

coursework writing service

2023-02-05 18:05:55

coursework science https://writingacoursework.com/

do my coursework for me

2023-02-05 18:57:22

coursework uk https://mycourseworkhelp.net/

coursework psychology

2023-02-05 20:01:26

coursework online https://courseworkdownloads.com/

buy coursework

2023-02-05 21:44:17

coursework planner https://courseworkinfotest.com/

coursework writing

2023-02-05 22:34:39

coursework writing uk https://coursework-expert.com/

coursework info

2023-02-06 01:07:34

coursework help university https://buycoursework.org/

coursework psychology

2023-02-06 03:00:38

creative writing coursework ideas https://courseworkdomau.com/

chatting sites free online dating

2023-02-08 12:31:32

dating site sign up https://freewebdating.net/

best dating sites

2023-02-08 16:48:12

asians dating site https://free-dating-sites-free-personals.com/

plenty of fish login

2023-02-08 17:59:37

plenty fish free dating https://sexanddatingonline.com/

online singles near me

2023-02-08 19:16:46

best dating https://onlinedatingsurvey.com/

free women

2023-02-08 20:13:09

dating web sites for free https://onlinedatingsuccessguide.com/

free chat and dating online

2023-02-08 21:36:50

the dating game https://onlinedatinghunks.com/

dating flirt site free

2023-02-08 22:56:27

senior dating https://datingwebsiteshopper.com/

sabrina carpenter boyfriend

2023-02-09 01:37:56

100% free dating service https://freedatinglive.com/

lesbian mature

2023-02-09 03:00:33

free for online chatting with singles https://freewebdating.net/