
I have to connect my dynamic IP (which changes every time) to the AWS EC2 machine.
For this I mapped my public IP to the domain name (xyz.com); now I am trying to add it to the security group.
But the AWS security group is not allowing me to add DNS names. Is this the right process to do it? If not, please advise.

sk.bng88
  • You can add CIDR blocks for IP ranges to managed prefix lists and then add the list as an inbound rule to security groups. As a bonus, if you need these IPs in multiple security groups then this centralizes management too. – Erik Maldonado Nov 12 '20 at 20:32
  • This question was closed with: "We don't allow questions about professional server or networking-related infrastructure administration on Stack Overflow". What would be the proper forum for this question? – mitchus Oct 06 '21 at 14:25
  • @mitchus https://serverfault.com – StR Jun 28 '22 at 16:19
  • I disagree, but the OP should have at least attempted the CLI or SDK. This is a coding issue, but on the design side. The forum designations are pretty woolly between Super User and Server Fault in any case. Apparently actual superusers should use Server Fault. – mckenzm Apr 15 '23 at 22:07

6 Answers


Security Groups and ACLs are not able to resolve DNS hostnames.

You can use the AWS CLI to script the update of your IP dynamic address:

# <group-id> and <your-ip> are placeholders for your security group ID and your current public address
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 22 --cidr <your-ip>/24

http://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-sg.html

Andreas
  • In fact you would make this a cron job. Or run a script from your host prior to connecting. You can also use firewall rules or a concentrator/proxy. – mckenzm Apr 15 '23 at 22:09

AWS security group rules only allow IP ranges, called CIDRs, which you can update with the AWS CLI. However, you can't simply update the CIDR of an existing rule; you need to:

  1. delete the old rule: aws ec2 revoke-security-group-ingress ...
  2. create a new rule: aws ec2 authorize-security-group-ingress ...

Example

I've found some form of this script useful to encapsulate the steps necessary:

#!/bin/bash

# == Script Config ===================

# The rule description is used to determine the rule that should be updated.
RULE_DESCRIPTION=My-Rule-Description
SECURITY_GROUP_NAME=My-Security-Group-Name

# ====================================

# Look up the CIDR currently attached to the rule carrying our description (JMESPath filter).
OLD_CIDR_IP=$(aws ec2 describe-security-groups \
    --query "SecurityGroups[?GroupName=='${SECURITY_GROUP_NAME}'].IpPermissions[*].IpRanges[?Description=='${RULE_DESCRIPTION}'].CidrIp" \
    --output text)
# Fetch the current public address over HTTPS so the reply cannot be altered in transit.
NEW_IP=$(curl -s https://checkip.amazonaws.com)
NEW_CIDR_IP="${NEW_IP}/32"

# If the IP has changed and the old IP could be obtained, remove the old rule
if [[ -n "$OLD_CIDR_IP" ]] && [[ "$OLD_CIDR_IP" != "$NEW_CIDR_IP" ]]; then
    aws ec2 revoke-security-group-ingress --group-name "$SECURITY_GROUP_NAME" --protocol tcp --port 8080 --cidr "$OLD_CIDR_IP"
fi

# If the IP has changed and the new IP could be obtained, create a new rule (with the description attached)
if [[ -n "$NEW_IP" ]] && [[ "$OLD_CIDR_IP" != "$NEW_CIDR_IP" ]]; then
    aws ec2 authorize-security-group-ingress --group-name "$SECURITY_GROUP_NAME" \
        --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": 8080, \"ToPort\": 8080, \"IpRanges\": [{\"CidrIp\": \"${NEW_CIDR_IP}\", \"Description\": \"${RULE_DESCRIPTION}\"}]}]"
fi

Explanation

This method uses the following 3 AWS CLI commands, taken from the example above with the bash scripting removed.

1) Obtain the CIDR IP of a rule in a specific security group by the rule's description. This command uses JMESPath in the query parameter to return only the data we want:

aws ec2 describe-security-groups --query "SecurityGroups[?GroupName=='MY_SECURITY_GROUP_NAME'].IpPermissions[*].IpRanges[?Description=='MY_RULE_DESCRIPTION'].CidrIp" --output text

2) Remove rule for the old CIDR (succeeds even when rule doesn't exist):

aws ec2 revoke-security-group-ingress --group-name MY_SECURITY_GROUP_NAME --protocol tcp --port 80 --cidr 0.0.0.0/32

3) Add rule for the new CIDR (fails when rule already exists):

aws ec2 authorize-security-group-ingress --group-name MY_SECURITY_GROUP_NAME --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "1.1.1.1/32", "Description": "MY_RULE_DESCRIPTION"}]}]'

uɥƃnɐʌuop

I have used this little bash script to poke a hole in the firewall from my current address:

#!/bin/sh
# Look up the current public address (quietly, over HTTPS) and open port 22 for exactly that host
AWS_IP=$(curl -s https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress --group-name my-security-group \
         --protocol tcp --port 22 \
         --cidr "${AWS_IP}/32"

However, this results in a security group full of Swiss-cheese holes from random IP addresses, so you'll subsequently want to ask how not to have a security group full of temporary addresses that are no longer yours. One way to answer that problem is to set up a VPN which has a (relatively) stable IP address endpoint, and then allow only that single address through the security group.

vielmetti
  • On Windows, the first line would be: `for /f %%i in ('"path\to\curl.exe" http://checkip.amazonaws.com') do set MY_CURRENT_IP=%%i` and the 2nd line would end `%MY_CURRENT_IP%/32` – ExactaBox Jan 03 '17 at 11:47
  • This is a great answer. If you wanted to get fancy, rather than use a VPN you could just have a Lambda function strip out the ingress rule after a certain amount of time. – brandonsimpkins Jul 30 '18 at 20:57
  • Is there a way to specify a 'timeout' for a rule? So after some time the rule will be deleted? – Nathan B Dec 16 '21 at 20:13
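The describe/revoke/authorize procedure from the answer above and the Swiss-cheese problem raised in this answer can be handled in one idempotent step. Added example, not code from any of the answers: a Python function written against the boto3 EC2 client method names (pass boto3.client("ec2") as ec2), exercised here against a constructed in-memory stand-in; the group ID, rule description and addresses are constructed placeholders.

```python
import ipaddress

# Added example (not code from the answers above): one idempotent rotation step using the
# boto3 EC2 client method names, so `ec2` can be boto3.client("ec2"). It mirrors the CLI
# describe -> revoke -> authorize sequence and also removes every stale rule carrying the
# same description, so the group never fills up with old addresses. All values are constructed.

def rotate_ingress(ec2, group_id, description, new_ip, port, proto="tcp"):
    """Leave exactly one /32 rule tagged `description` for new_ip:port; return (revoked, authorized)."""
    new_cidr = f"{ipaddress.IPv4Address(new_ip.strip())}/32"  # rejects garbage from the IP lookup
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    stale, already_present = [], False
    for perm in group["IpPermissions"]:
        shape = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        for rng in perm.get("IpRanges", []):
            if rng.get("Description") != description:
                continue  # rules owned by someone else are never touched
            if (shape.get("IpProtocol"), shape.get("FromPort"), shape.get("ToPort"), rng["CidrIp"]) == (proto, port, port, new_cidr):
                already_present = True
            else:
                stale.append({**shape, "IpRanges": [{"CidrIp": rng["CidrIp"]}]})
    for perm in stale:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[perm])
    if not already_present:  # authorize only when missing: the real API rejects duplicates
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[{
            "IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": new_cidr, "Description": description}]}])
    return len(stale), not already_present

class FakeEC2:
    """Constructed in-memory stand-in for the three boto3 calls above (offline demo only)."""
    def __init__(self, perms):
        self.perms = perms
    @staticmethod
    def _key(perm, cidr):
        return perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.perms}]}
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        for p in IpPermissions:
            for r in p["IpRanges"]:
                if any(self._key(q, s["CidrIp"]) == self._key(p, r["CidrIp"]) for q in self.perms for s in q["IpRanges"]):
                    raise RuntimeError("InvalidPermission.Duplicate")
                self.perms.append({**{k: p[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in p}, "IpRanges": [dict(r)]})
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        for p in IpPermissions:
            for r in p["IpRanges"]:
                for q in self.perms:
                    q["IpRanges"] = [s for s in q["IpRanges"] if self._key(q, s["CidrIp"]) != self._key(p, r["CidrIp"])]
```

Run from cron or a scheduled Lambda as the comments suggest: because it revokes every stale rule with the same description and only authorizes when the current /32 is missing, repeated runs leave the group with a single rule for your current address.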

I create a security group for dynamic IPs, and each time I run my script I delete the IP stored in a file.

This is my solution for Windows.

SETLOCAL
@echo off
SET mypath=%~dp0
set PATH=%PATH%;"C:\Program Files\Amazon\AWSCLI\";"C:\Program Files (x86)\PuTTY\";"C:\MyApps\gnuwin32\bin"
rem Replace the placeholder with the ID of the security group reserved for dynamic addresses
set GROUPID=PUT_YOUR_DYNAMIC_SECURITY_GROUP_ID_HERE
rem aws ec2 create-security-group --group-name dynamic_ips --vpc-id vpc-81a519e5 --description "Dynamic Ip Address"
rem Read the address stored by the previous run and revoke its rule (on the first run the file is missing, so skip the revoke)
if not exist "%mypath%MYIP_NODELETE.txt" goto fetch
set /p MYIP=<"%mypath%MYIP_NODELETE.txt"
aws ec2 revoke-security-group-ingress --group-id %GROUPID% --protocol tcp --port 0-65535 --cidr %MYIP%/24
:fetch
rem Look up the current public address, store it for the next run, and allow it
wget -qO "%mypath%MYIP_NODELETE.txt" http://ipinfo.io/ip
set /p MYIP=<"%mypath%MYIP_NODELETE.txt"
aws ec2 authorize-security-group-ingress --group-id %GROUPID% --protocol tcp --port 0-65535 --cidr %MYIP%/24
rem cat "%mypath%MYIP_NODELETE.txt"
pause
lbolanos

Why not create a bastion host on a public IP and then use that as your jump box instead?

  • If this is an attempt to answer then use more assertive text; question marks don't belong in answers. – Steve Oct 12 '20 at 20:52

You can't connect a dynamic IP in the manner you want; every time your IP changes, if you want to allow it through your security groups you will need to change the setting to your new IP.

You could, however, write a little script, made into an icon on your desktop, that uses the AWS API to re-allow your current IP, to make it easier when it changes.

E.J. Brennan