I run a service on my EC2 instance and I want to set up an inbound rule that only allows my lambda function to access it. The security group allows me to restrict access by a specific IP, but I don't think that lambda functions have a specific IP assigned. Is there a way to do what I want?
2 solutions
#1
19
If you are enabling VPC access for your Lambda function, as per this blog post, then you will create a security group for your Lambda functions to use within your VPC. All you need to do at that point is go into the security group your EC2 instance is using and grant access to the security group the Lambda function is using. This is the method I recommend.
If you are not using VPC access then your EC2 instance would need to be publicly accessible and you would basically be going over the internet to access the EC2 instance from the Lambda function. If that's the case then there is no good way to restrict that in the security group. You could (with difficulty) open it up to only requests that originate within AWS, but that still leaves it open to all other users of AWS. If you must go over the internet to access your EC2 instance from Lambda then it would be best to send some sort of security token with each request Lambda sends, and ignore any requests on the EC2 server that don't contain that security token.
#2
0
A Lambda with no VPC association will be on the Internet and assigned an arbitrary public IP (obviously from Amazon-registered IPs), which will not be a fixed address. So it is almost impossible to whitelist that IP in your EC2's SG, since the next time that Lambda spins up the IP could change and is not predictable.
However, there is a way to partially limit the network access only to the resources located in the VPC, including Lambdas (since components will be assigned internal IPs). Let's say you want that EC2 server to be accessible only from the internal VPC network; therefore you place it in your internal subnet with no public IP assigned to it. Now you can set the SG on your EC2 to only accept IPs from the internal subnet CIDR range of your VPC. By associating the Lambda with that VPC and placing it in the private subnet, the Lambda will get an arbitrary IP from the internal CIDR range of your VPC, which obviously falls in the SG range already configured for your EC2 (if you are going to have lots of Lambdas in parallel, just make sure you have enough IPs within your defined CIDR range).
If you want your components to communicate internally while also being able to access the Internet, you can add a NAT Gateway routable to the IGW and then add a routing rule to the internal subnets pointing to your NAT Gateway. Therefore all your components within the internal subnet will be assigned a route table pointing to the NAT and subsequently the Internet.
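Added example, not code from either answer: it builds the boto3 parameters for the security-group-to-security-group rule that answer #1 recommends, and audits an EC2 security group for any source other than the Lambda's SG (a CIDR rule like answer #2's subnet range admits every ENI in that range, not only the Lambda, so the audit reports it). The group IDs, the port and the sample rules are placeholders constructed for the example.

```python
EC2_SG_ID = "sg-0ec2placeholder"        # placeholder, not a real group
LAMBDA_SG_ID = "sg-0lambdaplaceholder"  # placeholder, not a real group
SERVICE_PORT = 8080                     # assumed service port


def lambda_only_ingress(lambda_sg_id: str, port: int, proto: str = "tcp") -> dict:
    """Kwargs for ec2.authorize_security_group_ingress(GroupId=..., **these).
    The source is a security group (UserIdGroupPairs), not a CIDR, so it
    matches whatever private IP the Lambda's VPC ENI happens to get."""
    return {"IpPermissions": [{
        "IpProtocol": proto, "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": lambda_sg_id,
                              "Description": "Lambda VPC ENIs only"}],
    }]}


def audit_ingress(sg: dict, port: int, allowed_sg_id: str) -> list:
    """Findings for one describe_security_groups() entry: every rule that
    covers `port` but is sourced from anything except allowed_sg_id."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        all_traffic = perm.get("IpProtocol") == "-1"   # "-1" has no ports
        if not all_traffic and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        for r in perm.get("IpRanges", []):
            findings.append(f"port {port} open to CIDR {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"port {port} open to CIDR {r['CidrIpv6']}")
        for g in perm.get("UserIdGroupPairs", []):
            if g["GroupId"] != allowed_sg_id:
                findings.append(f"port {port} open to SG {g['GroupId']}")
    return findings


# Constructed sample: the EC2 SG still carries a subnet-wide CIDR rule next
# to the Lambda-SG rule; only the first should be reported.
SAMPLE_SG = {"GroupId": EC2_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG_ID}]},
]}

if __name__ == "__main__":
    import boto3  # only needed to actually apply the rule
    boto3.client("ec2").authorize_security_group_ingress(
        GroupId=EC2_SG_ID, **lambda_only_ingress(LAMBDA_SG_ID, SERVICE_PORT))
    print(audit_ingress(SAMPLE_SG, SERVICE_PORT, LAMBDA_SG_ID))
```

Run the audit over the real `describe_security_groups()` output for your EC2 instance's group after applying the rule; an empty list means the service port is reachable only from the Lambda's security group.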