Are Amazon EC2 Private IPs reachable from any instance running in EC2?


Solution 1

Amazon EC2 provides security groups, which your instance is a part of; this allows you to grant permissions to other groups of hosts on your account or to external hosts. See the [User Guide][1] -> Concepts -> Network security for a little overview.

Normally in the "default" security group you have full access to other members in the group (i.e. all of your other default hosts) and no external inbound access. Other hosts inside EC2 that are on other accounts, or on your account but not in the "default" group, will not be able to access your instance.

You can add rules for a security group to grant access to other security groups, or add rules to grant access to IP addresses/ranges.

To answer your question a bit more directly: so long as your security group rules only allow access from the same group, then your instances should be firewalled from access by any other customer, even though they share the same IP space.

[1]: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ "EC2 User Guide"

Solution 2

Gareth - I assume both groups have the SSH port open, thus successful SSH from one account to the other does not indicate your conclusion. The idea is simple - within a security group - all ports are open - outside access - is per your definition - and for that matter, another group in Amazon is just the same as external access.


Updated on September 17, 2022

Comments

  • jberryman over 1 year

    After searching previous questions here, the general consensus seems to be if an instance that I own is assigned a private IP of 10.208.34.55, that only OTHER INSTANCES I OWN can reach it at that address. See:

    How to encrypt traffic between two Amazon EC2 instances?

    Is that correct? So I can treat all my instances as if they are on a LAN and authenticate and trust any machine coming from 10.XXX.XXX.XXX because I am sure I own it?

    I just want to be sure. I'm finding that Amazon seems to be rather more interested in waxing poetic about The Cloud and their 3-character abbreviations than actually providing clear technical documentation.

  • byoung over 14 years
    What security permissions did you have on the instance? Nobody should be able to access your instance by default, but it's often recommended in tutorials to open up tcp/22 (SSH) to the world so you can access the machine. Use ElasticFox or "ec2-describe-group" to check the permissions for the security group you're launching the instance in ("default"?). You will probably see full access permitted from members of the same security group and probably global SSH access (which you must have added).
  • gareth_bowles over 14 years
    You're right, I did enable global access for port 22 - that seemed secure since you still need the SSH keypair to access the instances.
  • cgseller almost 8 years
    Having it open does make you subject to attacks - meaning your SSH daemon has to listen to the requests coming in and it could lend itself to a Denial of Service attack. This is sometimes mitigated by adding something like fail2ban or some other monitor to the host to watch for failed logins and turn on instance firewall rules via iptables/ipfw.
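Solution 1's point (security groups are allow-only, and intra-group access says nothing about a 10.x address by itself) and byoung's advice in the comments (look at the group's rules for a global tcp/22 entry) can be checked offline against the IpPermissions structure that `aws ec2 describe-security-groups` returns. The following is an added example, not code from the question or the answers; the group ID, CIDRs and addresses are constructed sample values.

```python
"""Evaluate EC2 security-group ingress rules offline.

Rule dicts mirror the IpPermissions entries of `describe-security-groups`
(IpProtocol, FromPort, ToPort, IpRanges, UserIdGroupPairs). An IpProtocol
of "-1" means all protocols and ports.
"""
import ipaddress

# Constructed sample: a "default" group that allows all traffic from itself,
# plus the tcp/22-from-anywhere rule the tutorials tell you to add.
DEFAULT_SG = "sg-0default0"  # placeholder group ID, not a real resource
SAMPLE_RULES = [
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": DEFAULT_SG}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

def _port_matches(rule, protocol, port):
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def allowed(rules, src_groups, src_ip, protocol, port):
    """True if a packet from src_ip, sent by an instance in src_groups
    (empty for another customer's instance or the internet), matches any
    rule. No match means dropped, whatever the source's 10.x address."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not _port_matches(rule, protocol, port):
            continue
        if any(p["GroupId"] in src_groups for p in rule.get("UserIdGroupPairs", [])):
            return True
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False

def world_open_ports(rules):
    """List (protocol, from, to) for rules open to 0.0.0.0/0 or ::/0, i.e.
    reachable by any AWS customer or the internet."""
    found = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            found.append((rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")))
    return found
```

With the sample rules, an instance from another account at 10.208.34.56 reaches tcp/22 (through the global rule) but not tcp/80, while a member of the default group reaches any port.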