Let's say I have a private subnet with a bunch of EC2 instances. These EC2 instances make API calls to an external partner, say api.somevendor.com, whose IP address might/will change. How do I configure my AWS security group to communicate only with this partner host?
- This answer might help - https://stackoverflow.com/q/33339057/866021 – Adil B Jan 18 '18 at 01:26
- @Adil B that question has to do with setting dynamic DNS for your own IP. This is how to deal with the changing IP of an external service endpoint. You cannot run those scripts on a vendor external service. – Rodrigo Murillo Jan 18 '18 at 02:23
1 Answer
You have to open the security group to the IPs and ports provided by the vendor service. They should provide you with that information, of course.
If you are concerned about what happens if the vendor later changes those IPs, you will have to change them again. Manually. It would be difficult if not impossible to script anything here.
A reputable vendor will provide you with notice of any upcoming changes to their service IPs. Make sure you are on their email or technical notification list.

Rodrigo Murillo
- Thanks Rodrigo. That would be the ideal case, i.e. the vendor can notify me about IP changes. – Foo Bar Jan 18 '18 at 18:10
- You bet. Most will have a customer email list, or technical notices list. Just make sure you are on it. Kindly accept the answer if you found it helpful. – Rodrigo Murillo Jan 18 '18 at 18:44
- Can this issue be solved using an external/3rd party solution? Like a firewall? – Foo Bar Jan 22 '18 at 20:53
- No. There is no technology that would tell you what IPs have been assigned to an external service after the fact. A human has to tell you, and you have to update the security group manually. – Rodrigo Murillo Jan 22 '18 at 21:29
- Probably no native solution in AWS. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-Custom-URL-Categories/ta-p/54355 perhaps would help here? – Foo Bar Jan 22 '18 at 23:59
- No, nothing anywhere. Only the provider can know their network and changes to their IP address scheme. – Rodrigo Murillo Jan 23 '18 at 02:27
- Could you not create a Lambda to do a DNS lookup and then update the IPs on the security group? Then run it at an approved schedule: hourly, daily, etc. – Ronnie Hyslop Oct 02 '20 at 13:31
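The scheduled-Lambda approach from the last comment, written out as an added example that is not part of this thread, with the caveat the accepted answer raises built in: one lookup only sees one resolver's answer, so a vendor using round-robin or geo-DNS may publish addresses this run never sees and a still-valid address could be revoked. It assumes boto3 is available, that the security group id is passed in by the caller, that the partner API is served on TCP 443, and that the hostname is the api.somevendor.com from the question; the sample addresses in the tests are constructed.

```python
import ipaddress
import socket

VENDOR_HOST = "api.somevendor.com"  # hostname from the question
VENDOR_PORT = 443                   # assumption: the partner API is served over HTTPS

def resolve_ipv4(host):
    """Addresses the local resolver returns for host right now (one DNS view only)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def desired_cidrs(addresses):
    """One /32 per address; refuses non-public IPv4 so a bad DNS answer cannot open RFC1918 egress."""
    cidrs = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version != 4 or not ip.is_global:
            raise ValueError(f"refusing non-public address {addr} from DNS")
        cidrs.add(f"{ip}/32")
    return cidrs

def current_cidrs(sg, port):
    """CIDRs already in the group's TCP egress rules for port (sg is one DescribeSecurityGroups entry)."""
    found = set()
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port == perm.get("ToPort"):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found

def plan_changes(current, desired):
    """(to_authorize, to_revoke) that turn the current rule set into the desired one."""
    return sorted(desired - current), sorted(current - desired)

def sync_security_group(group_id, host=VENDOR_HOST, port=VENDOR_PORT):
    """What the scheduled Lambda runs: authorize new addresses first, then revoke stale ones,
    so the vendor API never becomes unreachable between the two calls."""
    import boto3  # imported here so the planning helpers above run without the SDK installed
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    add, drop = plan_changes(current_cidrs(sg, port), desired_cidrs(resolve_ipv4(host)))

    def perm(cidrs):
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c} for c in cidrs]}]

    if add:
        ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=perm(add))
    if drop:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=perm(drop))
    return add, drop
```

If the lookup fails, resolve_ipv4 raises and the run exits before touching the group, which is the safe failure mode; the Lambda's execution role needs only ec2:DescribeSecurityGroups and the two egress authorize/revoke actions on that one group.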