This is the case:
X is able to connect to instance Y on TCP port 27017 (allowed by EC2 security group)X has mongo shellY has MongoDB running, accepting connection from X on port 27017
X, use mongo shell to connect to DB instance on Y
X, query from Y and insert to Y. All is successful.Y: remove the rule of port 27017 mentioned in #1 X can still query from/insert to DB hosted on Y. This is not expected.X
Expectation is that EC2 network firewall will terminate connections that violate the rules (the security group policies).
Could you please explain how #7 above happens? And how can that be avoided (so X cannot do anything to Y at that time)?
Thank you.
What is wrong with the third incoming security group rule, which allows all traffic from sg-269afc5e to go to an Ubuntu EC2 instance configured as a web server? All traffic on all ports is being denied into this instance, which overwrites the HTTP rule and makes it redundant.
Go to the security group of the EC2 instance and edit the inbound rule allow 0.0. 0.0/0 for ICMP. It will work.
10.10, and another security group that allows access to port 22 from everyone, everyone will have access to port 22 on the instance. Show activity on this post. When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group.
Instances associated with the same security group can't talk to each other unless you add rules allowing it (with the exception being the default security group). you have to add rules to make them able to communicate.
Expectation is that EC2 network firewall will terminate connections that violate the rules
You're making an assumption here. That might be your expectation of how it should work, but where is that backed up in the official AWS documentation? I suggest reading the documentation instead of making assumptions about how this will work.
From the documentation:
An existing flow of traffic that is tracked may not be interrupted when you remove the security group rule that enables that flow. Instead, the flow is interrupted when it's stopped by you or the other host for at least a few minutes (or up to 5 days for established TCP connections). For UDP, this may require terminating actions on the remote side of the flow. An untracked flow of traffic is immediately interrupted if the rule that enables the flow is removed or modified. For example, if you remove a rule that allows all inbound SSH traffic (0.0.0.0/0) to the instance, then your existing SSH connections to the instance are immediately dropped.
If you want to ensure that traffic is immediately interrupted when you remove a security group rule, you can use a network ACL for your subnet — network ACLs are stateless and therefore do not automatically allow response traffic. For more information, see Network ACLs in the Amazon VPC User Guide.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With