Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 2 answers
  • Subscribers 26 subscribers
  • Views 3820 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Business Application Rule for AWS Beanstalk

caldicot

Hi all,

I have set up an web application on AWS Elastic Beanstalk environment.

This application has to access a MySQL server that is located in LAN. Depending on the load Beanstalk is launching several EC2 instances, which are all behind a load balancer.

As the EC2 instances are launched and terminated automatically I think I cannot predict the public IP.

 

As only these servers need access to the MySQL server I would like to restrict the access, so that nobody else is able to connect to the MySQL server.

 

Is there any possibility to create a suiteable firewall policy?

 

thanks,

caldi



This thread was automatically locked due to age.
  • 0

    Anybody here, who can help me on this?

  • 0 in reply to caldicot

    Caldi,

    you can restrict the source network from any to the public IP or dns names.

    Allowing access to Database from external sources is against security principle. You should allow access to a web server on DMZ zone and then have a SQL machine on LAN or a dedicated VLAN.

    Regards

  • 0 in reply to lferrara

    lferrara,

     

    thanks for your reply.

     

    Sorry for not beeing clear in my description. Of course you're right, but I think I have unfortunately no choice.

    The web application has its own database also hosted by AWS.

    So theoretically there is no need to access the local MySQL instance from WAN... but I have to export periodically (every 2 month) some data from the local MySQL instance to the AWS hosted MySQL instance. This is also done by the web application. As both database schemas are different the transformation belongs logically to the web app.

     

    As no one should be able to access the local MySQL server it's not on DMZ, but the web app needs some time access.

    The structure has grown, so it might be not the best solution, but from my point of view putting the local MySQL instance on DMZ does also not solve the problem?

     

    Thanks for your help,

    caldi

  • 0 in reply to caldicot

    Caldi,

    as I wrote from the security prospective, you should not allow access to Databases from an untrusted network. Publish only web app on different zone.

    If your access is every 2 months, you can create a Firewall policy and keep it turned off until you need the access. For Web Application, put them behing WAF module and keep them really updated and restrict the access to it and admin page.

    Regards

  • 0 in reply to lferrara

    Hallo Luk,

     

    again, thanks for your quick reply.

     

    I'll follow your suggestion.

    I already added the the firewall policy and turned it off ...

    Is there a chance to allow traffic for all EC2 instances that might be launched by ElasticBeanstalk without knowing the IP address?

     

    Best,

    caldi