需要帮助白名单IP地址范围 – AWS EC2

huangapple go评论81阅读模式
英文:

Need Help Whitelisting IP Address Range - AWS EC2

问题

我在努力理解如何正确格式化白名单IP地址范围以访问托管在AWS EC2实例上的数据库和Web应用程序。

例如,如果这是用户提供的IP地址:23.283.149.136

我应该如何将用户的IP地址范围加入白名单?我知道IP地址会有微小的变化。

是应该使用23.283.149.0/24?还是23.283.149.0/32?

我最终要求用户提供他们的工作或家庭IP地址,以便将其加入EC2实例的白名单,并且一直在处理他们的IP地址变化的问题。

英文:

I am struggling to understand the correct format for whitelisting IP address ranges to a database and webbapp hosted on an AWS EC2 instance.

For example, if this is a users given IP address: 23.283.149.136

How would I whitelist the users IP address range? I know IP addresses change subtle amounts.

Would it be 23.283.149.0/24? Or 23.283.149.0/32?

I ultimately ask the users for their work or home IP address to whitelist for the EC2 instance and have been having issues with their IP addresses changing.

答案1

得分: 1

你需要获取更多关于它们所在子网的信息,并将整个子网列入白名单。在你的示例中,列入白名单CIDR 23.283.149.0/24 将允许IP地址的最后一个八位组发生变化,但它们仍然可以连接。以下是我以前遇到的一些用例:

  1. 列入白名单家庭路由器IP地址。这通常以家庭路由器分配的广域网(WAN)IP地址的形式出现,不会更改。在这种情况下,列入白名单该地址的/32应该没问题。如果他们决定搬家或更换互联网提供商,您将不得不手动更改白名单。
  2. 企业IP子网。这些可以更广泛,例如/24,以允许更广泛范围的子网。

当情况变得难以管理的是,如果您需要容纳远程用户,例如数字游牧民族,他们会从咖啡店连接。在这种情况下,他们的IP地址每天都会更改,有时一天多次,这将变得难以管理。

因此,许多人只允许0.0.0.0/0,这是端口443或80上的所有IP地址,并在前面放置过滤器以阻止已知的恶意IP地址。AWS WAF 是可以用来帮助处理这个问题的产品之一。

英文:

You have to get more information on which subnet they are on, and whitelist that entire subnet. In your example, whitelisting the CIDR 23.283.149.0/24 would allow the last octet of the IP address to change and they would still be able to connect. Here are a couple of use cases I have run in to in the past:

  1. Whitelisting a home router IP address. This usually comes in the form of a Wide Area Network (WAN) IP address that is assigned to the home router and doesn't change. In this case, whitelisting a /32 of that address should be fine. If they decide to move homes or internet providers, you will have to manually change the whitelist.
  2. Corporate IP subnets. These can be wider for example /24 to allow for wider ranges of subnets.

Where this gets untenable is if you have to accomodate remote users, for example someone who is a digital nomad and connects from coffee shop. In that case their IP address would change every day, sometimes multiple times a day, and would be impossible to manage.

As a result, many just allow 0.0.0.0/0 which is all IP addresses on ports 443 or 80, and place filters in front that block out known bad IP addresses. AWS WAF is one product that could be used to help with this.

huangapple
  • 本文由 发表于 2023年3月4日 04:37:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/75631672.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定