Identifying the Correct AWS IP Range for a Firewall Whitelist


Question

I currently have an AWS Lambda function I’m configuring to connect with our sFTP server. I have an account created, but I need a list or range of IP addresses to get whitelisted in our firewall. AWS posts its outbound IP address ranges here…

https://ip-ranges.amazonaws.com/ip-ranges.json

That’s great, but the only IP address I can seem to pull from my Lambda function does not fall into any of these ranges. I presume it’s an internal IP address. Does anyone have experience mapping internal AWS cloud IPs to external ones listed in the ranges? Thank you.


Answer 1

Score: 2

Your Lambda should be attached to a VPC. Then, from the VPC, the IP address(es) of your NAT Gateway(s) will be the one(s) your Lambda will be coming from.

If your sFTP server is also in AWS, you may want to set it up with a Private Route as well, so you don't have to cross the internet. But this would require the IP addresses in your VPC to be in a separate range from the sFTP server's.


Answer 2

Score: 0

You need to find the public IP for your VPC. This could be your NAT Gateway or an Elastic IP.

Once you find this IP address, you can look up the IP on https://www.queryaws.net and it'll give you the subnet, region and service.

You can use that single host in your FW allow list, but it's better to use the subnet, or even better you can take the region and service and look up all the prefixes that match using the Attribute search on https://www.queryaws.net too.
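The lookup both answers describe can be done directly against AWS's published ip-ranges.json, without a third-party site. The script below is an added example and not code from either answer or from AWS: it flags an RFC 1918 / link-local / ULA address (the VPC-internal address a Lambda sees on its own interface, which is never what the firewall sees), finds the published prefix(es) covering a public address, most specific first, and lists every prefix for a region + service pair so the allow list survives a NAT Gateway or Elastic IP being replaced. The JSON document embedded here is constructed in the shape of the real file using documentation ranges, not real AWS allocations; `fetch_prefixes` loads the live file at the URL from the question but is not called by the offline demo.

```python
"""Check an IP against AWS's published ip-ranges.json and list prefixes by region/service."""
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of the real file. The CIDRs are RFC 5737 / RFC 3849
# documentation ranges, NOT actual AWS allocations; they exist only so this runs offline.
SAMPLE_DOC = json.loads("""
{
  "syncToken": "0",
  "createDate": "2023-04-04-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"}
  ]
}
""")

# Address space a Lambda ENI or any VPC-internal interface normally sits in. These are
# checked explicitly rather than via ipaddress.is_private, because is_private also
# covers the documentation ranges used in the sample above.
VPC_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


def load_prefixes(doc):
    """Flatten the v4 and v6 entries into (network, region, service) tuples."""
    out = []
    for p in doc.get("prefixes", []):
        out.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in doc.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return out


def fetch_prefixes(url=IP_RANGES_URL, timeout=10):
    """Load the live AWS file (needs network access; the offline demo does not call this)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_prefixes(json.load(resp))


def classify_ip(ip_str, prefixes):
    """Return ("internal", []) for a VPC-internal address, ("aws", matches) when the
    address is inside published AWS space (most specific prefix first), or
    ("unknown", []) when it matches nothing published."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in VPC_INTERNAL_NETS):
        return "internal", []
    matches = [(net, region, service) for net, region, service in prefixes
               if net.version == ip.version and ip in net]
    matches.sort(key=lambda m: m[0].prefixlen, reverse=True)
    return ("aws", [(str(n), r, s) for n, r, s in matches]) if matches else ("unknown", [])


def prefixes_for(region, service, prefixes):
    """All published CIDRs for one region + service pair, v4 first, each family sorted."""
    nets = sorted((net for net, r, s in prefixes if r == region and s == service),
                  key=lambda n: (n.version, n))
    return [str(n) for n in nets]


if __name__ == "__main__":
    table = load_prefixes(SAMPLE_DOC)
    for candidate in ("10.0.1.17", "203.0.113.9", "203.0.113.200", "192.0.2.1", "2001:db8::1"):
        print(candidate, classify_ip(candidate, table))
    print(prefixes_for("us-east-1", "AMAZON", table))
```

If `classify_ip` reports "internal" for the address your function sees, that confirms the symptom in the question: the address belongs to the Lambda's ENI inside the VPC, and the address the sFTP firewall actually sees is the NAT Gateway's Elastic IP, which is what you should feed to the check. In the real file one CIDR can appear under several services (the AMAZON entries overlap the EC2 ones), which is why matches are returned most specific first.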

huangapple
  • Posted on 2023-04-04 08:32:36
  • Please keep this link when reposting: https://go.coder-hub.com/75924660.html