AWS: how to add autoscaling ECS instances to a security group for a proxy server?
Okay, I'm frustrated by this because it seems like it should be easy... we're running a service which needs access to a proxy server, which is an EC2 instance on a VPC we own. The service is running on ECS containerized instances with their own VPC, and they need to have access to that proxy server, which is on its own VPC.
This sounds like a candidate for peer linkage, but I'm a bit vague on that and it sounds like we would have to manually disambiguate private CIDR ranges (10.0.X.X). Now, the proxy server is open to internet connections (but protected by its security group settings) and the service instances have automatically-assigned public IP addresses and an internet gateway, but I can't control those public addresses (they seem to be pulled from Amazon's global list) so I can't just apply a CIDR range to the proxy's security group ingress rules.
I feel like this SHOULD be very easy, something like being able to add a rule like "any request coming from a public IP within this VPC is OK" but that seems impossible.
What am I missing? How can I do this? Is there a way to create a dummy security group for all the ECS instances (that's not a "VPC security group") and then add that SG to the proxy's ingress rules?
amazon-web-services amazon-ec2 amazon-ecs vpc aws-security-group
asked Nov 13 '18 at 0:57
vputzvputz
113
add a comment |
Okay, I'm frustrated by this because it seems like it should be easy... we're running a service which needs access to a proxy server, which is an EC2 instance on a VPC we own. The service is running on ECS containerized instances with their own VPC, and they need to have access to that proxy server, which is on its own VPC.
This sounds like a candidate for peer linkage, but I'm a bit vague on that and it sounds like we would have to manually disambiguate private CIDR ranges (10.0.X.X). Now, the proxy server is open to internet connections (but protected by its security group settings) and the service instances have automatically-assigned public IP addresses and an internet gateway, but I can't control those public addresses (they seem to be pulled from Amazon's global list) so I can't just apply a CIDR range to the proxy's security group ingress rules.
I feel like this SHOULD be very easy, something like being able to add a rule like "any request coming from a public IP within this VPC is OK" but that seems impossible.
What am I missing? How can I do this? Is there a way to create a dummy security group for all the ECS instances (that's not a "VPC security group") and then add that SG to the proxy's ingress rules?
amazon-web-services amazon-ec2 amazon-ecs vpc aws-security-group
asked Nov 13 '18 at 0:57
vputzvputz
113
add a comment |
Okay, I'm frustrated by this because it seems like it should be easy... we're running a service which needs access to a proxy server, which is an EC2 instance on a VPC we own. The service is running on ECS containerized instances with their own VPC, and they need to have access to that proxy server, which is on its own VPC.
This sounds like a candidate for peer linkage, but I'm a bit vague on that and it sounds like we would have to manually disambiguate private CIDR ranges (10.0.X.X). Now, the proxy server is open to internet connections (but protected by its security group settings) and the service instances have automatically-assigned public IP addresses and an internet gateway, but I can't control those public addresses (they seem to be pulled from Amazon's global list) so I can't just apply a CIDR range to the proxy's security group ingress rules.
I feel like this SHOULD be very easy, something like being able to add a rule like "any request coming from a public IP within this VPC is OK" but that seems impossible.
What am I missing? How can I do this? Is there a way to create a dummy security group for all the ECS instances (that's not a "VPC security group") and then add that SG to the proxy's ingress rules?
amazon-web-services amazon-ec2 amazon-ecs vpc aws-security-group
asked Nov 13 '18 at 0:57
vputzvputz
113
Okay, I'm frustrated by this because it seems like it should be easy... we're running a service which needs access to a proxy server, which is an EC2 instance on a VPC we own. The service is running on ECS containerized instances with their own VPC, and they need to have access to that proxy server, which is on its own VPC.
This sounds like a candidate for peer linkage, but I'm a bit vague on that and it sounds like we would have to manually disambiguate private CIDR ranges (10.0.X.X). Now, the proxy server is open to internet connections (but protected by its security group settings) and the service instances have automatically-assigned public IP addresses and an internet gateway, but I can't control those public addresses (they seem to be pulled from Amazon's global list) so I can't just apply a CIDR range to the proxy's security group ingress rules.
I feel like this SHOULD be very easy, something like being able to add a rule like "any request coming from a public IP within this VPC is OK" but that seems impossible.
What am I missing? How can I do this? Is there a way to create a dummy security group for all the ECS instances (that's not a "VPC security group") and then add that SG to the proxy's ingress rules?
amazon-web-services amazon-ec2 amazon-ecs vpc aws-security-group
amazon-web-services amazon-ec2 amazon-ecs vpc aws-security-group
asked Nov 13 '18 at 0:57
vputzvputz
113
asked Nov 13 '18 at 0:57
vputzvputz
113
asked Nov 13 '18 at 0:57
vputzvputz
113
asked Nov 13 '18 at 0:57
vputzvputz
113
asked Nov 13 '18 at 0:57
vputzvputz
113
113
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53272248%2faws-how-to-add-autoscaling-ecs-instances-to-a-security-group-for-a-proxy-server%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53272248%2faws-how-to-add-autoscaling-ecs-instances-to-a-security-group-for-a-proxy-server%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
