Is it possible to block an entire country from access my website within a security group rule in an Amazon EC2 instance instead of using iptables or something else?
As the others commented, it is hard to block the traffic from particular countries, if someone is smart enough to use a proxy.
But you can use some simple ways to filter most traffic from a range of IPs (not all customers know to use proxy)
One is to set Network ACL in aws. Please go though aws document Network ACLs as a start.
Another way if you can manage route 53 for your website, enable geolocation route policy and transfer the traffic from some countries to a fake website. You can go through the document here Choosing a Routing Policy
Let's say I have 20 servers at Amazon AWS and I also have AWS ELB setup for these servers. I heard that HAProxy is reliable and fast TCP/HTTP Load Balancer, so question is:
do I need to have HAProxy installed in each EC2 instances while I have AWS ELB?
What is the benefit of having both ELB and Haproxy at the same time?
Thanks
There are a few scenarios where people chose their own load balancing solution like HAProxy than ELB:
Financial transactions: ELB is an opaque service. Logs are not provided. So if you are missing transactions, you won't know if ELB dropped them or not.
Doesn't work well with traffic spikes: ELBs scaling takes at least 5 minutes. If your application traffic is doubling every 5-10 minutes, it will do well. But if it is at a constant rate and you will get a spike all of a sudden, then you will have problems with ELB.
ELBs can be slower than running your own Loadbalancing: In my environment, I got 15% performance boost by using HAProxy/Nginx (for SSL termination) instead. It was roughly 30ms per call, but keep in mind I was using SSL so I use CPU power.
ELBs only do round-robin load balancing and HAProxy has a lot more.
HAProxy also has ton more configurations that ELB does not support. It depends if one needs them for their application.
In one suite of applications, I have both running. ELB->haproxy->A suite of apps. In my case the following occurs:
ELB translates HTTPS to http
HAproxy targets to the app servers based on path
The app servers run in plain old http
The upside to this is that I can move around the apps without changing their URLs
The downside is that ELB isn't a fixed IP address so if you need to point to it from an IP adress instead of a cname you can't do it.
Short answer: No you don't need HAProxy. Go with an ELB.
tldr;
Yes HAProxy is powerful and tested.
First of all, you would need to have a separate EC2 HAProxy instance (as opposed to having HAProxy installed on every EC2 instance you need to balance). In essence an ELB is equivalent to an EC2 instance loaded with some kind of load balancing software.
Second, having both ELBs and HAProxy balancing instances in your environment is a rare use case. You might come to a point that you need more fine grained access and the ability to configure more on your load balancers. It purely depends on what you're doing and what problems an ELB might be giving you. Google to read through possible use cases.
I'm using an ELB and Haproxy behind.
When a customer uses my webservices from a unique IP, ELB redirects all his requests to the same hosts. It doesn't scale. (I supposed it's a hash from the src ip or something like that).
The haproxy has another balancer algorithm.
I keep the ELB for HA (1 haproxy / availability zone). And each haproxy instance redispatchs to region zone backend servers
Can an Amazon EC2 instance process requests from and return results to an external client which may a browser or non-browser application? (I know that the EC2 instance will require a IP address and must be able to create a socket and bind to a port in order to do this.)
I'm considering an Amazon EC2 instance because the server application is not written in PHP, Ruby or any other language that conventional web hosting services support by default.
Sure it will. Just setup the security group the right way to allow your clients to connect.
Take a look at this guide: Amazon Elastic Compute Cloud - Security Groups
Also keep in mind: It's not possible to change the policy group after you created the EC2 instance. This feature is available for VPC instances only. See http://aws.amazon.com/vpc/faqs/#S2 for more information.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
Currently moving to Amazon EC2 from another VPS provider. We have your typical web server / database server needs. Web servers in front of our database servers. Database servers are not directly accessible from the Internet.
I am wondering if there is any reason to put these servers into an AWS Virtual Private Cloud (VPC) instead of just creating the instances and using security groups to firewall them off.
We are not doing anything fancy just a typical web app.
Any reason to use a VPC or not using a VPC?
Thanks.
NOTE: New accounts in AWS launch with a "default VPC" enabled immediately, and make "EC2-Classic" unavailable. As such, this question and answer makes less sense now than they did in August 2012. I'm leaving the answer as-is because it helps frame differences between "EC2-Classic" and the VPC product line. Please see Amazon's FAQ for more details.
Yes. If you're security conscious, a heavy CloudFormation user, or want complete control over autoscaling (as opposed to Beanstalk, which abstracts certain facets of it but still gives you complete access to the scaling parameters), use a VPC. This blog post does a great job summarizing both the pros and cons. Some highlights from the blog post (written by kiip.me):
What’s Wrong with EC2?
All nodes are internet addressable. This doesn’t make much sense for nodes which have no reason to exist on the global internet. For example: a database node should not have any public internet hostname/IP.
All nodes are on a shared network, and are addressable to each other. That means an EC2 node launched by a user “Bob” can access any of EC2 nodes launched by a user “Fred.” Note that by default, the security groups disallow this, but its quite easy to undo this protection, especially when using custom security groups.
No public vs private interface. Even if you wanted to disable all traffic on the public hostname, you can’t. At the network interface level each EC2 instance only has one network interface. Public hostnames and Elastic IPs are routed onto the “private” network.
What's Great About the VPC
First and foremost, VPC provides an incredible amount of security compared to EC2. Nodes launched within a VPC aren’t addressable via the global internet, by EC2, or by any other VPC. This doesn’t mean you can forget about security, but it provides a much saner starting point versus EC2. Additionally, it makes firewall rules much easier, since private nodes can simply say “allow any traffic from our private network.” Our time from launching a node to having a fully running web server has gone from 20 minutes down to around 5 minutes, solely due to the time saved in avoiding propagating firewall changes around.
DHCP option sets let you specify the domain name, DNS servers, NTP servers, etc. that new nodes will use when they’re launched within the VPC. This makes implementing custom DNS much easier. In EC2 you have to spin up a new node, modify DNS configuration, then restart networking services in order to gain the same effect. We run our own DNS server at Kiip for internal node resolution, and DHCP option sets make that painless (it just makes much more sense to type east-web-001 into your browser instead of 10.101.84.22).
And finally, VPC simply provides a much more realistic server environment. While VPC is a unique product to AWS and appears to “lock you in” to AWS, the model that VPC takes is more akin to if you decided to start running your own dedicated hardware. Having this knowledge beforehand and building up the real world experience surrounding it will be invaluable in case you need to move to your own hardware.
The post also lists some difficulties with the VPC, all of which more or less relate to routing: Getting an internet gateway or NAT instance out of the VPC, communicating between VPCs, setting up a VPN to your datacenter. These can be quite frustrating at times, and the learning curve isn't trivial. All the same, the security advantages alone are probably worth the move, and Amazon support (if you're willing to pay for it) is extremely helpful when it comes to VPC configuration.
Currently VPC has some useful advantages over EC2, such as:
multiple NICs per instance
multiple IP's per NIC
'deny'-rules in security-groups
DHCP options
predictable internal IP ranges
moving NICs and internal IPs between instances
VPN
Presumably Amazon will upgrade EC2 with some of those features as well, but currently they're VPC-only.
VPCs are useful if your app needs to access servers outside of EC2, e.g. if you have a common service that's hosted in your own physical data center and not accessible via the internet. If you're going to put all of your web and DB servers on EC2, there's no reason to use VPC.
Right now VPC is the only way to have internal load balancers
If you choose RDS to provide your database services, you can configure DB Security Groups to allow database connections from a given EC2 Security Groups, then even if you have dynamic IP addresses in your EC2 cluster, the RDS will automatically create the firewall rules to allow connections only from your instances, reducing the benefit of a VPS in this case.
VPS in the other hand is great when your EC2 instances have to access your local network, then you can establish a VPN connection between your VPS and your local network, controlling the IP range, sub networks, routes and outgoing firewall rules, which I think is not what you are looking for.
I would also highly recommend trying the Elastic Beanstalk, which will provide a console that makes easy to setup your EC2 cluster for PHP, Java and .Net applications, enabling Auto Scaling, Elastic Load Balancer and Automatic Application Versioning, allowing easy rollback from bad deployments.
You have raised a good concern here.
I would like to focus on the viability in terms of cost...
What about the cost factor?
I think You will be paying for that server per hour. Even if you pick $20-$50 dollars a month instance it will be something you will pay the rest of your server life. The VPN server is something you can easily set on old hardware very cheap and even free for open source solution.
Adding VPN to existing AWS servers park make sense, setting a solo VPN server on AWS doesn't. I don't think it is the best cost-effective option but that just my opinion.
Thanks,
Alisa
I have a free Amazon EC2 instance. And I installed Apache web server on it. I have the DNS record for my domain point to the ip for the EC2 instance. I can not access to my website. Then I looked up and allow the http inbound. But I still failed to access my web? What might be the reason. Anybody gives me a clue?
Go to the AWS management console and look at the Security Group the instance is in. Then make sure you have the port open that you are trying to connect to (most likely 80). To open it to the world set the ip range to 0.0.0.0/0 and to open it to a specific ip (like only your house) set it to xxx.xxx.xxx.xxx/32.
That is almost always the reason people have problems connecting when they are new to AWS. I wrote this post, which should help get you setup.