EC2 with Kubernetes - Should I disallow EC2 from accessing external networks to improve safety?

Solution 1:

You’re confusing two things:

  1. EC2 accessing outside world, and
  2. Outside world accessing the EC2

The first one - EC2 accessing the outside world - means that the instances initiate the connections out. It typically isn’t an issue; your instances may need access to the world for updates, sending out logs, pulling container images, etc. If they don’t have direct access you’ll have to provide a proxy, VPC endpoints, or some other means to work around the restrictions.

The second one - the outside world accessing the EC2 - limits how to connect to your instances. It’s recommended to use an Application Load Balancer in front of your instances for multiple reasons:

  • with Kubernetes you don’t know the IPs and ports of your pods; the ALB provides a unified frontend IP
  • you can terminate SSL and use Amazon-issued SSL certificates (ACM) on the ALB
  • it protects you from some attacks
  • etc.

So yes, use a Load Balancer on the way in, but don’t restrict outside access from the instances unless your security team dictates that you do so and you’re ready to deal with the extra operational and cost overhead (proxies, VPC endpoints, etc.).

Hope that helps :)
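One way to check that an instance security group actually follows the split described in the answer above (inbound only from the load balancer, outbound left open) is to audit the group rules. The script below is an added example, not code from the original post or from AWS: it walks security groups in the dictionary shape returned by boto3's `ec2.describe_security_groups()` and flags any node-group ingress rule whose source is not the ALB's security group. The group IDs, group names and rules are constructed sample data (placeholders, not real resources); nothing is called in AWS.

```python
"""Audit EC2 security groups for the ingress/egress split discussed above.

Assumptions (not from the original answer): worker nodes sit in one
security group, the ALB in another, and the node group should accept
inbound traffic only from the ALB's security group while its egress
stays open. SAMPLE_GROUPS mirrors the shape of
boto3.client("ec2").describe_security_groups()["SecurityGroups"].
"""

# Placeholder security group IDs (constructed, not real resources)
ALB_SG_ID = "sg-0aaaaaaaaaaaaaaaa"
NODE_SG_ID = "sg-0bbbbbbbbbbbbbbbb"

# Constructed sample data in the describe_security_groups() output shape
SAMPLE_GROUPS = [
    {
        "GroupId": ALB_SG_ID,
        "GroupName": "alb-sg",
        "IpPermissions": [
            # The ALB is the intended public entry point: HTTPS from anywhere
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": NODE_SG_ID,
        "GroupName": "k8s-nodes-sg",
        "IpPermissions": [
            # Good: NodePort range reachable only from the ALB security group
            {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
            # Misconfiguration to be caught: SSH open to the world, bypassing the ALB
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            # Egress stays open, as the answer recommends (updates, logs, image pulls)
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def _find_group(groups, sg_id):
    """Return the security group dict with the given GroupId."""
    for group in groups:
        if group["GroupId"] == sg_id:
            return group
    raise KeyError(f"security group {sg_id} not found")


def _port_label(perm):
    """Human-readable protocol/port description of one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low == high:
        return f"{proto} {low}"
    return f"{proto} {low}-{high}"


def audit_node_ingress(groups, node_sg_id, alb_sg_id):
    """List ingress rules on the node group whose source is not the ALB group.

    Every CIDR-sourced rule is a finding (it bypasses the load balancer),
    as is any group-sourced rule that references a group other than the ALB's.
    """
    findings = []
    node_sg = _find_group(groups, node_sg_id)
    for perm in node_sg.get("IpPermissions", []):
        label = _port_label(perm)
        for rng in perm.get("IpRanges", []):
            findings.append(f"{label} open to {rng['CidrIp']}")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"{label} open to {rng['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != alb_sg_id:
                findings.append(f"{label} open to security group {pair.get('GroupId')}")
    return findings


def egress_is_open(groups, sg_id):
    """True if the group allows all outbound traffic to 0.0.0.0/0."""
    sg = _find_group(groups, sg_id)
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1" and any(
            rng.get("CidrIp") == "0.0.0.0/0" for rng in perm.get("IpRanges", [])
        ):
            return True
    return False


if __name__ == "__main__":
    for finding in audit_node_ingress(SAMPLE_GROUPS, NODE_SG_ID, ALB_SG_ID):
        print("node ingress bypasses ALB:", finding)
    print("node egress open:", egress_is_open(SAMPLE_GROUPS, NODE_SG_ID))
```

Against the constructed data the audit reports the port 22 rule and confirms egress is open. To run it against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()` and set the two group IDs to your own; the rule dictionaries have the same keys.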