EC2 with Kubernetes - Should I disallow EC2 from accessing external networks to improve safety?

amazon-ec2 kubernetes cloud google-cloud-platform

Solution 1:

You’re confusing two things:

  1. EC2 accessing outside world, and
  2. Outside world accessing the EC2

The first one - EC2 accessing outside world - means that the instances initiate the connections out. It typically isn’t an issue, your instances may need access to the world for updates, sending out logs, pulling container images, etc. If they don’t have direct access you’ll have to provide a proxy, vpc endpoints, or some other means to work around the restrictions.

The second one - Outside world accessing the EC2 - limits how to connect to your instances. It’s recommended to use Application Load Balancer in front of your instances for multiple reasons:

  • with kubernetes you don’t know the IPs and ports of your pods, ALB provides a unified frontend IP
  • you can terminate SSL and use Amazon-issued SSL certificates (ACM) on the ALB
  • it protects you from some attacks
  • etc.

So yes, use a Load Balancer on the way in but don’t restrict outside access from the instances unless your security team dictates you to do so and you’re ready to deal with the extra operational and cost overhead (proxies, vpc endpoints, etc).

Hope that helps :)

Related

Ansible server can't ssh to CentOS 8 machine through -m ping
Server 2012 AD-DS Setup Fails (Microsoft.Directory.Services.Deployment.DeepTasks.DeepTasks not found)
How do I Turbo Boost in Macbook Pro
Can you prevent iMessage texts from being deleted?
Macintosh HD can't be opened because the original file can't be found
After installing Phyton3.6 , Terminal won't see it. Why? [duplicate]
How exactly is PATH calculated?
New powercord for MacBook
OS X 10.6: Applications crash when sounds play
Do MP3's encoded by iTunes contain my email address, and how can I remove it?
How do I assign a Razer DeathAdder Black Edition key to Mission Control?
Keyboard shortcuts for new window in Chrome or iTerm2