If I use EC2 Discovery Plugin do I necessarily give internet access to my instances?

Hi everyone!

I'm trying to configure tight security rules for my Elasticsearch cluster,
meaning that the network access rules must be exactly what is needed. Now
I've found that the EC2 Discovery plugin makes a call to AWS
(ec2.us-east-1.amazonaws.com:443), and for that I would need to give
internet access to my Elasticsearch instances.

That said, it is a big drawback for my security configuration because I
cannot tie the call to a fixed IP, nor to a fixed port, and hence my
access rules would be wide open.

Can you please tell me how you manage this security issue on AWS?

Thank you very much!

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/936cd83a-a080-4409-8e5d-0b10463abcbd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi David,
Indeed, the plugin makes AWS API calls (ec2 describe instances) in order
to find candidates to cluster with. Unfortunately, if memory serves me
right, those are to external IPs...

Hint - tinyproxy with whitelist on your NAT gw, and proper env
configuration so that the client side (Java, in this case) is aware of the
proxy.

Cheers,
B
On 19/11/2014 10:01 am, "David Vasquez" davidvasquez09@gmail.com wrote:

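The whitelist-on-a-proxy idea from the reply above, as an added example that is not from any poster in the thread: it writes a default-deny tinyproxy configuration that only lets CONNECT through to the endpoint named in the question, then checks hostnames against the filter. The listen port 8888, the 10.0.0.0/16 client range, the directory layout and the function names are assumptions, and `grep -E` stands in for tinyproxy's own regex matching; the JVM still has to be pointed at the proxy separately.

```shell
#!/bin/sh
# Added example: default-deny tinyproxy allowlist for the EC2 API endpoint.
# Port 8888, the 10.0.0.0/16 range and all paths are assumed values.

EC2_ENDPOINT="ec2.us-east-1.amazonaws.com"   # endpoint named in the thread

# Write tinyproxy.conf and its filter file into directory $1.
write_proxy_config() {
    dir="$1"
    mkdir -p "$dir"
    # One anchored POSIX extended regex per line, dots escaped, so that
    # "ec2xus-east-1..." or "...amazonaws.com.example.net" cannot match.
    printf '^%s$\n' "$(printf '%s' "$EC2_ENDPOINT" | sed 's/\./\\./g')" > "$dir/filter"
    cat > "$dir/tinyproxy.conf" <<EOF
Port 8888
Allow 10.0.0.0/16
Filter "$dir/filter"
FilterExtended On
FilterDefaultDeny Yes
ConnectPort 443
EOF
}

# Return 0 if host $2 on port $3 would pass the allowlist in directory $1.
# grep -E approximates tinyproxy's extended-regex filter matching.
proxy_would_allow() {
    dir="$1"; host="$2"; port="$3"
    grep -q "^ConnectPort $port\$" "$dir/tinyproxy.conf" || return 1
    printf '%s\n' "$host" | grep -Eq -f "$dir/filter"
}

# Demo on constructed targets: only the first one should be allowed.
demo_dir="$(mktemp -d)"
write_proxy_config "$demo_dir"
for target in "$EC2_ENDPOINT:443" "$EC2_ENDPOINT:80" "$EC2_ENDPOINT.example.net:443"; do
    if proxy_would_allow "$demo_dir" "${target%:*}" "${target##*:}"; then
        echo "allow $target"
    else
        echo "deny  $target"
    fi
done
```

With the proxy in place, the instances' security group only needs egress to the proxy host and port rather than to the internet at large.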

I had the same problem yesterday. What I did was create an Elastic IP and
associate it with your EC2 instance. In the security group you need to open
both the private IP and the Elastic IP. Try it.

On Wednesday, November 19, 2014 8:01:48 AM UTC-5, David Vasquez wrote:


Yes... but this might not be an option if your instance is in a private
subnet... it also means handling all your IPs like this (though in theory
you don't need internal IPs, security group id/name would do as well...) -
there are limits to how many rules you can add to a secgroup...

At the same time, adding an EIP would complicate the OP's apparent sec
requirements...
On 20/11/2014 12:04 pm, wellszhane@xteros.com wrote:
