AWS ElasticSearch: How to find the associated security group

I am trying to find the security group of my Elasticsearch domain in AWS but from the Elasticsearch console, I can't find it. My ES domain is not inside a VPC but is exposed to the Web with some authentication.
What I want to do is to whitelist some IP addresses and block the rest and I wanted to implement it using the security group.

There is no security group but an access policy where you can whitelist IP addresses or ARNs. This can be done from the ElasticSearch console.

Related

Connecting subdomain to firebase

I am trying to use dynamic links for Firebase using my custom domain link.
For the above purpose, I added the custom domain on Firebase web hosting and followed all the steps, but the status is still showing as "Needs setup".
My main domain points to some other host, the subdomains point to some AWS Elastic IPs, and now the newly created subdomain to Firebase IPs. The DNS provider that I am using is Cloudflare.
www.maindomain.com => Webflow host
subdomain1.maindomain.com => AWS Elastic IP 1
subdomain2.maindomain.com => AWS Elastic IP 2
firebasesubdomain.maindomain.com => Firebase IP records (A records).
I cannot delete all the A records just to point to Firebase, since the AWS Elastic IPs are my live servers serving my customers. So my question is: keeping all of the above records intact, is there a way to point my subdomain to Firebase and transfer only the subdomain's ownership to Firebase, where then I can easily create dynamic links for that domain as well?
When connecting a domain to Firebase Hosting, you must ensure your A records are pointing directly to the Firebase IP addresses. You can check this using e.g.:
dig firebasesubdomain.maindomain.com
If the Cloudflare proxy is turned on, Cloudflare will set the A records to their own IP addresses and Firebase Hosting will not be able to recognize the IPs. You should turn off the Cloudflare proxy, as Firebase Hosting is already serving content over a CDN and proxying will only introduce additional latency.

IP addresses / ranges required for Azure Search to index Cosmos DB

I have a Cosmos DB locked down to a VNet (and its subnets) and am looking to have this Cosmos DB be a data source for Azure Search.
When I attempt to configure it, it complains about being blocked by the firewall.
If I enable "Accept connections from within public Azure datacenters", it still complains about being blocked by a firewall.
If I remove the "Accept connections from within public Azure datacenters" setting and grant access to the following IP, 13.76.208.129, it works.
Is it only 13.76.208.129 that is actually required for integration, or is there a larger range I need to add into the firewall?
As mentioned in this documentation page:
If your search service has only one search unit (that is, one replica and one partition), the IP address will change during routine service restarts, invalidating an existing ACL with your search service's IP address.
One way to avoid the subsequent connectivity error is to use more than one replica and one partition in Azure Search. Doing so increases the cost, but it also solves the IP address problem. In Azure Search, IP addresses don't change when you have more than one search unit.

How to restrict AWS security group outbound rules

Usually we set the AWS security group outbound rule to ALL since we may need to download/upgrade something from the internet, using any port, from any IPs.
One concern is: what if somebody who logs in to EC2 tries to upload the company's important data to his personal cloud storage?
If we can restrict AWS security group outbound rules, then this can be avoided.
I see some similar posts about the concern on security group outbound settings, such as:
AWS Security Group for RDS - Outbound rules, but all the responses said it is fine to set outbound as ALL, or just restrict to a few ports.
I still want to raise the question again. For example, how to resolve the above concern I have? And if we do not have a solution, then is restricting ports to 80/443 enough if we just want to upgrade/update the OS and app, not anything else?

Setup VPN for database instance on Google Cloud SQL

I have a MySQL database instance on Google Cloud SQL. Currently it has over 10 authorized IP addresses since multiple teams are accessing it from various locations. I would like to know if I can set up a VPN to this database instance and authorize just this IP address, instead of 10 addresses.
If that's possible, I would also like to know how many user accounts I can create for one VPN. I could not understand the Google Cloud documentation about setting up a VPN. Please provide links to websites/tutorials/documentation that can help me with setting up a VPN in Google Cloud Platform.
Thanks.
Using Cloud VPN and authorizing only its external IP will not work for two reasons:
1) You cannot specify in Cloud SQL a private network (for example, 10.x.x.x) as an authorized network, as documented here.
2) Packets will arrive at Cloud SQL after decapsulation, which means that Cloud SQL gets them as if they come from different source IPs.
If you want a more secure connection without IP whitelisting, maybe use the Cloud SQL Proxy.

AWS SimpleDB: can I find out which IPs connect to it or which domains get queried the most?

We've been working on a collaborative project using AWS and in particular SimpleDB. Lately, our SDB costs have been going through the roof and we're trying to figure out what's going on. Is there any way to find out which IP addresses connect to it?
EDIT: If we can't find out which IPs are accessing SDB to get data from it, is it at least possible to determine how much each of our SDB domains gets queried, in terms of the number of queries to a domain and/or the total amount of data getting pulled from a domain?
AWS IAM allows you to put a condition on the user's IP address using AWS IAM AWS-Wide Policy Keys. Here is the link: Managing Users for Amazon SimpleDB using AWS IAM.
Here is the example to allow requests only if they come from a certain IP address or range (source).
Allow requests only if they come from a certain IP address or range
This policy is for an IAM group that all users in a company belong to. The policy denies access to all actions in the account unless the request comes from the IP range 192.0.2.0 to 192.0.2.255 or 203.0.113.0 to 203.0.113.255. (The policy assumes the IP addresses for the company are within the specified ranges.) A typical use is for Amazon VPC, where you might expect all your users' requests to originate from a particular IP address, and so you want to deny requests from any other address.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
        }
      }
    }
  ]
}
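Added example, not code from the answers above or from AWS: a small evaluator for the aws:SourceIp conditions used both in the Deny/NotIpAddress group policy just quoted and in an Elasticsearch domain access policy of the kind the first answer points to (Allow with an IpAddress condition). The policies, CIDR ranges and domain ARN are constructed placeholders, and the evaluation logic is the simplified rule that an explicit Deny wins over any Allow.

```python
import fnmatch
import ipaddress

# Constructed example policies (placeholders, not from any real account). The first
# mirrors the Deny/NotIpAddress group policy quoted above; the second is a hypothetical
# Elasticsearch domain access policy that allows es:* only from one office CIDR.
DENY_OUTSIDE_OFFICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"NotIpAddress": {
                       "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}],
}
ES_DOMAIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                   "Resource": "arn:aws:es:us-east-1:111122223333:domain/placeholder/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}}],
}

def source_ip_matches(source_ip, cidrs):
    """True if source_ip falls inside any CIDR; an IPv6 client never matches IPv4 ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_holds(condition, source_ip):
    """Evaluate only the IpAddress / NotIpAddress operators on the aws:SourceIp key."""
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        matched = source_ip_matches(source_ip, cidrs)
        if operator == "IpAddress" and not matched:
            return False
        if operator == "NotIpAddress" and matched:
            return False
    return True

def decide(policies, action, source_ip):
    """Simplified IAM evaluation: explicit Deny wins; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if not condition_holds(stmt.get("Condition", {}), source_ip):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # a Deny statement whose condition holds overrides everything
            decision = "Allow"
    return decision
```

Note that the Deny-only group policy never grants anything by itself: a request from inside the listed ranges is still implicitly denied until a separate Allow (such as the domain access policy) applies.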
