‹ Gareth Oakley

FQDN based Security Groups

Jun 07, 2020

If you’re used to setting up classic firewalls, you might be used to having the ability to allow ingress/egress not just from specific IP addresses or CIDR blocks but also from specific FQDNs (hostnames). Whilst there are caveats with these kinds of rules, it can be a useful ability to have - it’s easy to setup and ensure access to resources is kept up to date in instances where the IP address might change semi-frequently. You can’t define FQDN based security group rules in AWS - but there is a way to emulate it.

Normally a firewall provides FQDN based rules either by:

  • Making a reverse IP lookup for a PTR record when it encounters an IP address to check if it matches a specified FQDN
  • Frequently resolving the current IP addresses for a specified FQDN and caching the result to decide if access to IP addresses are allowed/denied

We can’t do the former using security groups (there isn’t a way to decide on the fly if a connection will be allowed), but we can do the latter and frequently update the rules in a security group to match the IP addresses associated with a FQDN. Put together - we can use Lambda triggered on a schedule by CloudWatch Events to:

  • Retrieve a list of security groups (with a tag describing the group should allow access for a specified FQDN)
  • For each group - resolve the specified FQDN
  • Update the rules for the security group - authorizing/revoking IP addresses as required

You’ll find the code I put together for this on Github. There are some caveats:

  • The IP addresses some FQDNs resolve to can change very frequently - trying to allow e.g. google.com won’t work for this reason
  • Currently the code doesn’t check the TTL - so if a client has resolved a FQDN with a long TTL and it changes the rule will block the old IP addresses.

To use - create a security group without any rules and specify the following tags:

  • security-group-fqdn:ingress - Specify a hostname to use for inbound requests
  • security-group-fqdn:egress - Specify a hostname to use for outbound requests
  • security-group-fqdn:from-port - Defaults to 443
  • security-group-fqdn:to-port - Defaults to 443
  • security-group-fqdn:protocol - Defaults to tcp

After a few minutes the security group rules will be automatically updated.