FQDN based Security Groups
Jun 07, 2020
If you’re used to setting up classic firewalls, you might be used to having the ability to allow ingress/egress not just from specific IP addresses or CIDR blocks but also from specific FQDNs (hostnames). Whilst there are caveats with these kinds of rules, it can be a useful ability to have - it’s easy to set up, and it keeps access to resources up to date in cases where the IP address changes semi-frequently. You can’t define FQDN based security group rules in AWS - but there is a way to emulate it.
Normally a firewall provides FQDN based rules either by:
- Making a reverse IP lookup for a PTR record when it encounters an IP address to check if it matches a specified FQDN
- Frequently resolving the current IP addresses for a specified FQDN and caching the result to decide if access to IP addresses are allowed/denied
We can’t do the former using security groups (there isn’t a way to decide on the fly if a connection will be allowed), but we can do the latter and frequently update the rules in a security group to match the IP addresses associated with a FQDN. Put together - we can use Lambda triggered on a schedule by CloudWatch Events to:
- Retrieve a list of security groups (with a tag describing the group should allow access for a specified FQDN)
- For each group - resolve the specified FQDN
- Update the rules for the security group - authorizing/revoking IP addresses as required
You’ll find the code I put together for this on Github. There are some caveats:
- The IP addresses some FQDNs resolve to can change very frequently - trying it with google.com won’t work for this reason
- Currently the code doesn’t check the TTL - so if a client has resolved a FQDN with a long TTL and the record changes, the updated rules will block the old IP addresses.
To use - create a security group without any rules and specify the following tags:
- security-group-fqdn:ingress - Specify a hostname to use for inbound requests
- security-group-fqdn:egress - Specify a hostname to use for outbound requests
- security-group-fqdn:from-port - Defaults to 443
- security-group-fqdn:to-port - Defaults to 443
- security-group-fqdn:protocol - Defaults to tcp
After a few minutes the security group rules will be automatically updated.
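As an added example (this is not the author’s GitHub code), here is the reconciliation loop described above written as a Lambda handler: read the security-group-fqdn tags with the documented defaults, resolve the FQDN, diff the resolved addresses against the rules already in the group, and authorize/revoke only the difference for the tagged port and protocol. The tag names come from the post; the boto3 calls and response fields (describe_security_groups, authorize/revoke_security_group_ingress/egress, IpPermissions, IpPermissionsEgress) are the real EC2 API. Two assumptions are mine: only IPv4 A records are handled, and the resolver and EC2 client are injected so the diff logic can be run and checked offline without AWS credentials.

```python
import socket
from typing import Callable, Iterable

TAG_PREFIX = "security-group-fqdn:"


def parse_tags(tags: Iterable[dict]) -> dict:
    """Turn the group's Tags list into settings, applying the post's defaults
    (ports 443/443, protocol tcp)."""
    kv = {t["Key"]: t["Value"] for t in tags if t["Key"].startswith(TAG_PREFIX)}
    return {
        "ingress": kv.get(TAG_PREFIX + "ingress"),
        "egress": kv.get(TAG_PREFIX + "egress"),
        "from_port": int(kv.get(TAG_PREFIX + "from-port", 443)),
        "to_port": int(kv.get(TAG_PREFIX + "to-port", 443)),
        "protocol": kv.get(TAG_PREFIX + "protocol", "tcp"),
    }


def resolve_ipv4(fqdn: str) -> set:
    """Default resolver: the FQDN's current IPv4 addresses as /32 CIDRs
    (IPv4-only is an assumption of this example)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return {f"{info[4][0]}/32" for info in infos}


def current_cidrs(permissions: list, settings: dict) -> set:
    """CIDRs already in the group for the tagged port/protocol only, so any
    rules for other ports are left alone."""
    found = set()
    for perm in permissions:
        if (perm.get("IpProtocol") == settings["protocol"]
                and perm.get("FromPort") == settings["from_port"]
                and perm.get("ToPort") == settings["to_port"]):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found


def ip_permission(cidrs: set, settings: dict) -> list:
    """Build the IpPermissions payload boto3 expects; empty list means no call."""
    if not cidrs:
        return []
    return [{
        "IpProtocol": settings["protocol"],
        "FromPort": settings["from_port"],
        "ToPort": settings["to_port"],
        "IpRanges": [{"CidrIp": c} for c in sorted(cidrs)],
    }]


def plan_changes(group: dict, resolver: Callable[[str], set] = resolve_ipv4) -> dict:
    """Diff freshly resolved addresses against existing rules, per direction."""
    settings = parse_tags(group.get("Tags", []))
    plan = {}
    for direction, perm_key in (("ingress", "IpPermissions"),
                                ("egress", "IpPermissionsEgress")):
        fqdn = settings[direction]
        if not fqdn:
            continue  # direction not requested via tags
        desired = resolver(fqdn)
        existing = current_cidrs(group.get(perm_key, []), settings)
        plan[direction] = {
            "authorize": ip_permission(desired - existing, settings),
            "revoke": ip_permission(existing - desired, settings),
        }
    return plan


def apply_plan(ec2, group_id: str, plan: dict) -> None:
    """Push a plan to EC2; `ec2` is a boto3 EC2 client (or a stand-in)."""
    calls = {
        "ingress": (ec2.authorize_security_group_ingress,
                    ec2.revoke_security_group_ingress),
        "egress": (ec2.authorize_security_group_egress,
                   ec2.revoke_security_group_egress),
    }
    for direction, change in plan.items():
        authorize, revoke = calls[direction]
        if change["authorize"]:
            authorize(GroupId=group_id, IpPermissions=change["authorize"])
        if change["revoke"]:
            revoke(GroupId=group_id, IpPermissions=change["revoke"])


def handler(event, context):
    """Lambda entry point, triggered on a CloudWatch Events schedule."""
    import boto3  # imported lazily so the diff logic above runs without it
    ec2 = boto3.client("ec2")
    keys = [TAG_PREFIX + "ingress", TAG_PREFIX + "egress"]
    resp = ec2.describe_security_groups(Filters=[{"Name": "tag-key", "Values": keys}])
    for group in resp["SecurityGroups"]:
        apply_plan(ec2, group["GroupId"], plan_changes(group))


if __name__ == "__main__":
    # Constructed sample group and a fake resolver so this runs offline.
    sample = {"GroupId": "sg-0example", "IpPermissionsEgress": [],
              "Tags": [{"Key": TAG_PREFIX + "ingress", "Value": "api.example.test"}],
              "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "IpRanges": [{"CidrIp": "203.0.113.5/32"}]}]}
    print(plan_changes(sample, resolver=lambda _: {"203.0.113.6/32"}))
```

Because the diff is restricted to the tagged port/protocol, a group that also carries hand-written rules on other ports is not touched; and because only the set difference is sent, a run where the resolution has not changed makes no API calls at all. The TTL caveat from the post still applies: this code swaps the rule set as soon as the answer changes, regardless of what clients may have cached.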