When creating a new cluster in AWS, Qovery assigns a security group to the EC2 instances that make up the Kubernetes cluster. There are several ports in this security group that can be hit from any source IP. This goes against our company’s security policies, so I was wondering if there was a way to lock these ports down or find out more information about what they serve and what other services need access to them. Thank you.
We’ve just released this week (but not yet announced) new cluster advanced settings to block or restrict the scope of databases. I’m pretty sure this is what you wanted to restrict. Please correct me if I’m wrong or if some rules are missing.
To achieve this, please find options in the cluster advanced settings:
Thank you for the response. I assumed that’s what the ports were for. I am still running into a couple of issues however.
Is there a way to identify which ports correspond to which database? i.e. I have a port 30357 that is reachable by any source IP. What database “deny_public_access” should I set in advanced settings? Is there documentation for which port goes to which database?
I actually set “deny_public_access” to True in advanced settings for all databases for my cluster, but nothing actually changed for the security group in AWS. It still says that those ports are still open to the public.
I know I can just change the settings in AWS, but I’d rather change the settings in Qovery if possible to make sure I don’t break anything. If the preferred course of action is to change the ports in AWS I can do that. Would Qovery overwrite those settings by chance? Not sure how that works.
We’re using the default database ports to make it simple.
The ports between 30000-32767 are used by Kubernetes when a service is set (more info). It shouldn’t be a problem since it’s accessible only for NodePorts (so public access is requested). If it’s a problem, you can add NAT gateways in front of your cluster with the Static IP feature.
There are actually 2 separate issues here. First, I understand the database ports now. The reason it didn’t seem to update is that when you set “deny public access” to True, the allowed CIDRs are still 0.0.0.0/0 so I just needed to change those.
The second issue was the NodePorts which you answered in your second bullet.
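One way to audit this from the defender's side, as an added example that is not Qovery's code or part of the thread: feed the JSON from `aws ec2 describe-security-groups` to a small checker that flags every ingress rule still allowing `0.0.0.0/0` or `::/0`, and labels each hit as NodePort range, default database port, or other. The sample group, its placeholder id, and the database port table are constructed assumptions.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (placeholder group id, not a real one).
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

NODEPORT_RANGE = (30000, 32767)  # Kubernetes NodePort range mentioned in the thread
# Assumed default ports for the engines a cluster like this typically exposes.
DEFAULT_DB_PORTS = {5432: "postgresql", 3306: "mysql", 27017: "mongodb", 6379: "redis"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (any network with a zero-length prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def classify(from_port, to_port):
    """Label a port range by what it most likely serves on this kind of cluster."""
    if from_port is None:  # IpProtocol "-1" rules carry no ports: everything is open
        return "all-traffic"
    if from_port == to_port and from_port in DEFAULT_DB_PORTS:
        return "database:" + DEFAULT_DB_PORTS[from_port]
    if from_port <= NODEPORT_RANGE[1] and to_port >= NODEPORT_RANGE[0]:
        return "nodeport"
    return "other"


def find_public_ingress(sg):
    """Return (from_port, to_port, label) for each ingress rule open to any source IP."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_world_open(c) for c in sources):
            continue  # restricted to specific CIDRs: not a finding
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        findings.append((lo, hi, classify(lo, hi)))
    return findings


if __name__ == "__main__":
    for lo, hi, label in find_public_ingress(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {lo}-{hi} open to the world ({label})")
```

Rules labelled `nodeport` are the Kubernetes service ports from the reply above; `database:*` hits are the ones whose allowed CIDRs still need narrowing even after `deny_public_access` is set.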
I can understand it’s not crystal clear on the product side because it’s the advanced settings (will report to the product team, cc @a_carrano), but the documentation should help you better understand how advanced settings work.