AWS Security Group

ISSUE

When creating a new cluster in AWS, Qovery assigns a security group to the EC2 instances that make up the Kubernetes cluster. There are several ports in this security group that can be hit from any source IP. This goes against our company’s security policies, so I was wondering if there was a way to lock these ports down or find out more information about what they serve and what other services need access to them. Thank you.

-Colin

Hi @colin ,

We’ve just released this week (but not yet announced) new cluster advanced settings to block or restrict the scope of databases. I’m pretty sure this is what you wanted to restrict. Please correct me if I’m wrong or if some rules are missing.

To achieve this, please find options in the cluster advanced settings:

I hope this will suit your needs.

Pierre

Hello Pierre,

Thank you for the response. I assumed that’s what the ports were for. I am still running into a couple of issues however.

  1. Is there a way to identify which ports correspond to which database? i.e. I have a port 30357 that is reachable by any source IP. What database “deny_public_access” should I set in advanced settings? Is there documentation for which port goes to which database?
  2. I actually set “deny_public_access” to True in advanced settings for all databases for my cluster, but nothing actually changed for the security group in AWS. It still says that those ports are still open to the public.

I know I can just change the settings in AWS, but I’d rather change the settings in Qovery if possible to make sure I don’t break anything. If the preferred course of action is to change the ports in AWS I can do that. Would Qovery overwrite those settings by chance? Not sure how that works.

-Colin

Hi Colin,

For databases:

  • We’re using the default database ports to make it simple
  • The ports between 30000-32767 are used by Kubernetes when a service is set (more info). It shouldn’t be a problem since it’s accessible only for NodePorts (so public access is requested). If it’s a problem, you can add NAT gateways in front of your cluster with the Static IP feature.
  • To disable access per DB kind, please have a look at cluster settings Cluster Advanced Settings | Docs | Qovery
  • If you updated the advanced settings and it’s not working, please redeploy the cluster. Rules are only applied after this is done.

We do not recommend updating AWS settings manually to avoid breaking changes (like your rules being automatically removed).

I hope it will help

Pierre

There are actually 2 separate issues here. First, I understand the database ports now. The reason it didn’t seem to update is that when you set “deny public access” to True, the allowed CIDRs are still 0.0.0.0/0 so I just needed to change those.

The second issue was the NodePorts which you answered in your second bullet.

Thank you.
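An added example (not part of the thread and not Qovery's own code) of checking for the two situations Colin and Pierre describe: it reads a security group in the shape of `aws ec2 describe-security-groups` JSON output, flags every ingress rule whose source includes 0.0.0.0/0 or ::/0, and labels each one as a Kubernetes NodePort (30000-32767), a default database port, or something else; it then checks a cluster advanced-settings document for `deny_public_access` set to true while the matching allowed-CIDR list still contains 0.0.0.0/0, which is exactly the case Colin ran into. The security group content, the default-port table and the `database.<kind>.allowed_cidrs` key name are constructed assumptions; only the `database.<kind>.deny_public_access` key pattern comes from the thread.

```python
import ipaddress

# Kubernetes NodePort range named in the thread.
NODEPORT_RANGE = (30000, 32767)

# Default engine ports; the thread says Qovery keeps the defaults. This
# table is constructed for the example and is not a Qovery artefact.
DEFAULT_DB_PORTS = {5432: "postgresql", 3306: "mysql", 27017: "mongodb", 6379: "redis"}

# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`
# (--output json). The group id and rules are illustrative only.
SAMPLE_SG = {
    "GroupId": "sg-0000000000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 30357, "ToPort": 30357,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# Constructed advanced-settings document. The deny_public_access key follows the
# pattern quoted in the thread; the allowed_cidrs key name is an assumption.
SAMPLE_SETTINGS = {
    "database.mongodb.deny_public_access": True,
    "database.mongodb.allowed_cidrs": ["0.0.0.0/0"],
    "database.postgresql.deny_public_access": True,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/8"],
    "database.redis.deny_public_access": False,
    "database.redis.allowed_cidrs": ["0.0.0.0/0"],
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (any prefix of length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def classify_port(port: int) -> str:
    """Label a single port as a default DB port, a NodePort, or other."""
    if port in DEFAULT_DB_PORTS:
        return "database:" + DEFAULT_DB_PORTS[port]
    if NODEPORT_RANGE[0] <= port <= NODEPORT_RANGE[1]:
        return "kubernetes-nodeport"
    return "other"


def world_open_rules(sg: dict) -> list:
    """Return every ingress rule whose source set includes the whole internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_sources = [c for c in sources if is_world_open(c)]
        if not open_sources:
            continue
        lo = perm.get("FromPort", 0)       # absent when IpProtocol is "-1" (all traffic)
        hi = perm.get("ToPort", 65535)
        kind = classify_port(lo) if lo == hi else "port-range"
        findings.append({"from": lo, "to": hi, "kind": kind, "sources": open_sources})
    return findings


def ineffective_deny_rules(settings: dict) -> list:
    """Database kinds where deny_public_access is true but the allow-list still admits everyone."""
    kinds = []
    for key, value in settings.items():
        if not key.endswith(".deny_public_access") or value is not True:
            continue
        kind = key.split(".")[1]
        cidrs = settings.get(f"database.{kind}.allowed_cidrs", [])  # assumed key name
        if any(is_world_open(c) for c in cidrs):
            kinds.append(kind)
    return sorted(kinds)


if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {f['from']}-{f['to']} ({f['kind']}) open to {f['sources']}")
    print("deny_public_access without effect for:", ineffective_deny_rules(SAMPLE_SETTINGS))
```

Run against a real group by replacing `SAMPLE_SG` with one element of the `SecurityGroups` array from the AWS CLI output; the NodePort findings are the ones Pierre says are expected with a public cluster, while a world-open default database port together with a non-empty `ineffective_deny_rules` result points at an allowed-CIDR list that still needs narrowing (after which, as the thread notes, the cluster must be redeployed for the rules to take effect).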

I can understand it’s not crystal clear product side because it’s the advanced settings (will report to the product cc @a_carrano ), but from the documentation, it should better help you on how advanced settings work.

For example Cluster Advanced Settings | Docs | Qovery you can read:

List of allowed CIDRS. Valid only when database.mongodb.deny_public_access is set to true

Thanks for the report. Hope you got all your answers. Feel free to tell me if something is missing.

Pierre
