6

I am using AWS and looking for any comments on best practices regarding permitting connections to my DB from specific IPs on the Internet. I could give the DB a public IP and just lock down the firewall to only allow connections from the specific IPs that need to connect.

I could probably also use a bastion host in the public subnet and allow the 3rd parties to connect directly to the DB through the bastion.

Any other thoughts or assessments of my proposed options would be greatly appreciated. (VPN is not an option here due to the connecting 3rd parties.)

jay-charles
  • 1,229
  • 1
  • 11
  • 15

1 Answers1

2

In general, if you lock down the requesting IPs, the DB authentication requests will never hit the DB, so you won't have to worry about a DOS attack on the DB directly. With AWS specifically, you have the ability to take advantage of a VPC. This is sort of like a VPN but instead you could provide the 3rd parties with their own server endpoint inside of your private cloud. This way the public internet is completely bypassed. If you can't do that, you could consider building an interface (web service or api) for your 3rd party access, without giving them "keys to the castle". And if you can't do that, I don't see any issues with locking down the IPs.

I'd recommend changing the connection port too, even with the firewall in place.

TTT
  • 9,212
  • 4
  • 20
  • 32
  • Good idea on connection port! Yes, this is in a VPC. I'm not totally sure what you mean by "provide 3rd parties with their own server endpoint inside of your private cloud." It would have to be in a public subnet with port opened to the source IPs of the third parties? Am I missing some feature when you say "server endpoint." How is the public Internet bypassed here? – jay-charles Aug 20 '15 at 01:08
  • I meant you could spin up a new instance inside of your VPC with the sole purpose of providing public internet access to your third parties. So that instance would be public to the internet and locked down with the firewall rules, and then you can give it specific access to the DB. Basically this new instance would act like your bastion host in the public subnet. Whether this helps you really depends on what the 3rd parties are going to do with the DB. Basically it's just another layer of protection that you can easily control. – TTT Aug 20 '15 at 15:05