 

Limiting External Access to AWS SQL Server Instance

I have a SQL Server instance on AWS that I have opened to external access by altering my security group to allow access from "Everywhere".

+-------------+----------+------------+--------------------------+
|    Type     | Protocol | Port Range |         Source           |   
+-------------+----------+------------+--------------------------+
|    MSSQL    | TCP      |    1433    | Custom  0.0.0.0/0        |
|    MSSQL    | TCP      |    1433    | Custom  ::/0             | †
+-------------+----------+------------+--------------------------+

I would like to restrict access to this database, though not via IP addresses, since the service I will use to access it has no static IP.

How can I tighten inbound access to this database for use with an external service (e.g. a Firebase function or a NodeJS application)?

† AWS security group rule that is generated when "Everywhere" and "MSSQL" are selected in the Security Group inbound rules section

1252748 asked Dec 25 '19 01:12


3 Answers

AFAIK, there is no direct way to achieve this without knowing the static IP or the IP range from which you need to access your EC2 instance (where you host your SQL Server).

But...

You can include your instance behind an API Gateway and then enable IAM authentication for the API method in the API Gateway. Then use IAM policies (along with resource policies) to designate permissions for your API's users.

More: https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/

Mouneer answered Oct 13 '22 00:10


There is no direct way to restrict.

AWS Cloud - solution (all services / instance in AWS)

If your NodeJS application is running on AWS, or you are using the AWS Lambda service, you can allow access across security groups alone within the same VPC. (If multiple accounts are used, VPC peering can be done.)

Santhosh S answered Oct 13 '22 00:10
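One way to check whether a group still carries the two "Everywhere" rules from the question, and to see what the security-group-referenced form this answer describes looks like, as an added example that is not from the question or any of the answers. It assumes rules in the IpPermissions shape that boto3's describe_security_groups returns, with constructed data and a placeholder group ID so it runs offline.

```python
# Added example (not from the question or answers): audit security-group rules
# in the IpPermissions shape boto3 returns. Data is constructed; IDs are placeholders.

MSSQL_PORT = 1433
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # the two rules "Everywhere" generates

# Constructed: the rule set from the question (open to everywhere).
OPEN_TO_WORLD = [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "UserIdGroupPairs": []},
]

# Constructed: same port, but the source is another security group in the VPC
# (the one attached to the Lambda / NodeJS app), as this answer suggests.
SG_REFERENCED = [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0placeholderapp"}]},  # placeholder ID
]


def covers_port(perm, port):
    """True if the permission's protocol/port range includes `port`."""
    if perm.get("IpProtocol") == "-1":            # "All traffic" rule
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_sources(perms, port=MSSQL_PORT):
    """CIDRs that expose `port` to the whole internet (IPv4 and IPv6)."""
    found = []
    for perm in perms:
        if not covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        found += [c for c in cidrs if c in WORLD_CIDRS]
    return found


def sg_sources(perms, port=MSSQL_PORT):
    """Security-group IDs allowed to reach `port` (the tightened form)."""
    return [pair["GroupId"] for perm in perms if covers_port(perm, port)
            for pair in perm.get("UserIdGroupPairs", [])]
```

Running `world_open_sources(OPEN_TO_WORLD)` returns both world CIDRs, while the referenced form returns none and `sg_sources` lists only the app's group.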


For your scenario, where you would like to restrict access to a publicly accessible database, like everyone else said, I couldn't think of a way other than the plain old VPN solution. Your client connects to the database through the VPN, and you move the database instance to private subnets. But I am not sure how feasible it is for you to implement it.

Arun Kamalanathan answered Oct 12 '22 23:10