There is a scenario where we have a web application which is deployed on a public subnet in a VPC. This webapp is accessible from the internet. As soon as the user tries to log in to the webapp, the app has the logic to initiate a request to a license server (which is located somewhere in Europe outside the AWS environment and needs internet access to be reached), but the request times out. Checking nslookup and telnet on the AWS server, we noted that port 443 (HTTPS) seems not to be enabled. Please suggest what areas should be modified in this case to enable the AWS server's webapp to send a request to the external license server and receive a response, considering security best practices.
What you need to be looking at are the Security groups.
You will have a Security Group that allows traffic to your EC2 instance, however if that instance is calling the licence server, you will also need Security Group rules allowing that Outbound traffic.
I cannot advise you on best practice; that will depend on your industry and the compliance requirements that you have. However, nothing that you can do to restrict who can get in and who cannot get out will improve your security posture.
Talk to your security team/ person. Clarify what traffic actually needs to get out.
90% of the time you should be able to resolve this with well designed Security Group rules.
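To make the outbound-rule point concrete, here is an added example (not from the original thread or from AWS) that models security group egress rules as the `IpPermissions` entries the EC2 API uses and checks whether the instance may open TCP/443 to the license server. The license server address is a constructed TEST-NET placeholder; a real deployment substitutes the actual address or CIDR.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for the license server in Europe (TEST-NET-3 range).
LICENSE_SERVER_IP = "203.0.113.25"
LICENSE_SERVER_PORT = 443


def egress_rule(protocol, from_port, to_port, cidr):
    """One egress rule in the shape of an EC2 IpPermissions entry."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port, "CidrIp": cidr}


def egress_allowed(rules, dest_ip, dest_port, protocol="tcp"):
    """True if any rule permits a new outbound connection to dest_ip:dest_port.
    Security groups are stateful, so the license server's reply needs no
    matching ingress rule once the outbound connection is permitted."""
    dest = ip_address(dest_ip)
    for r in rules:
        proto_ok = r["IpProtocol"] in ("-1", protocol)
        port_ok = r["IpProtocol"] == "-1" or r["FromPort"] <= dest_port <= r["ToPort"]
        if proto_ok and port_ok and dest in ip_network(r["CidrIp"]):
            return True
    return False


def is_overbroad(rule):
    """Flag rules that let the instance reach any destination on any port."""
    return rule["IpProtocol"] == "-1" or rule["CidrIp"] in ("0.0.0.0/0", "::/0")


def to_cli_permission(rule, description):
    """Render a TCP rule as the --ip-permissions JSON that
    `aws ec2 authorize-security-group-egress` accepts (the call itself is not made here)."""
    return {"IpProtocol": rule["IpProtocol"], "FromPort": rule["FromPort"], "ToPort": rule["ToPort"],
            "IpRanges": [{"CidrIp": rule["CidrIp"], "Description": description}]}


# The failing state from the question: ingress for the web app exists, but no
# egress rule covers HTTPS, so the call to the license server times out.
NO_EGRESS = []

# Scoped fix: TCP/443 only to the license server's address.
SCOPED_EGRESS = [egress_rule("tcp", 443, 443, f"{LICENSE_SERVER_IP}/32")]

# Also "works", but lets the instance reach anything on the internet.
OPEN_EGRESS = [egress_rule("-1", 0, 65535, "0.0.0.0/0")]
```

Running `egress_allowed` against each rule set shows why the scoped rule is the one to add: it unblocks the license check without opening all outbound traffic.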
Hi Rusty, thank you for the quick reply and for sharing the security group user guide URL. Thanks & Regards, Chintan