Blocking Public IP Address from EKS Cluster

Introduction

By default, a network access control list (network ACL) is configured to allow all traffic to flow in and out of the subnets with which it is associated. Currently in our environment, the public subnets are associated with a network ACL that has the following default rules:

Inbound rules

| Rule # | Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

Outbound rules

| Rule number | Type | Protocol | Port range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All traffic | All | All | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |

The above default rules mean that all public traffic can reach resources sitting in these subnets, including the Network Load Balancer that serves traffic to the nodes in the cluster.

Adding deny rules to the public network ACL

If there is a requirement to block traffic from a specific public IP address (or addresses) from reaching the cluster (for example, in the event of a cyber attack from a particular host), we can add deny rules to the public network ACL.

The rules are added with Terraform by updating public-nacl-rules.tf. The file contains commented-out placeholder resources for introducing ingress and egress deny rules.

Steps to add deny rules:

  1. Pull infrastructure repository
  2. Create a new branch
  3. Uncomment the placeholder code and update the cidr_block with the IP address (or range) you want to block.
  4. Merge into main
  5. Monitor traffic from the blocked IP address in OpenSearch to confirm that it stops: use the index pattern live_kuberbetes_ingress-* and filter on log_processed.remote_addr.
  6. Consider when to unblock. See the SOC advice on unblocking.

N.B. The rule_number needs to be less than 100 for the deny rule to take precedence over the default Allow All rule: network ACL rules are evaluated in ascending rule-number order and the first matching rule wins.

It should look like the following:

```hcl
resource "aws_network_acl_rule" "deny_inbound_1" {
  network_acl_id = module.vpc.public_network_acl_id
  rule_number    = 10   # must be lower than the default allow rule (100)
  egress         = false
  protocol       = "-1" # -1 means all protocols
  rule_action    = "deny"
  cidr_block     = "##.##.##.##/32" # the address (or range) to block
  from_port      = 0
  to_port        = 0
}

resource "aws_network_acl_rule" "deny_outbound_1" {
  network_acl_id = module.vpc.public_network_acl_id # same public network ACL as the inbound rule
  rule_number    = 10
  egress         = true
  protocol       = "-1" # -1 means all protocols
  rule_action    = "deny"
  cidr_block     = "##.##.##.##/32"
  from_port      = 0
  to_port        = 0
}
```
Raise a PR and merge. The infrastructure pipelines in Concourse will create the new rules in the public network ACL. You can verify that the rules have been created by viewing the public network ACL in the AWS console; it will look like the following:

Inbound rules

| Rule number | Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 10 | All traffic | All | All | #.##.##.##/32 | Deny |
| 100 | All traffic | All | All | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |

Outbound rules

| Rule number | Type | Protocol | Port range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 10 | All traffic | All | All | #.##.##.##/32 | Deny |
| 100 | All traffic | All | All | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |
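To see why the rule number matters, here is an added example (not part of this runbook or the infrastructure repository) that models network ACL evaluation in Python: rules are tried from the lowest number upward and the first match wins, so a deny at 10 beats the default allow at 100, while the same deny placed at 110 never fires. The rule sets mirror the tables above and 203.0.113.7 is a constructed documentation address standing in for the blocked host; deny_is_effective is a hypothetical post-merge check, not a tool the platform provides.

```python
"""Model of how an AWS network ACL evaluates its rules (added example).
Rules are tried from the lowest rule number upward and the first match
wins; the catch-all "*" rule denies whatever nothing else matched.  The
rule sets are constructed from this page's tables; 203.0.113.7 is a
documentation address standing in for a blocked host."""
import ipaddress


def make_rule(number, cidr, action, egress=False):
    """One aws_network_acl_rule with protocol -1 / all ports, as on the page."""
    return {"rule_number": number, "cidr_block": cidr,
            "rule_action": action, "egress": egress}


# Default public NACL: rule 100 allows all IPv4 traffic in both directions.
DEFAULT_RULES = [make_rule(100, "0.0.0.0/0", "allow"),
                 make_rule(100, "0.0.0.0/0", "allow", egress=True)]

BLOCKED = "203.0.113.7"  # constructed example address


def with_deny(number):
    """Default rules plus an inbound and an outbound deny for BLOCKED at `number`."""
    return DEFAULT_RULES + [make_rule(number, BLOCKED + "/32", "deny"),
                            make_rule(number, BLOCKED + "/32", "deny", True)]


def evaluate(rules, address, egress=False):
    """Return 'allow' or 'deny' for a packet from (ingress) or to (egress) `address`."""
    ip = ipaddress.ip_address(address)
    ordered = sorted((r for r in rules if r["egress"] == egress),
                     key=lambda r: r["rule_number"])
    for rule in ordered:
        if ip in ipaddress.ip_network(rule["cidr_block"]):
            return rule["rule_action"]
    return "deny"  # the implicit "*" rule


def deny_is_effective(rules, cidr):
    """Post-merge check: in both directions the deny for `cidr` must sort
    before every allow rule whose range covers it, or it never fires."""
    net = ipaddress.ip_network(cidr)
    for egress in (False, True):
        same_dir = [r for r in rules if r["egress"] == egress]
        denies = [r["rule_number"] for r in same_dir if r["rule_action"] == "deny"
                  and ipaddress.ip_network(r["cidr_block"]) == net]
        allows = [r["rule_number"] for r in same_dir if r["rule_action"] == "allow"
                  and net.subnet_of(ipaddress.ip_network(r["cidr_block"]))]
        if not denies or (allows and min(allows) <= min(denies)):
            return False
    return True
```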

This page was last reviewed on 1 June 2026. It needs to be reviewed again on 1 December 2026 by the page owner #cloud-platform-notify.