How to update security group rules and WAF rules with dynamic ip address

0

Hi, need some advice here. We switched our broadband service provider and the subscription plan. The new plan does not provide a fixed IP address. In the past, we used the fixed IP address as the source in the inbound rule of some security groups to allow traffic from our office. But now, the office IP address keeps changing. How can I manage the inbound rules automatically when the IP address changes on the router side?

2 Answers
2
Accepted Answer

You could create a Lambda function to update the security group(s) for you - but how will you know when the IP address changes?

Putting my "how would I hack this together" hat on:

If there is a DNS record which you could look up and it provides the IP address: Trigger the Lambda function every 'x' minutes using an EventBridge rule; if the IP address is different to the one in the security group then update it. Not the most efficient way but it would work.

If you have some compute device on premises I would have it check to see what the external/public IP address is - if it has changed then that device could (with the right permissions) update the security group directly; or it could trigger the Lambda function via API Gateway or a Lambda function URL.

So it comes down to: How do you know when the IP address changes?

AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
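The scheduled-Lambda approach described in the accepted answer, as an added example that is not part of the original answer or any AWS-provided code. It assumes a DNS name that tracks the office's public address (a hypothetical dynamic-DNS record, `office.example.com`), a placeholder security group ID and port supplied through environment variables, boto3 available in the Lambda runtime, and an EventBridge schedule that invokes `lambda_handler`. The function only touches ingress rules whose description carries the constructed marker `office-dynamic-ip`, so rules managed by hand are left alone; the planning logic is kept separate from the AWS calls so it can be exercised offline.

```python
"""Scheduled Lambda: keep one security-group ingress rule in sync with a DNS name.

Added example (not from the original answer). Names, IDs and the DNS record
below are placeholders; real values come from the Lambda environment.
"""
import ipaddress
import os
import socket

DNS_NAME = os.environ.get("OFFICE_DNS_NAME", "office.example.com")   # hypothetical DDNS record
GROUP_ID = os.environ.get("SECURITY_GROUP_ID", "sg-0123456789abcdef0")  # placeholder ID
PORT = int(os.environ.get("PORT", "443"))
RULE_DESC = "office-dynamic-ip"  # constructed marker identifying the rule this function owns


def resolve_ipv4(name):
    """Resolve a DNS name to a single /32 CIDR, or None if resolution fails."""
    try:
        ip = socket.gethostbyname(name)
    except socket.gaierror:
        return None
    return f"{ipaddress.IPv4Address(ip)}/32"


def _perm(cidr, port):
    """Build the IpPermission structure EC2 expects for one TCP port and one CIDR."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": RULE_DESC}]}


def plan_change(ip_permissions, desired_cidr, port):
    """Compare current ingress rules with the desired one.

    Returns (to_revoke, to_authorize). Only ranges carrying RULE_DESC are ever
    revoked; any existing range with the desired CIDR (however described) counts
    as already present, so EC2's duplicate-rule error is avoided.
    """
    stale = []
    already_present = False
    for perm in ip_permissions:
        if (perm.get("IpProtocol") != "tcp"
                or perm.get("FromPort") != port or perm.get("ToPort") != port):
            continue
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] == desired_cidr:
                already_present = True
            elif rng.get("Description") == RULE_DESC:
                stale.append(rng["CidrIp"])
    to_revoke = [_perm(c, port) for c in stale]
    to_authorize = [] if already_present else [_perm(desired_cidr, port)]
    return to_revoke, to_authorize


def lambda_handler(event, context):
    """EventBridge-scheduled entry point: resolve, diff, then apply the change."""
    import boto3  # imported here so the planning logic above runs without AWS

    desired = resolve_ipv4(DNS_NAME)
    if desired is None:
        return {"status": "dns-failed"}   # keep the old rule rather than cut off the office
    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[GROUP_ID])["SecurityGroups"][0]
    to_revoke, to_authorize = plan_change(group["IpPermissions"], desired, PORT)
    # Authorize the new address before revoking the old one to avoid a no-access window.
    if to_authorize:
        ec2.authorize_security_group_ingress(GroupId=GROUP_ID, IpPermissions=to_authorize)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=GROUP_ID, IpPermissions=to_revoke)
    return {"status": "ok", "cidr": desired,
            "revoked": len(to_revoke), "authorized": len(to_authorize)}


if __name__ == "__main__":
    # Constructed sample: the group currently allows an old office address and a partner range.
    sample_perms = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": RULE_DESC},
                                  {"CidrIp": "198.51.100.0/24", "Description": "partner"}]}]
    revoke, authorize = plan_change(sample_perms, "203.0.113.77/32", 443)
    print("revoke:", [p["IpRanges"][0]["CidrIp"] for p in revoke])
    print("authorize:", [p["IpRanges"][0]["CidrIp"] for p in authorize])
```

The Lambda's execution role needs only `ec2:DescribeSecurityGroups`, `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress`, ideally scoped to the one group ID. Polling every few minutes means there is still a window after the ISP reassigns the address during which the old rule admits whoever inherits that address, which is the trade-off the answer alludes to.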
1

Hello.

How about using AWS ClientVPN and NAT Gateway to set a fixed IP as introduced in the AWS blog below?
Although costs such as NAT Gateway will be incurred, there is no need to introduce a mechanism to update security group inbound rules to dynamic IP addresses.
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • ClientVPN and NAT are both expensive. Will adopt the solution proposed by Brettski above. Thanks.