- Newest
- Most votes
- Most comments
Hello.
Do you allow the port number your Flask app is listening on in your security group?
For example, if you set it to listen on HTTP port 80, you need to allow port 80 in the security group.
The same goes for SSH, port 22 must be allowed in the security group.
By the way, are you changing the settings for the correct security group?
For example, if you are using ALB, you need to change the settings in the ALB security group to allow HTTP.
Hello,
Absolutely, I can help you restrict access to your Dockerized Flask web server on the EC2 instance to only your device/network.
1.Find your public IP: Ensure you are using the correct public IP address. and find out your IP.
- Add a rule for HTTP (assuming your Flask application uses port 80):
2.Security Groups:
- SSH: Allow only your current IP (e.g., 123.45.67.89/32) on port 22.
- Flask (port 5000): Allow access from either:
- Your network subnet (if static IP, ask your network admin for CIDR).
- A bastion host (if dynamic IP, create another EC2 instance with SSH access only from your device). The Flask server allows access only from the bastion host's IP.
Hello Nithin,
Hope you are doing well
Yes, you can limit the Security Group to use only approved CIDR however you need to ensure the range is correctly added to Security Group. It seems its only working for you when its allowed to 0.0.0.0/0 hence I would suggest you to collect a quick Network Trace on the EC2 Instance to know the Source, Destination IP with required ports.
Based upon the traffic seen on the traces you can modify your Security Group.
For Network Trace you can Netsh command or any Network capture tools such as Wireshark.
Good to know : If a request comes into a web server in your VPC from a Windows 10 client on the internet, your network ACL must have an outbound rule to enable traffic destined for ports 49152-65535.
If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on).
In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the deny rules earlier in the table than the allow rules that open the wide range of ephemeral ports.
I hope I was able to answer your query :)
Reference links: Netsh Commands for Network Trace : https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11) Working With Captured Packets : https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html#ChWorkViewPacketsSection Ephemeral ports : https://docs.aws.amazon.com/vpc/latest/userguide/nacl-ephemeral-ports.html
Relevant content
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
Hi Riku, I am using host=0.0.0.0 in flask (in code, app.run(host=0.0.0.0) ). And in security group for the EC2 instance (I am not using alb) I have provided my network's ip address. And it is not working. Even for simple ssh to connect with the instance it is not working.
When using SSH using EC2 Instance Connect, you need to set the IP address of EC2 Instance Connect in the inbound rule of the security group. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html#ec2-instance-connect-setup-security-group
The IP address differs depending on the region you are using, so search for "EC2_INSTANCE_CONNECT" from the URL below and set the IP address of the region you are using in the inbound rule of the security group. https://ip-ranges.amazonaws.com/ip-ranges.json