Secure Ingress Filtering for EC2-based Training Clusters

Question

Pulumi · Accepted Answer

In AWS, securing ingress to EC2 instances as part of a training cluster involves several steps. We will create a Virtual Private Cloud (VPC) to isolate the training cluster from the public internet. Within this VPC, we can apply security measures such as Security Groups to control inbound traffic at the instance level and Network Access Control Lists (ACLs) to control traffic at the subnet level.

In this program, we will set up a VPC with a public and private subnet. The training cluster's EC2 instances will be placed within the private subnet, and we will create Security Group rules that allow specific ingress traffic necessary for our training purposes. So let's break down the steps:

1. **VPC Creation**: A VPC will be created to contain the training cluster's network.
2. **Subnets Setup**: A private subnet, which is not directly accessible from the public internet, will be configured to place the EC2 instances.
3. **Internet Gateway**: For internet access, an Internet Gateway will be attached to our VPC.
4. **Route Table Configuration**: We will set up a route table that routes traffic appropriately within the VPC and out to the internet. The private subnet will only allow egress traffic through a NAT Gateway for additional security.
5. **Security Groups**: We will define Ingress rules that specify accessible ports and IP ranges for secure access to the EC2 instances.
6. **EC2 Instances**: Instances of EC2 will be launched within the private subnet and associated with our security group.

Let's go through the Pulumi program in Python that achieves this setup:

```python
import pulumi
import pulumi_aws as aws

# Create a new VPC for our training cluster
vpc = aws.ec2.Vpc("trainingClusterVpc",
    cidr_block="10.0.0.0/16",
    enable_dns_support=True,
    enable_dns_hostnames=True,
    tags={"Name": "trainingClusterVpc"}
)

# Create an internet gateway for our VPC for outbound traffic
internet_gateway = aws.ec2.InternetGateway("vpcInternetGateway",
    vpc_id=vpc.id,
    tags={"Name": "vpcInternetGateway"}
)

# Create a public subnet
public_subnet = aws.ec2.Subnet("publicSubnet",
    vpc_id=vpc.id,
    cidr_block="10.0.1.0/24",
    map_public_ip_on_launch=True,
    tags={"Name": "publicSubnet"}
)

# Create a private subnet for our EC2 instances to keep them not directly accessible
private_subnet = aws.ec2.Subnet("privateSubnet",
    vpc_id=vpc.id,
    cidr_block="10.0.2.0/24",
    map_public_ip_on_launch=False,
    tags={"Name": "privateSubnet"}
)

# Create a route table for the public subnet
public_route_table = aws.ec2.RouteTable("publicRouteTable",
    vpc_id=vpc.id,
    routes=[
        aws.ec2.RouteTableRouteArgs(
            cidr_block="0.0.0.0/0",
            gateway_id=internet_gateway.id,
        ),
    ],
    tags={"Name": "publicRouteTable"}
)

# Associate the route table to the public subnet
route_table_association = aws.ec2.RouteTableAssociation("routeTableAssociation",
    subnet_id=public_subnet.id,
    route_table_id=public_route_table.id
)

# Create a security group that allows SSH access from the internet
security_group = aws.ec2.SecurityGroup("securityGroup",
    vpc_id=vpc.id,
    description="Allow SSH and specific training-related ports",
    ingress=[
        aws.ec2.SecurityGroupIngressArgs(
            protocol="tcp",
            from_port=22,   # SSH port
            to_port=22,
            cidr_blocks=["0.0.0.0/0"], # Adjust this to your IP range for restricted access
        ),
        # Further ingress rules can be added as required for training
    ],
    tags={"Name": "trainingClusterSecurityGroup"}
)

# Create an EC2 instance for training cluster
ec2_instance = aws.ec2.Instance("trainingInstance",
    instance_type="t2.micro",
    vpc_security_group_ids=[security_group.id],
    ami="ami-0c55b159cbfafe1f0",  # This is an example AMI, replace with a proper one
    subnet_id=private_subnet.id,
    key_name="training_key_pair",  # Replace with your key pair name
    # Additional configurations...
    tags={"Name": "trainingInstance"}
)

# Output the DNS of the EC2 instance
pulumi.export("instancePublicDns", ec2_instance.public_dns)
```

In this program, we have created a VPC and subnets suitable for a private training cluster, set up an Internet Gateway only for outbound traffic, and defined security group rules to secure SSH access. The training EC2 instances are running within a private subnet, which enhances security by not exposing them directly to the internet. Instead, access can be restricted to particular IP ranges and ports.

Do remember to replace the placeholders like `ami-0c55b159cbfafe1f0` and `training_key_pair` with actual values. Also, adjust the `cidr_blocks` in security group ingress rules according to your network requirements to restrict the access as needed.

The above script should be run within an AWS Pulumi project and Python environment with necessary access permissions set up. Make sure the AWS environment is configured with the appropriate credentials before running the program with `pulumi up`.