How to limit access to Amazon EC2 to IP ranges

Question

I have an Amazon EC2 instance that hosts different services (cassandra db, elasticsearch, rabbitmq, mysql...) used by several developers at different locations. Since these developers have dynamic IP addresses, and this EC2 instance is used only for development, I left inbound access to required ports opened to 0.0.0.0. I'm aware that this is absolutely not recommended, and I should limit access, but I don't want to change the rules every day as someone's IP address change.

However, I just got report from Amazon that my instance is used for DoS attack, so I would like to fix this.

My question is if it is possible to make a rule that will limit access to several ranges such as:

94.187.128.0 - 94.187.255.255

147.91.0.0 - 147.91.255.255

Answer 1

Definitely yes, because the ranges you meant aren't just ranges but match CIDR.

The range which cannot be expressed as CIDR won't be accepted:

You can use IPcalc or similar site to make it easier.

If it fits you, you can use port range like 2000-3000, or, better, use custom ports for the services. Then the range will be e.g. 2000-2001, and using port ranges you can fit one user into one rule.

Alternative, more secure but more difficult way: a web page, user connects there with proper security key. If the key is recognized then a script on the server adds rule to a group using the client's IP. Another script by cron deletes the rules older than X hours. To check it deeper you may want to look e.g. here: On apache side check Two-way SSL authentication, on AWS side check API and Command Overview