Reputation: 819
Redshift Copy and Unload Security
I have my Redshift cluster sitting in a private subnet, which is completely locked down. I want to run COPY and UNLOAD commands in Redshift, which will interact with an S3 bucket. I get that I will want to use a VPC endpoint to attach the S3 bucket, but I see nothing in the documentation showing how to open the correct ports to the correct IP ranges to allow COPY and UNLOAD to happen, and the only way I could get it to work for now is to keep Inbound and Outbound Network ACLs and Security Groups wide open. I'm not comfortable running this in production, and there must be a better way to secure Redshift for these operations.
Any help is much appreciated!
Upvotes: 4
Views: 1058
Answers (3)
Reputation: 5860
Another possible cause for this is Enhanced VPC Routing https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html
If this is enabled, and your cluster doesn't have a public IP, and your VPC is locked down to outside traffic, then you will need to create a VPC Endpoint for S3 to keep all traffic internal to your VPC.
Ref: https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-working-with-endpoints.html
Upvotes: 1
Reputation: 270039
Security Groups are sufficient for protecting an Amazon Redshift cluster.
NACLs are notoriously difficult to configure on resources due to the way that systems communicate. For example, an Amazon EC2 instance can send a request to Redshift on port 5439. The packet includes a return address that has a randomly selected port on the EC2 instance where the response should be sent. This is the way that computers handle responses when they send multiple requests to a system.
The downside is that you do not know which port will be required to send back the response. This is why you are experiencing problems configuring your NACL.
Security Groups, however, are stateful and automatically allow outbound responses back to the port specified in the original request. Just think of them as intelligent NACLs.
Bottom line: Use Security Groups, not NACLs.
Upvotes: 1
Reputation: 11
Assuming that Redshift accesses S3 as a web service (like everything else does), then opening 443 outbound should be sufficient. Security groups don't block return traffic, so there's no need to leave inbound ports open (except 5439, of course, for specified sources).
But why are you concerned with blocking outbound traffic from Redshift? Normally you would only block outbound traffic if there was a concern that an uncontrolled program would run on a server. You may be over-thinking your network configuration.
Upvotes: 1
Related Questions
- Redshift copy command recursive scan
- Amazon RedShift Copy Command
- How to UNLOAD Redshift permissions?
- Unable to UNLOAD the information schema from Redshift to S3
- Redshift ROLLBACK for COPY
- UNLOAD Redshift: append
- Unload from Redshift to an S3 bucket of a box
- Amazon Redshift COPY command fails with following error
- Where to run the copy command for Amazon Redshift
- Copy error Amazon Redshift loading from S3