Reputation: 51
I'm struggling with isolating my instance from the internet - I'm doing it by configuring Security Groups. Now I have a problem that my logs can't be sent to CloudWatch, so I want to allow outbound traffic to logs.us-west-2.amazonaws.com, but I'm not sure how to do it. This question is similar to this one - the idea there was to add the CloudWatch IP to the outbound rules. This solution, in my opinion, is not ideal - we rely on a single IP. Is there any better solution to this problem? I was thinking about adding rules for aws-ip-ranges but didn't find the CloudWatch service there. Maybe some of you know what the range is for CloudWatch?
Upvotes: 1
Views: 1126
Reputation: 238199
For private communication with CloudWatch (CW) Logs, the best choice would be to use VPC Interface Endpoints for CW Logs.
This way, all traffic between your instance and CW Logs does not use the internet and happens within the AWS private network.
If you want to deny all internet traffic from your instance, place it in a private subnet whose route table has no route to a NAT gateway. Access to CW Logs will happen through the private interface endpoint.
Upvotes: 2
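As an added illustration (not part of the question or the answer above), here is a Terraform configuration for the setup the answer describes: a CloudWatch Logs interface endpoint in us-west-2, and security groups where the instance's only outbound rule references the endpoint's security group instead of any IP range. The VPC id and subnet ids are placeholders.

```hcl
# Added example (not from the question or answer): Terraform for a CloudWatch Logs
# interface endpoint in us-west-2 plus the two security groups. The VPC id and
# subnet ids are placeholders that must be replaced with real values.
variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "private_subnets" { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }

# Instance security group: Terraform removes the AWS default allow-all egress rule,
# so its only outbound rule is HTTPS to the endpoint's security group (no IP ranges).
resource "aws_security_group" "instance" {
  name   = "cw-logs-client"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "logs_endpoint" {
  name   = "cw-logs-endpoint"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "instance_to_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.instance.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.logs_endpoint.id
}

resource "aws_security_group_rule" "endpoint_from_instance" {
  type                     = "ingress"
  security_group_id        = aws_security_group.logs_endpoint.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance.id
}

# Interface endpoint for CloudWatch Logs. private_dns_enabled makes
# logs.us-west-2.amazonaws.com resolve to the endpoint's private IPs inside the
# VPC, so the log agent on the instance needs no configuration change.
resource "aws_vpc_endpoint" "logs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.us-west-2.logs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnets
  security_group_ids  = [aws_security_group.logs_endpoint.id]
  private_dns_enabled = true
}
```

Private DNS on the endpoint requires the VPC's DNS support and DNS hostnames attributes to be enabled, and the instance's subnet route table must contain no route to an internet or NAT gateway for the isolation to hold.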