Auto update for EC2 security groups


Access to services on an Amazon Web Services EC2 instance is controlled by security groups. These allow you to have, say, port 80 available to anyone but have other ports only accessible from specific IP address(es). If the IP address supplied by your ISP is dynamic or, at least, not static, you can find yourself shut out of your own services until you’ve updated the EC2 security groups.

Updating groups is easy enough but with more than one it’s just a pain to have to do. And what have you missed while those services were inaccessible?

The utility documented (and source code provided) in this post solves the problem by checking your IP address periodically to update any security groups with a new IP address if a change is detected. It will also send you an email when changes are made or if internet connectivity fails.

Download

Download the source code

Configuring the utility

The utility is written using C#. Like all .NET programs, configuration information is supplied in a configuration file. Here’s an empty configuration file:

<?xml version="1.0"?>
<configuration>
	<appSettings>
		<add key="AWSAccessKey" value=""/>
		<add key="AWSSecretKey" value=""/>
		<!-- Enter the previous IP address here -->
		<add key="PreviousAddress" value="" />
		<!-- Enter the address of the mail server.
			  If not defined or empty no emails will be sent. -->
		<add key="MailServer" value=""/>
		<!-- Enter the address of the recipient(s) who are to receive notification emails.
			 If not defined or empty no emails will be sent. -->
		<add key="Recipient" value=""/>
		<!-- The url to find out the current IP address -->
		<add key="IPAddressCheck" value="" />
	</appSettings>
	<!-- Only relevant if .NET 4.0 is installed! -->
	<startup>
		<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
	</startup>
</configuration>

Most of these are obvious. PreviousAddress can be left blank. It will be used by the utility when it first checks your IP address. The reason for IPAddressCheck is covered in Checking the IP address below.

Checking the IP address

The utility discovers your external IP address (the one EC2 uses) by polling a nominated external web page you create. The page returns your current reported IP address (and only this) in the body of the response to a web request. Below is an example of a PHP script which will do the job:

<?php
// Output only the caller's address as seen by this web server, nothing else.
// REMOTE_ADDR holds the IP address; REMOTE_HOST (if set at all) holds a hostname.
echo $_SERVER['REMOTE_ADDR'];
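The core of the utility's update step, as an added Python illustration rather than the author's C# code: validate the body the check page returns (it is untrusted input that ends up inside a security-group rule) and work out, per group, which /32 rules to revoke and re-authorise so that open rules such as 0.0.0.0/0 on port 80 are never touched. The group structure mirrors the EC2 DescribeSecurityGroups response shape; the sample groups, group ids and addresses are constructed for the example.

```python
import ipaddress

def parse_reported_ip(body: str):
    """Validate the IPAddressCheck page body: it is untrusted input that ends up in a
    security-group rule, so accept exactly one IPv4 address; return None otherwise."""
    text = body.strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version != 4 or addr.is_loopback or addr.is_link_local \
            or addr.is_multicast or addr.is_unspecified:
        return None
    return str(addr)

def plan_updates(groups, previous_ip, current_ip):
    """Return [(group_id, revoke_permissions, authorize_permissions), ...].
    `groups` mirrors the EC2 DescribeSecurityGroups response. Only /32 rules naming
    previous_ip are moved; 0.0.0.0/0 on port 80 or other people's /32s stay untouched."""
    old_cidr, new_cidr = f"{previous_ip}/32", f"{current_ip}/32"
    plan = []
    for group in groups:
        revoke, authorize = [], []
        for perm in group.get("IpPermissions", []):
            if any(r.get("CidrIp") == old_cidr for r in perm.get("IpRanges", [])):
                base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
                revoke.append({**base, "IpRanges": [{"CidrIp": old_cidr}]})
                authorize.append({**base, "IpRanges": [{"CidrIp": new_cidr}]})
        if revoke:
            plan.append((group["GroupId"], revoke, authorize))
    return plan

# Constructed sample groups (RFC 5737 documentation addresses), not real data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.10/32"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "198.51.100.10/32"}, {"CidrIp": "203.0.113.5/32"}]},
    ]},
]

if __name__ == "__main__":
    current = parse_reported_ip("198.51.100.77\n")  # what the check page would return
    for group_id, revoke, authorize in plan_updates(SAMPLE_GROUPS, "198.51.100.10", current):
        print(group_id, "revoke:", revoke, "authorize:", authorize)
```

In the real utility each (revoke, authorize) pair maps onto a RevokeSecurityGroupIngress and AuthorizeSecurityGroupIngress call for that group; revoking only after the new rule is authorised avoids a window in which you are locked out.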

Installing as a service

Obviously you want this utility to run all the time, so it is implemented as a Windows service. To install the utility as a service you will need to use the .NET InstallUtil. Normally this utility is available in one of the following directories, depending upon the version of the framework you use:

c:\Windows\Microsoft.NET\Framework\v4.0.30319 or
c:\Windows\Microsoft.NET\Framework\v2.0.50727

To start the utility use the command:

NET START AWSSGMonitor

Or find the service with the name Update AWS Security Groups in the services applet.
