Last active: September 27, 2024 17:49
Add CloudFlare IP addresses to an EC2 Security Group using awscli
```bash
# first we download the list of IP ranges from CloudFlare
wget https://www.cloudflare.com/ips-v4
# set the security group ID
SG_ID="sg-00000000000000"
# iterate over the IP ranges in the downloaded file
# and allow access to ports 80 and 443
# (the "|| [ -n "$p" ]" clause also processes a last line that has no trailing newline)
while read -r p || [ -n "$p" ]
do
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges="[{CidrIp=$p,Description='Cloudflare'}]"
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$p,Description='Cloudflare'}]"
done < ips-v4
rm ips-v4
```
Thank you for the above script @Kcrong, however it seems that the while loop is not reading the last IP address in that list, so following this Stack Overflow suggestion (https://stackoverflow.com/a/12916758) I've used the for loop and added both ports 80 and 443 [for the Cloudflare IPs] and also 22, but only for my IP.
```bash
#!/bin/bash
SG_ID=""   # set your security group ID here, e.g. sg-00000000000000000

# Delete all existing rules (skipped when the group has none, because an
# empty --ip-permissions list makes the revoke call fail)
existing=$(aws ec2 describe-security-groups --output json --group-ids "$SG_ID" --query "SecurityGroups[0].IpPermissions")
if [ "$existing" != "[]" ]; then
  aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --ip-permissions "$existing"
fi

# Adding ipv4
for p in $(curl --fail --silent https://www.cloudflare.com/ips-v4)
do
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges="[{CidrIp=$p,Description='Cloudflare - updated by instance'}]"
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$p,Description='Cloudflare - updated by instance'}]"
  echo "$p has been added"
done
echo "IPv4 completed"

# Get my IP (the public address seen by ifconfig.me) and allow SSH from it only
my_ip=$(curl --fail --silent ifconfig.me)
echo "starting to add your IP for SSH"
aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges="[{CidrIp=$my_ip/32,Description='Cloudflare - updated by instance'}]"
echo "your IP added for SSH"
```
Not sure if this is still being watched by anyone, but I found it extremely helpful and figured I'd update the chain with what I consider the final script for both ipv4 and ipv6:
```bash
#!/bin/bash
SG_ID="sg-00000000000000000"

# Delete all existing rules (skipped when the group has none, because an
# empty --ip-permissions list makes the revoke call fail)
existing=$(aws ec2 describe-security-groups --output json --group-ids "$SG_ID" --query "SecurityGroups[0].IpPermissions")
if [ "$existing" != "[]" ]; then
  aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --ip-permissions "$existing"
fi

# Adding ipv4
for p in $(curl --fail --silent https://www.cloudflare.com/ips-v4)
do
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges="[{CidrIp=$p,Description='Cloudflare IPv4 - updated by instance'}]"
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$p,Description='Cloudflare IPv4 - updated by instance'}]"
  echo "$p has been added"
done
echo "IPv4 completed"

# Adding ipv6 (note the Ipv6Ranges/CidrIpv6 keys instead of IpRanges/CidrIp)
for p in $(curl --fail --silent https://www.cloudflare.com/ips-v6)
do
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,Ipv6Ranges="[{CidrIpv6=$p,Description='Cloudflare IPv6 - updated by instance'}]"
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,Ipv6Ranges="[{CidrIpv6=$p,Description='Cloudflare IPv6 - updated by instance'}]"
  echo "$p has been added"
done
echo "IPv6 completed"
```
The only thing I'm having trouble with is capturing "my IP", since I'm running this via CloudShell. Oh well, doesn't hurt to still manually do that once in a while.
thanks 🙏
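An added example, not code from the gist or from any of the commenters: instead of revoking every rule and re-adding the list (which also drops the SSH rule until the script recreates it), this diffs the CIDRs currently described as 'Cloudflare' in the group against the published list and prints only the aws commands actually needed, after validating each CIDR. The JMESPath query in the comments is an assumption, and the sample input uses RFC 5737 documentation ranges constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the gist: sync only the 'Cloudflare' rules by diffing
# the CIDRs already in the group against the published list. Rules with other
# descriptions (e.g. the SSH rule) are never touched, unlike the revoke-all loops.

# Accept only syntactically valid IPv4 CIDRs; nothing else reaches the aws CLI.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# $1: whitespace-separated CIDRs currently tagged Cloudflare, $2: CIDRs from
# https://www.cloudflare.com/ips-v4. Prints sorted "authorize <cidr>" and
# "revoke <cidr>" lines; a range present in both lists produces nothing.
cf_sync_plan() {
  {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed 's/^/C /'
    printf '%s\n' "$2" | tr -s '[:space:]' '\n' | sed 's/^/D /'
  } | awk '$2 != "" { if ($1 == "C") cur[$2] = 1; else des[$2] = 1 }
           END { for (c in cur) if (!(c in des)) print "revoke", c
                 for (d in des) if (!(d in cur)) print "authorize", d }' | sort
}

# Reads plan lines on stdin and prints one aws command per action and port
# (80 and 443) for security group $1; review the output, then pipe it to sh.
plan_to_aws() {
  while read -r action cidr; do
    valid_cidr "$cidr" || { echo "skipping invalid CIDR: $cidr" >&2; continue; }
    for port in 80 443; do
      printf "aws ec2 %s-security-group-ingress --group-id %s --ip-permissions IpProtocol=tcp,FromPort=%s,ToPort=%s,IpRanges=\"[{CidrIp=%s,Description='Cloudflare'}]\"\n" \
        "$action" "$1" "$port" "$port" "$cidr"
    done
  done
}

# Constructed sample input (RFC 5737 documentation ranges, not Cloudflare's):
# one stale rule to revoke, one new range to add, one bad line to reject.
SAMPLE_CURRENT=$(printf '192.0.2.0/24\n198.51.100.0/24')
SAMPLE_DESIRED=$(printf '192.0.2.0/24\n203.0.113.0/24\nnot-a-cidr')

# Real use (assumed JMESPath query; needs aws and curl configured):
#   SG_ID=sg-00000000000000000
#   current=$(aws ec2 describe-security-groups --group-ids "$SG_ID" --output text \
#     --query "SecurityGroups[0].IpPermissions[?FromPort==\`80\`].IpRanges[?Description=='Cloudflare'].CidrIp")
#   desired=$(curl --fail --silent https://www.cloudflare.com/ips-v4)
#   cf_sync_plan "$current" "$desired" | plan_to_aws "$SG_ID"
cf_sync_plan "$SAMPLE_CURRENT" "$SAMPLE_DESIRED" | plan_to_aws sg-00000000000000000
```

With the sample data the plan revokes 198.51.100.0/24, authorizes 203.0.113.0/24 and rejects the malformed line, so four aws commands are printed.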
My two cents here.