
I have an EC2 instance behind CloudFlare and whilst utilising the flow log to ensure any traffic that isn't coming from CloudFlare is being blocked, I saw requests coming from an Amazon IP which is in the same subnet as my VPC public IP.

If I continue to block that IP, it makes the site unavailable. Once I allow it through, it works.

Can anyone shed any light as to why these requests from Amazon are happening? The EC2 instance is a web server which depends on an RDS instance, but the RDS IP is not the Amazon IP that is repeatedly connecting to my EC2 instance, so I am not sure it's that.

Is this just how AWS talks to my EC2?

Thanks Brad

  • Amazon IP which is in the same subnet as my VPC public IP. What does that actually mean, "in the same subnet?" Do you mean the first three octets are the same? (That puts it in the same /24, but to say the "same subnet" doesn't make sense since you have no way of seeing the actual subnetting). In what sense is this address "connecting to" your instance? Over HTTP? If so, what is in your application's logs? What requests does it make? Commented Jun 2, 2016 at 3:05
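As an added example (not part of the question or any answer on this page), the check described above, "use the flow log to confirm that anything not coming from CloudFlare is blocked," can be done offline against exported VPC flow log records. The script parses the default version 2 flow log format, compares each inbound source address to an allowlist of CIDRs, and reports which non-allowlisted sources the security group ACCEPTed to the web ports (the ones worth investigating, as in the question) versus REJECTed (the filter working as intended). The CIDRs and log lines are constructed sample data; in practice the allowlist would be loaded from Cloudflare's published list at https://www.cloudflare.com/ips-v4.

```python
import ipaddress
from collections import Counter

# Constructed stand-ins for the CDN's published ranges; load the real list
# from https://www.cloudflare.com/ips-v4 (and ips-v6) instead of hardcoding.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Field order of the default VPC flow log record format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]

# Constructed sample records: two allowlisted sources, one unknown source that
# was first ACCEPTed and then REJECTed on 443, and a rejected SSH probe.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51234 443 6 12 3400 1464800000 1464800060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.5 40201 443 6 8 1200 1464800000 1464800060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.5 40202 443 6 5 700 1464800060 1464800120 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 33333 443 6 20 9000 1464800000 1464800060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51235 22 6 3 200 1464800000 1464800060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1464800120 1464800180 - NODATA
"""


def parse_record(line):
    """Split one flow log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_allowed(addr):
    """True if the source address falls inside any allowlisted CIDR."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_CIDRS)


def audit(log_text, web_ports=(80, 443)):
    """Summarise inbound flows to the web ports from non-allowlisted sources.

    Returns two Counters keyed by source address, holding packet totals:
    accepted (reached the instance despite not being allowlisted) and
    rejected (blocked by the security group / NACL as intended).
    """
    accepted, rejected = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        # NODATA / SKIPDATA records carry '-' in place of addresses; skip them.
        if rec is None or rec["log_status"] != "OK":
            continue
        if int(rec["dstport"]) not in web_ports:
            continue
        if is_allowed(rec["srcaddr"]):
            continue
        bucket = accepted if rec["action"] == "ACCEPT" else rejected
        bucket[rec["srcaddr"]] += int(rec["packets"])
    return accepted, rejected


if __name__ == "__main__":
    acc, rej = audit(SAMPLE_LOG)
    for src, pkts in acc.items():
        print(f"INVESTIGATE  {src:<16} {pkts} packets accepted on a web port")
    for src, pkts in rej.items():
        print(f"blocked      {src:<16} {pkts} packets rejected")
```

Sources that show up under "INVESTIGATE" are the candidates for the `dig -x` reverse lookup suggested in the answer; an address that resolves into Amazon's own space but is not on the CDN list still should not be allowlisted by default.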

1 Answer


Too little info to answer, so just a guess:

That IP is a health check, so if it cannot access the server it considers it unhealthy and sends a note to ELB or CloudFront not to send users there.

Try to back-resolve that IP - perhaps it gives you an idea.

  • Thank you. Not sure how much more info I could give. I have not provided the actual IPs because that would enable attackers to directly get to my EC2 instance. We have no health checks. The IP traces back to Amazon, as the initial question points out. Thanks for responding Putnik. Commented Jun 1, 2016 at 16:13
  • Please post dig -x that.ip.add.ress Commented Jun 1, 2016 at 19:30
