EC2 task networking on Windows: Implementation change for blocking IMDS #2910
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
June 17, 2021 21:16
Instead of creating Windows Firewall rules, create a loopback route for IMDS inside the task namespace.
fenxiong
approved these changes
Jun 21, 2021
vsiddharth
approved these changes
Jun 21, 2021
angelcar
approved these changes
Jun 22, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Earlier, we were creating Windows Firewall rules for blocking the IMDS access to the tasks. With this change, instead of creating a firewall rule, we will create a blackhole route in the task namespace for IMDS.
Implementation details
The original methods of creating and deleting firewall rules have been removed.
In place of those, a new command is created to be run inside the task namespace which loops back the request sent to IMDS endpoint.
Testing
The changes were tested using unit tests as well as a custom binary was tested.
New tests cover the changes:
Yes
Description for the changelog
Changed implementation method for blocking IMDS access to the tasks.
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.