How can I allow access to Jupyter Notebook running in browser on AWS EC2 to only a single IP address?

Question

I'm trying to allow only a single IP Address to access my jupyter notebook which is running in a browser on an ec2 instance.

I tried to set the inbound rules in my acl to allow all traffic from only my IP Address. Furthermore, I tried to do it with a security group. Which would be the more suitable option?

My final target is to grant access to a limited number of users from one of our smaller locations based on their IP addresses.

Thanks for your help!

Answer 1

The real answer is that it depends both on what your other infrastructure looks like, whether the additional users are given console/resource access privileges via IAM, how comfortable you are with the various security settings available, and how much time you're looking to spend managing access privileges.

The following table, pulled from the AWS VPC Security Docs, offers a direct comparison between the features of the two options you asked about, Security Groups and Network ACLs.

Using either a security group or network ACL will work, but I'd recommend using a security group because it sounds like your use-case is allowing access control on a resource-by-resource (instance level) basis, rather than a subnet level basis.

From the docs, to whitelist IP addresses for a security group, you'll need to add a rule to the security group that you have attached to the EC2 instance (or create and attach a new one):

To add a rule to a security group for inbound SSH traffic over IPv4 (console)

1. In the navigation pane of the Amazon EC2 console, choose Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Choose view inbound rules to display a list of the rules that are in effect for the instance.

2. In the navigation pane, choose Security Groups. Select one of the security groups associated with your instance.

3. In the details pane, on the Inbound tab, choose Edit. In the dialog, choose Add Rule, and then choose SSH from the Type list.

4. In the Source field, choose My IP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. For example, if your IPv4 address is 203.0.113.25, specify 203.0.113.25/32 to list this single IPv4 address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

For information about finding your IP address, see Before You Start.

5. Choose Save.

Lastly, if the sole purpose of your EC2 instance is to run a Jupyter Notebook, I suggest checking out SageMaker hosted Jupyter Notebooks, as they may be more convenient for what you're trying to do (easily access a cloud hosted Jupyter notebook, but without needing to SSH in from a terminal).