Merge pull request #176 from coroot/collapse_aws_services_external_ips

group connections to AWS services by FQDN instead of IPs

common/net.go

@@ -67,6 +67,10 @@ func IsIpPrivate(ip netaddr.IP) bool {
 	return false
 }
 
+func IsIpExternal(ip netaddr.IP) bool {
+	return !ip.IsLoopback() && !IsIpPrivate(ip)
+}
+
 type connectionFilter struct {
 	whitelist map[string]netaddr.IPPrefix
 }
@@ -196,11 +200,11 @@ func (dk DestinationKey) String() string {
 }
 
 var (
-	awsS3FQDN = regexp.MustCompile(`.+s3.*.amazonaws.com`)
+	awsServicesFQDN = regexp.MustCompile(`.+\.amazonaws\.com`)
 )
 
 func NewDestinationKey(dst, actualDst netaddr.IPPort, fqdn string) DestinationKey {
-	if awsS3FQDN.MatchString(fqdn) {
+	if IsIpExternal(actualDst.IP()) && awsServicesFQDN.MatchString(fqdn) {
 		return DestinationKey{
 			destination: HostPortWithEmptyIP(fqdn, dst.Port()),
 		}

common/net_test.go

@@ -27,16 +27,21 @@ func TestConnectionFilter(t *testing.T) {
 }
 
 func TestDestinationKey(t *testing.T) {
-	d := netaddr.IPPortFrom(netaddr.MustParseIP("10.10.10.10"), 443)
-	ad := netaddr.IPPortFrom(netaddr.MustParseIP("127.0.0.1"), 443)
+	d := netaddr.IPPortFrom(netaddr.MustParseIP("1.1.1.1"), 443)
+	ad := netaddr.IPPortFrom(netaddr.MustParseIP("2.2.2.2"), 443)
 
-	assert.Equal(t, "10.10.10.10:443 (127.0.0.1:443)", NewDestinationKey(d, ad, "").String())
+	assert.Equal(t, "1.1.1.1:443 (2.2.2.2:443)", NewDestinationKey(d, ad, "").String())
 
 	assert.Equal(t,
 		"aa.bb.s3.amazonaws.com:443 ()",
 		NewDestinationKey(d, ad, "aa.bb.s3.amazonaws.com").String(),
 	)
 
+	assert.Equal(t,
+		"dynamodb.us-east-2.amazonaws.com:443 ()",
+		NewDestinationKey(d, ad, "dynamodb.us-east-2.amazonaws.com").String(),
+	)
+
 	assert.Equal(t,
 		"amazonlinux-2-repos-us-east-1.s3.dualstack.us-east-1.amazonaws.com:443 ()",
 		NewDestinationKey(d, ad, "amazonlinux-2-repos-us-east-1.s3.dualstack.us-east-1.amazonaws.com").String(),