Posts Tagged 'security groups'

Amazon EC2 Security Groups for Elastic Beanstalk

Amazon’s Elastic Beanstalk is an elegant Platform as a Service (PaaS) for Java application deployment. Anybody who has provisioned servers with the Elastic Compute Cloud (EC2) will be familiar with configuring security groups. A security group is like a firewall, and defines a set of permissions for accessing Amazon Web Services (AWS) resources. More details can be found here.

When you deploy an application with Elastic Beanstalk, a security group is created automatically that allows access from all IP addresses on port 80. Many applications use a database hosted on Amazon’s Relational Database Service (RDS), and a database instance also needs a security group of its own. To let the Beanstalk-hosted application reach the database, a rule allowing access from the Beanstalk application’s security group must be added to the database security group; for administering the database, a rule for your local machine, based on its IP address, is added as well. The process is straightforward; it just requires an awareness of what needs to be done.
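The two database ingress rules just described, as an added example that is not code from the original post: it builds them in the IpPermissions shape that boto3's ec2.authorize_security_group_ingress() accepts (assuming the RDS instance sits behind a VPC security group), with placeholder group IDs and a constructed admin address, and refuses a source that would widen access beyond a single host.

```python
import ipaddress

# Assumed placeholders, not values from the original post:
BEANSTALK_SG_ID = "sg-0beanstalk000000"  # group Beanstalk attached to the app instances
ADMIN_IP = "203.0.113.7"                 # your workstation's public address (constructed)
DB_PORT = 3306                           # MySQL on RDS; 5432 for PostgreSQL, 1433 for SQL Server


def host_cidr(ip: str) -> str:
    """Turn a single host address into the /32 CIDR the security group needs.

    Anything other than exactly one host is rejected: a typo such as
    '75.88.111.9/0' would otherwise be read as 0.0.0.0/0, the whole Internet.
    """
    net = ipaddress.ip_network(ip, strict=True)  # bare '1.2.3.4' becomes 1.2.3.4/32
    if net.num_addresses != 1:
        raise ValueError(f"{ip} is not a single host; refusing to widen database access")
    return str(net)


def rds_ingress_permissions(beanstalk_sg_id: str, admin_ip: str, db_port: int) -> list:
    """Return the two ingress rules for the database security group:
    one sourced from the Beanstalk security group, one from the admin host."""
    return [
        {   # rule 1: the Beanstalk instances, identified by their group, not by IP
            "IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
            "UserIdGroupPairs": [{"GroupId": beanstalk_sg_id,
                                  "Description": "Elastic Beanstalk app instances"}],
        },
        {   # rule 2: the administrator's workstation, and only that one address
            "IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
            "IpRanges": [{"CidrIp": host_cidr(admin_ip),
                          "Description": "DB admin workstation"}],
        },
    ]


if __name__ == "__main__":
    import json
    perms = rds_ingress_permissions(BEANSTALK_SG_ID, ADMIN_IP, DB_PORT)
    # To apply them (assumed call, not executed here; RDS_SG_ID is the database group):
    # boto3.client("ec2").authorize_security_group_ingress(GroupId=RDS_SG_ID, IpPermissions=perms)
    print(json.dumps(perms, indent=2))
```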

Amazon provide an incredible set of infrastructure services with AWS. To use these services effectively and integrate them into a coherent whole requires a good knowledge of how they work individually and the role they should play in your systems. Acquiring this knowledge is not a trivial task, so to fast-track the process Learning Tree have developed a four-day course that provides hands-on experience of what is available, how it works and how you can best use it for your systems. If you are interested in, or considering using, Amazon AWS, I think you will find the course invaluable. You can even attend from your office using the Anyware system. Details and a schedule can be found here.

Chris Czarnecki

Understanding Amazon EC2 Security Groups and Firewalls

When launching an Amazon EC2 instance you need to specify its security group.  The security group acts as a firewall allowing you to choose which protocols and ports are open to computers over the internet.  You can choose to use the default security group and then customize it, or you can create your own security group.  Configuring a security group can be done with code or using the Amazon EC2 management console.

If you choose to use the default security group, it will initially be configured as shown below:

The protocols you can configure are TCP, UDP and ICMP (ICMP is what ping uses). Each protocol also has a port range (ICMP has no ports, which is why its range is shown as -1 to -1). Lastly, the source lets you open the protocols and ports either to a range of IP addresses or to the members of some security group.

The default security group above may be a little confusing. It appears that everything is wide open, when in fact everything is closed: the default group opens all ports and protocols only to instances that are themselves members of the default group. So at that point no computer across the Internet can access your EC2 instance.

Most likely, you’ll need to open some protocols and ports to the outside world.  There are a number of common services preconfigured in the Connection Method dropdown as shown below.

As an example, if you are configuring an EC2 instance to be a Web server, you’ll need to allow the HTTP and HTTPS protocols. When you select them from the list, the security group is altered as shown below.

The most important thing to note is the Source IP. When you specify “0.0.0.0/0” you are allowing every IP address to access the specified protocol and port range. So in the example, TCP ports 80 and 443 are open to every computer on the Internet.

You might also want to allow services to manage the server, upload files and so on. For example, if I were configuring a Windows server I’d want to use Remote Desktop, which requires enabling RDP on TCP port 3389. However, I’d only want my own IP address to have access to that protocol. It would be crazy to allow every computer in the world access to services like RDP, FTP, database services etc. See the screenshot below.

Now RDP is enabled on TCP port 3389, but only for the IP address 75.88.111.9. Note that after the IP address you don’t specify “/0”; if you do, every computer in the world will have access to that port. To restrict access to a single address, specify “/32” after the IP. (If you want to know why, read the following article: http://en.wikipedia.org/wiki/CIDR.)
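An added audit, not from the original post, that applies the /0 versus /32 point to a security group as ec2.describe_security_groups() would return it (the group below is constructed inline): it reports any rule that opens a management port to more than one host, and shows that a source typed as “75.88.111.9/0” collapses to 0.0.0.0/0. The port list is an assumption that extends the post's RDP, FTP and database examples.

```python
import ipaddress

# Services the post says should never be open to the world (assumed list).
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 1433: "MS SQL", 3306: "MySQL", 3389: "RDP"}


def audit_security_group(group: dict) -> list:
    """Return one finding per ingress rule that exposes a management port to
    more than a single host. `group` is one entry of describe_security_groups()."""
    findings = []
    for perm in group.get("IpPermissions", []):
        # An "all traffic" rule (IpProtocol "-1") carries no port fields at all.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed = [name for port, name in MANAGEMENT_PORTS.items() if lo <= port <= hi]
        if not exposed or perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        for rng in perm.get("IpRanges", []):
            # strict=False does what the console does with a typo like 75.88.111.9/0:
            # the host bits are discarded and the rule becomes 0.0.0.0/0.
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.num_addresses > 1:
                findings.append(
                    f"{group['GroupId']}: {'/'.join(exposed)} on {lo}-{hi} open to "
                    f"{net} ({net.num_addresses} addresses) via source '{rng['CidrIp']}'")
    return findings


SAMPLE_GROUP = {  # constructed to resemble describe_security_groups() output
    "GroupId": "sg-0example00000000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # fine: public web port
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # fine: public web port
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "75.88.111.9/32"}]},       # correct: one admin host
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "75.88.111.9/0"}]},        # the /0 mistake
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},          # whole subnet, all ports
    ],
}

if __name__ == "__main__":
    for line in audit_security_group(SAMPLE_GROUP):
        print(line)
```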

You may also need to know what your public IP address is.  Search Bing for “My IP address”, and a number of Web sites will come up that will tell you.

For an easy tool to test whether a port is open, try paping from Google.

To learn more about EC2 and cloud computing, enroll in a Cloud Computing course. More courses are being added all the time, so check back often.

If you’re interested in .NET programming, visit Learning Tree’s .NET Programming Blog.

Doug Rehnstrom

As cloud computing continues to make information technology headlines, vendors are aggressively promoting the many benefits it can provide organizations. Learning Tree’s White Paper, Cloud Computing Promises: Fact or Fiction, addresses the claims and questions that are often raised in relation to cloud computing and provides a clear view of what the cloud can—and can’t—deliver in reality.
