Managing AWS firewall via Security Groups

Opening up ports on your EC2 servers to other machines may not be so straightforward. Here, I’ll walk you through how to do this, with special attention to how to open ports to other EC2 machines.

AWS provides a component called Security Groups. When you create an EC2 server, you are asked to create or select a security group. The security group manages your firewall rules; that is, it determines who can access the services on that machine.

Opening It Up to the World
Opening up a port to the world so anyone can access the service is fairly straightforward. Just create a new inbound rule, specify the port, and then select Anywhere from the Source dropdown.
If you were opening port 8888 to the world, it would look something like this:
[Screenshot: inbound rule for port 8888 with Source set to Anywhere]

This is just what you need when you have a website that you want to share with everyone.

Opening It Up Just To You
Now what if you have a database on that machine? That probably shouldn’t be accessible to everyone and their mother.

In that case, you can specify your local development machine in the Source for those times when you need to log into the database remotely to check on the data.
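Note the “/32” at the end of the IP address: in CIDR notation it limits the rule to that single address.
[Screenshot: inbound rule with Source set to a single IP address ending in /32]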

Ok, got it?

Opening It Up to Another EC2 Server
Now let’s get creative.
Suppose you have your database server on one machine and your webserver on another. Your webserver needs access to the database server, so how do we configure that?

One option is to just specify the Public IP of the EC2 server that you want to give access to. That’s just like before when you gave your local development machine access.

From the webserver machine, you would specify the Public IP of the database server to access it.

Opening It Up to Many EC2 Servers
Now let’s suppose you had a farm of webservers (because your website is the next Facebook and it’s getting millions of visits per second). Suppose you distribute the webservers on different machines but you want a single database machine remotely located as before.
What do we do now?

One option is to keep creating firewall rules for each of the webservers. But keeping track of each webserver’s IP and typing them in by hand could be painful. And what if you fire them up and power them down on demand? Managing this list of IPs could become a nightmare.
Here’s what a small list might look like:
[Screenshot: inbound rules listing each webserver by IP address]

Good thing there’s another option.
AWS lets you specify the Security Group of the webservers, giving all machines configured with that security group access.
So now your firewall rules look like this:
[Screenshot: inbound rule with Source set to the webservers’ security group]

But wait!!!
There’s one caveat. When you do this, your webservers must access the database server through a back alley. The webservers can’t use the database server’s Public IP or domain name. Instead, they must use the database server’s Private IP.

Keep in mind that the Private IPs can change when you stop and start a server. So make sure you update all machines if that happens.
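
To check which of the source types above a security group actually uses, the following added example (not from the original post) audits a rule list shaped like the IpPermissions field of the EC2 DescribeSecurityGroups response. The sample rules, group ID, addresses and the PUBLIC_PORTS allow-list are constructed assumptions.

```python
import ipaddress

# Constructed sample in the shape of the IpPermissions list returned by the
# EC2 DescribeSecurityGroups API; the group ID and addresses are made up.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}, {"CidrIp": "198.51.100.0/24"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

PUBLIC_PORTS = {8888}  # assumption: ports meant to be reachable by anyone


def classify_source(cidr):
    """Map a CIDR source to the kinds of Source discussed in the post."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "anywhere"        # 0.0.0.0/0 or ::/0
    if net.prefixlen == net.max_prefixlen:
        return "single-host"     # /32 (IPv4) or /128 (IPv6)
    return "range"


def audit(permissions, public_ports=PUBLIC_PORTS):
    """Return (ports, source, kind, finding) for every inbound source."""
    rows = []
    for perm in permissions:
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        ports = "all" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            kind = classify_source(cidr)
            # World-open is fine only for a single port on the allow-list.
            exposed = kind == "anywhere" and not (lo == hi and lo in public_ports)
            finding = "REVIEW: open to the world" if exposed else (
                "REVIEW: wider than one host" if kind == "range" else "ok")
            rows.append((ports, cidr, kind, finding))
        for pair in perm.get("UserIdGroupPairs", []):
            rows.append((ports, pair["GroupId"], "security-group", "ok"))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_PERMISSIONS):
        print("{:<6} {:<22} {:<15} {}".format(*row))
```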
