Overview
Using a single security group for a multiple-server, multi-tiered deployment may be convenient during the test and development phase of a project, but it is not recommended for production. This document discusses a possible implementation using multiple security groups for a typical three-tier deployment in the cloud. For example, consider a deployment with the following three tiers:
- Front-end load balancers
- Application servers (for example, a server array)
- Back-end database servers (master/slave)
Warning!
Changes to existing security groups already associated with running servers will take effect immediately for new connections. However, you cannot change the security groups assigned to a running server. You must terminate the server (or choose the Relaunch option and change its properties prior to launch) before adding or removing its security groups, as described in Assign Multiple Security Groups to a Server. To better understand the best practices for shutting down and starting up servers in your multi-tiered deployment, see Shutting Down a Multi-Tiered Deployment and Starting Up a Multi-Tiered Deployment.
The primary benefit of creating multiple security groups tailored to your specific deployment is increased security, particularly with regard to the application and database tiers, which generally should not be publicly accessible.
Linux
For Linux-based architectures, create the following security groups.


Note: The example screenshot above applies to a deployment using v12 and v13 ServerTemplates, where TCP 8000 is the application listener port. For v14 ServerTemplates, TCP 8080 is the application listener port. Be sure to configure your security group accordingly.
Create a security group for each tier, plus one that's dedicated to allowing SSH access. In the example above, each server should be configured to use two security groups: the security group for SSH access and its tier-specific security group.
- SSH access
  - Open TCP port 22 for SSH access.
- HAProxy Load Balancer Tier
  - Open TCP port 80 to any IP to allow standard HTTP access.
  - Open TCP port 443 to any IP for HTTPS access (optional; required if you use SSL).
  - Enable ICMP if you want to ping the server (optional).
- Application Tier
  - v12 and v13
    - Open TCP port 8000 to accept requests from servers launched with the HAProxy load balancers' security group (e.g. '3tier-lb'). Connections between the load balancers and application servers are made over the private network.
  - v14
    - Open TCP port 8080 to accept requests from servers launched with the HAProxy load balancers' security group (e.g. '3tier-windows-lb'). Connections between the load balancers and application servers are made over the private network.
  - Open other application-specific ports, if applicable, such as a port used for administrative purposes or a dedicated communications port.
- Database Tier
  - Open TCP port 3306 to accept requests from servers launched with the application servers' security group (e.g. '3tier-windows-app'). Connections between the application servers and the database server are made over the private network.
  - Open TCP port 3306 to accept requests from servers launched with its own security group (e.g. '3tier-db'), which is used for data replication between the master and slave database servers. Connections between the database servers are made over the private network.
Windows
For Windows-based architectures, create the following security groups.


Note: The example screenshot above applies to a deployment using v12 ServerTemplates, where TCP 80 is the application listener port. For v13 ServerTemplates, TCP 8000 is the application listener port. Be sure to configure your security group accordingly.
Create a security group for each tier, plus one that's dedicated to allowing RDP access. In the example above, each server should be configured to use two security groups: the security group for RDP access and its tier-specific security group.
- Remote Desktop Connection (RDP access)
  - Open TCP port 3389 for Remote Desktop Protocol (RDP) access.
- HAProxy Load Balancer Tier
  - Open TCP port 80 to any IP to allow standard HTTP access.
  - Open TCP port 443 to any IP for HTTPS access (optional; required if you use SSL).
  - Enable ICMP if you want to ping the server (optional).
- Application Tier
  - v12 LTS
    - Open TCP port 80 to accept requests from servers launched with the HAProxy load balancers' security group (e.g. '3tier-windows-lb'). Connections between the load balancers and application servers are made over the private network.
  - v13
    - Open TCP port 8000 to accept requests from servers launched with the HAProxy load balancers' security group (e.g. '3tier-windows-lb'). Connections between the load balancers and application servers are made over the private network.
  - Open other application-specific ports, if applicable, such as a port used for administrative purposes or a dedicated communications port.
- Database Tier
  - Open TCP port 1433 to accept requests from servers launched with the application servers' security group (e.g. '3tier-windows-app'). Connections between the application servers and the database server are made over the private network.
  - Open TCP port 5022 to accept requests from servers launched with its own security group (e.g. '3tier-windows-db'), which is used for mirroring between the principal and mirror database servers. Connections between the database servers are made over the private network.
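The Linux and Windows layouts above are small enough to write down as data and check mechanically before anyone launches a server. The following is an added example, not RightScale's own code: it models both layouts (v14 ServerTemplates for Linux, v13 for Windows) and flags the two mistakes this page warns against, an application or database group reachable from any IP, and a rule that names a source group which does not exist. The `Rule` model and the admin group names `3tier-ssh` and `3tier-windows-rdp` are assumptions; the other group names and ports are taken from the page.

```python
"""Least-privilege check over the per-tier security groups laid out on this page.
Added example, not RightScale's own code. The Rule model and the admin group names
'3tier-ssh' and '3tier-windows-rdp' are assumptions; other names and ports are the page's."""
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # "any IP" in the page's wording


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "icmp"
    port: int    # destination port (0 for icmp)
    source: str  # a CIDR, or the name of the security group allowed to connect

# Linux layout with v14 ServerTemplates (application listener on TCP 8080).
LINUX = {
    "3tier-ssh": [Rule("tcp", 22, ANY)],
    "3tier-lb": [Rule("tcp", 80, ANY), Rule("tcp", 443, ANY), Rule("icmp", 0, ANY)],
    "3tier-app": [Rule("tcp", 8080, "3tier-lb")],
    "3tier-db": [Rule("tcp", 3306, "3tier-app"), Rule("tcp", 3306, "3tier-db")],
}

# Windows layout with v13 ServerTemplates (application listener on TCP 8000).
WINDOWS = {
    "3tier-windows-rdp": [Rule("tcp", 3389, ANY)],
    "3tier-windows-lb": [Rule("tcp", 80, ANY), Rule("tcp", 443, ANY), Rule("icmp", 0, ANY)],
    "3tier-windows-app": [Rule("tcp", 8000, "3tier-windows-lb")],
    "3tier-windows-db": [Rule("tcp", 1433, "3tier-windows-app"), Rule("tcp", 5022, "3tier-windows-db")],
}

def check_groups(groups, admin, internal):
    """Return policy violations (empty list = layout matches the page). `internal` are the
    tiers that must never be reachable from any IP; `admin` carries only the SSH/RDP rule."""
    problems = []
    for name, rules in groups.items():
        for r in rules:
            if "/" not in r.source and r.source not in groups:
                problems.append(f"{name}: source group {r.source!r} is not defined")
            if name in internal and r.source == ANY:
                problems.append(f"{name}: {r.proto} port {r.port} open to any IP")
    for r in groups[admin]:
        if (r.proto, r.port) not in {("tcp", 22), ("tcp", 3389)}:
            problems.append(f"{admin}: unexpected {r.proto} port {r.port}")
    return problems

def server_groups_ok(assigned, admin, tier):
    """A server carries exactly two groups: the admin group plus its own tier group."""
    return set(assigned) == {admin, tier}
```

Run the check against a changed layout before relaunching servers, since the warning at the top notes that a running server's group assignment cannot be altered in place.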