Note: Please go to docs.rightscale.com to access the current RightScale documentation set. Also, feel free to Chat with us!
Home > Guides > Dashboard Users Guide > Manage > Network Manager > Actions > Create a Single Security Group for a 3-Tier (Linux) Tutorial

Create a Single Security Group for a 3-Tier (Linux) Tutorial

Table of Contents

Table of Contents

Overview

If you are following one of the end-to-end tutorials (See Infinity and v13.5 LTS) and building a 3-tier deployment for demonstration purposes, create a single security group that you can use for all servers in the deployment. Once you are successful setting up a 3-tier deployment using a single security group, you can set up more secure firewall permissions that would be more realistic for production environments. See Configuring multiple Security Groups for a multi-tiered Deployment.

 

Note: These instructions only apply to UCP accounts (e.g. us-3.rightscale.com; essentially any hostname that doesn't start with the 'my' subdomain) with AWS or OpenStack-Juno clouds. If you are using GCE or CloudStack in a UCP account or are still using a Legacy account (e.g. my.rightscale.com), please see Create a Single Security Group for a 3-Tier (Linux) Tutorial.

Prerequisites

Steps

  1. Go to Manage > Networks.
  2. Security Groups are cloud/region-specific. Select the network for the desired cloud/region into which you are going to launch servers (with the security group you are about to create). If an existing network is not available for use, you must first create a network. See Create a Network
  3. Click the Security Groups tab.
  4. Click New Security Group. Provide the required information and click Save.

screen-New_Security_Group-v1.png

  • Name - Enter a name for the new Security Group. (e.g. my-3tier-demo)
  • Description (optional) - Provide a brief description about the security group.
  • Network - The name of the network that the security group will belong to.
  • Common ports (inbound) - Select any of the common ports for which you want to create firewall rules to allow ingress communication to instances launched with this security group. If a port is selected, a firewall rule will be created in the security group that will allow ingress communication from any IP address (0.0.0.0/0).
  1. Determine which additional firewall rules you need to create based upon the type of 3-Tier architecture you're going to build. See some of the examples below. Notice that some of the firewall rules use a more restrictive permission than 'any IP' (0.0.0.0/0) by adding the security group to itself. In the examples below, the security group is called '3tier'. 
    • HAProxy--PHP/Rails/Tomcat/Django--MySQL​
      • Inbound, TCP, 3306, group:3tier              (MySQL)
      • Inbound, TCP, 8000, group:3tier              (Web App)
      • Inbound, TCP, 22, 0.0.0.0/0 (any IP)        (SSH)
      • Inbound, TCP, 80, 0.0.0.0/0 (any IP)        (HTTP)
      • Inbound, TCP, 443, 0.0.0.0/0 (any IP)      (HTTPS) (Optional)
    • HAProxy--IIS--MS SQL
      • Inbound, TCP, 1433, group:3tier              (SQL)
      • Inbound, TCP, 5022, group:3tier              (SQL)
      • Inbound, TCP, 8000, group:3tier              (Web App)
      • Inbound, TCP, 22, 0.0.0.0/0 (any IP)        (SSH)
      • Inbound, TCP, 3389, 0.0.0.0/0 (any IP)    (RDP)
      • Inbound, TCP, 80, 0.0.0.0/0 (any IP)        (HTTP)
      • Inbound, TCP, 443, 0.0.0.0/0 (any IP)      (HTTPS) (Optional)
    • HAProxy--PHP/Rails/Tomcat/Django--PostgreSQL​
      • Inbound, TCP, 5432, group:3tier              (PostgreSQL)
      • Inbound, TCP, 8000, group:3tier              (Web App)
      • Inbound, TCP, 22, 0.0.0.0/0 (any IP)        (SSH)
      • Inbound, TCP, 80, 0.0.0.0/0 (any IP)        (HTTP)
      • Inbound, TCP, 443, 0.0.0.0/0 (any IP)      (HTTPS) (Optional)
    • ELB--PHP/Rails/Tomcat/Django--MySQL​
      • Inbound, TCP, 3306, group:3tier                                              (MySQL)
      • Inbound, TCP, 8000, group:amazon-elb/amazon-elb-sg           (Web App)
      • Inbound, TCP, 22, 0.0.0.0/0 (any IP)                                        (SSH)
    • ELB--IIS--MS SQL​
      • Inbound, TCP, 1433, group:3tier                                              (SQL)
      • Inbound, TCP, 5022, group:3tier                                              (SQL)
      • Inbound, TCP, 8000, group:amazon-elb/amazon-elb-sg           (Web App)
      • Inbound, TCP, 3389, 0.0.0.0/0 (any IP)                                    (RDP)
    • ELB--PHP/Rails/Tomcat/Django--PostgreSQL​
      • Inbound, TCP, 5432, group:3tier                                              (PostgreSQL)
      • Inbound, TCP, 8000, group:amazon-elb/amazon-elb-sg           (Web App)
      • Inbound, TCP, 22, 0.0.0.0/0 (any IP)                                        (SSH)
  2. Create any additional firewall rules, as necessary. Click New Rule. You can either create an IP-based or Group-based permission. You should have been able to select all of the required IP-based firewall rules when you created the security group. See the different example below to create all of the necessary firewall permissions for the 3-tier setup. 
     

Example: IP-based Permission

screen-New_Rule_IP-v1.png
  • Direction - The direction of the request, relative to the instance. Select Inbound.
  • Protocol - Select the protocol(s) for the firewall rule. 
  • Ports - Specify a single port or range of ports for the firewall rule. (For a single port, put the number in both fields.)
  • IP Range - Define the level of IP access using CIDR notation. For example, to allow any IP addresses (i.e. no IP restrictions), enter: 0.0.0.0/0. See CIDR Block Example for more detailed information.

 

Example: Group-based Permission

screen-New_Rule_Group-v1.png
  • Direction - The direction of the request, relative to the instance. Select Inbound.
  • Protocol - Select the "group" protocol(s) for the firewall rule. 
  • Ports - Specify a single port or range of ports for the firewall rule. (For a single port, put the number in both fields.)
  • Owner - Specify the cloud account number of the security group to which you're going to allow access. For this example, you're going to add the security group to itself so that instances that use this security group will be able to establish connections on the private network (via a private IP address). Click the My Account button to auto-fill the field with the cloud account associated with the RightScale account.
  • Group - Specify the name or ID of the security group for which you're creating the firewall rule. For a 3-tier example, enter the name of the security group itself. (e.g. my-3tier-demo)
    • OpenStack - You cannot use the security group name; you must specify the security group's Resource ID. 
   
  1. Verify that you've created all of the necessary firewall rules correctly.  The example screenshot below is a security group (called 'my-3tier-demo') that includes all of the required firewall rules for a basic 'HAProxy--PHP/Rails/Tomcat/Django--MySQL​' deployment.

screen-List_Rules-v1.png

  1. (Optional) If you want to perform a basic ping test of your your servers after they become operational, you'll need to create an additional rule.
screen-New_Rule_ICMP-v1.png
  • Direction - Select Inbound.
  • Protocol - Select ICMP-IP.
  • ICMP Type - Select 0 - Echo Reply.
  • ICMP Code - Select 0 - No Code.
  • IP Range - Enter 0.0.0.0/0  or click My IP to use your own device's own public IP address for testing purposes.
  1. Congratulations! You now have a basic security group that you can use for all servers in a basic 3-tier deployment. Later you will want to consider using multiple security groups for more granular access controls.
You must to post a comment.
Last modified
13:24, 11 Apr 2014

Tags

ucp

Classifications

This page has no classifications.

Announcements

None


© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.