Make sure only trusted users are granted the 'security_manager' user role permission.
The 'security_manager' role grants the ability to manage the network and firewall permissions used by instances in the cloud. You need this permission to create security groups and define the individual firewall rules within them, and to create Virtual Private Clouds (VPCs) and subnets. It also lets you view and generate Infrastructure Audit Reports. Grant it only to trusted users.
Warning!
A user with this permission can change the firewall permissions of running instances: any change to an EC2 security group takes effect immediately on every running instance that uses that security group. For this reason, you may want to create all of the required security groups and their firewall port permissions for each RightScale account in advance, so that the users who configure and launch servers in the account already have the necessary network settings available and do not need this role themselves. You may also find it useful to use Server Defaults to pre-select the desired security groups on a per-cloud basis. See Should I set default configurations for servers?
Remember that you can also grant a user temporary access (by day) with the 'security_manager' role if it is required for an initial setup but not permanently.
Before deciding how security groups should be configured across a RightScale account, first determine how you want to grant SSH (Linux) or RDP (Windows) access within that account. There are several factors to take into consideration.
If you do not want your users to create and/or modify their own security groups and related firewall permissions, someone will need to create the appropriate security groups for their use in advance.
Several examples of how you can set up security groups in your account for granting remote SSH/RDP access are shown below. Each configuration has its own advantages and disadvantages, and requires a different amount of maintenance depending on who is able to manage security groups within the account. If your organization uses multiple RightScale accounts, remember that each account is unique, so you may not want to use the same security group configuration across all of them. Determine the right balance between control and security for each account and set up its security group access controls accordingly.
Infrastructure Audit Reports (Amazon EC2 only): any user with either the 'admin' or 'security_manager' user role can generate an infrastructure audit report to get a current snapshot of all firewall-related permissions across all security groups in a RightScale account. Currently only EC2 security groups are evaluated.
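As an added example (not RightScale code and not part of the Infrastructure Audit Report feature), the following Python script produces the same kind of snapshot over EC2 security group data and then applies the SSH/RDP question from above to it: it lists every ingress rule and its source, and flags rules that expose SSH (TCP 22) or RDP (TCP 3389) to the entire internet, including the all-traffic ("-1") rule and IPv6 "::/0", which are easy to miss when reviewing rules by hand. It works on the list under "SecurityGroups" in the EC2 DescribeSecurityGroups response (the shape that `aws ec2 describe-security-groups --output json` prints). The group IDs, names and address ranges in the sample are constructed for the example.

```python
"""Snapshot and audit EC2 security group ingress rules for remote-access exposure.

Added example, not RightScale code.  Input is the list under "SecurityGroups"
in the EC2 DescribeSecurityGroups response.  The sample groups below are
constructed for this example; replace them with a real dump to audit an account.
"""
import ipaddress

# Remote-access ports discussed on this page: SSH for Linux, RDP for Windows.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample data (hypothetical group IDs, names and address ranges).
SAMPLE_GROUPS = [
    {   # SSH open to the whole IPv4 internet: the classic finding
        "GroupId": "sg-0aaa", "GroupName": "ops-ssh-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # RDP limited to a corporate range, but an all-traffic IPv6 rule undoes it
        "GroupId": "sg-0bbb", "GroupName": "ops-rdp-corp",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1",   # "-1" means all protocols and all ports
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {   # SSH only from another security group (e.g. a bastion): not exposed
        "GroupId": "sg-0ccc", "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]},
        ],
    },
]


def _sources(perm):
    """All sources of one ingress rule: IPv4 CIDRs, IPv6 CIDRs and source groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])


def _is_world(source):
    """True for 0.0.0.0/0 or ::/0; a source security group ID is never 'the world'."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:        # not a CIDR, i.e. a source security group ID
        return False


def _covers_port(perm, port):
    """Does this rule admit TCP traffic to `port`?  "-1" is the all-traffic rule."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def snapshot(groups):
    """One line per (rule, source): the flat listing an audit report is built from."""
    lines = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for src in _sources(perm):
                lines.append(f"{sg['GroupId']} ({sg['GroupName']}) {proto} {ports} from {src}")
    return lines


def audit_security_groups(groups, ports=REMOTE_ACCESS_PORTS):
    """Return (group_id, group_name, service, source) for every rule that exposes
    a remote-access port to the entire internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            world = [s for s in _sources(perm) if _is_world(s)]
            if not world:
                continue
            for port, service in ports.items():
                if _covers_port(perm, port):
                    findings.extend((sg["GroupId"], sg["GroupName"], service, src)
                                    for src in world)
    return findings


if __name__ == "__main__":
    print("\n".join(snapshot(SAMPLE_GROUPS)))
    for gid, name, service, src in audit_security_groups(SAMPLE_GROUPS):
        print(f"FINDING: {gid} ({name}) exposes {service} to {src}")
```

Against the sample, the audit reports three findings: SSH on sg-0aaa from 0.0.0.0/0, and both SSH and RDP on sg-0bbb from ::/0 (the all-traffic IPv6 rule, even though its RDP rule itself is properly scoped); sg-0ccc is clean because its only source is another security group. To run it against a real account, load the output of `aws ec2 describe-security-groups --output json` with `json.load` and pass the "SecurityGroups" list in place of SAMPLE_GROUPS. Because security group changes take effect on running instances immediately, such a snapshot taken before and after granting someone the 'security_manager' role is a cheap way to see exactly what they changed.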
Network Maps (Amazon EC2 only): another useful resource for a more visual representation of the open ports across all security groups of a given cloud is the Network Maps feature. Currently only EC2 security groups are evaluated.
Please refer back to the User and Account Management section.
If you are setting up your own private cloud infrastructure (e.g. VMware vSphere, OpenStack, or CloudStack) and want to manage it through RightScale's Cloud Management Platform, you will need to set up your network to allow the necessary communication between RightScale and your private cloud.
See About Firewalls.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.