To create a new EC2 security group (or groups) to use with servers added to a deployment.
A security group defines which ports are open to accept incoming connections to a server. Security groups act as a firewall in the cloud: they control who can communicate with (i.e., initiate a connection to) a server. They are stateful, so replies to a connection that was admitted are allowed back out without a separate rule. With the exception of Amazon Virtual Private Cloud (VPC) security groups, discussed under VPCs, EC2 security groups only filter ingress (incoming) traffic and do not prevent a server from initiating outbound communications.
The default security group in each AWS region (automatically created for your account by Amazon) does not allow any incoming connections from outside the group. Therefore, you will need to create a new security group to use with your production servers. Security groups give you flexible options for restricting access to servers. For example, you can limit access to a specific port from a specific source IP address or CIDR range. Note that security group rules are allow rules only: you cannot add a rule that blocks a specific IP address. To learn about different ways to use security groups for various architectural scenarios, see EC2 Security Groups.
Amazon security groups are also AWS region specific; for example, you cannot use a security group that you created in "US-East" to secure a server in "US-West." You can assign multiple security groups to a server. Permissions defined in security groups are additive: the effective rule set is the union of the rules in all groups assigned to the server. So, if a server has two security groups where one group opens port 80 and the other does not, port 80 is open on the server; no group can "close" a port that another group opens.
Warning: Although you cannot change which security groups are assigned to a server after launching it, you can modify the rules of the security groups it already uses, and such a change immediately affects every running server that uses those security groups. For example, if you launched a server with a security group that initially only had port 22 open, and later opened port 80 in that same security group, the running server inherits the change immediately, meaning that port 80 is now open on that server. To prevent unexpected changes to a server's ingress permissions, grant the "security_manager" role only to trusted users, and consider creating separate security groups for each project or deployment in your cloud architecture, so that a rule change made for one deployment does not widen the exposure of another.
The following tutorial assumes you are creating a security group for use in the Amazon US-East region. However, the functionality is identical for other AWS regions.
The following steps explain how to create a generic security group to be used by all servers in a typical three-tier deployment.
For information about more advanced configurations, see EC2 Security Groups. To build a more robust deployment architecture that utilizes multiple security groups, see Configure Multiple Security Groups for a Multi-Tiered Deployment.
1. In the RightScale Dashboard, go to Clouds > AWS Region > Security Groups. The region's default security group is already listed. In the following steps, you will create an additional, customized security group for your production deployment.
2. Click New.
3. Name the group "production" and add a brief description.
Note: You cannot change a security group's description after creating it.
4. Click Create.
After completing the steps in the previous section, you now have a security group with no open ports. Next, you must open up the necessary ports to allow communication among servers in your deployment and define who can initiate communication with those servers.
To open a single port for all servers in a security group, select an IP protocol (i.e., TCP, UDP, or ICMP) and a port or range of ports, and specify the permitted source in CIDR notation (for example, 0.0.0.0/0 allows any address, while a narrower range such as your office network restricts access to that network only).
For your generic example security group, open the following protocols and ports:
Warning: If you will use your security group with Microsoft Windows servers, ensure that you also open TCP port 3389 for Windows Remote Desktop Connection sessions.
Since you will use the same generic security group for all servers in your deployment in this sample exercise, you must explicitly add the security group to itself, so each server in the group can communicate with all other servers in the group, across any port, via any protocol, over their private IP addresses. Do this by selecting the "group" option from the drop-down list in your new permission definition, as shown below.
You must add security-group permissions for each protocol (TCP, UDP, and ICMP) separately. Use a port range of 0 to 65535 for TCP (shown above) and UDP to allow protocol access over all ports. Use a "Type" and "Code" value of -1 for ICMP to enable all ICMP types and code values.
The "Owner" field automatically defaults to the AWS account ID associated with your RightScale Dashboard account; however, you must manually enter the security group name in the "Group" field as shown above.
Warning: While it is convenient to allow communication among all servers in a security group on any port during the testing and development phases, in a production environment you should restrict group-to-group communication to the specific ports each tier actually needs. Otherwise a compromised front-end server has unrestricted network access to every other server in the group, including its back-end database ports.
Assuming you followed all the previous steps, you should now have the below permissions defined for your "production" security group.
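To make two of the security-relevant points on this page concrete, the additive, allow-only semantics described in the introduction and the self-referencing group permissions just configured, here is a small Python model of how ingress permissions are evaluated. It is an added example, not RightScale's or AWS's code. The "production" group it builds uses the SSH, HTTP and RDP ports mentioned in this page; the admin network 203.0.113.0/24, the sample source addresses, and the treatment of RFC 1918 addresses as the "private IP" side of a group-to-group rule are assumptions made for the example.

```python
"""Added example: a model of EC2 security-group ingress evaluation.
Not RightScale or AWS code; the group it builds follows the tutorial."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ALL_PORTS = (0, 65535)   # the range the tutorial uses for "all TCP/UDP ports"
ICMP_ALL = (-1, -1)      # Type/Code of -1 = every ICMP type and code
ANYWHERE = ("0.0.0.0/0", "::/0")
# Assumption: EC2 private addresses are RFC 1918; group rules only match these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One ingress permission, with the fields the Dashboard form asks for."""
    protocol: str                # "tcp", "udp" or "icmp"
    from_port: int               # tcp/udp: low port;  icmp: type (-1 = any)
    to_port: int                 # tcp/udp: high port; icmp: code (-1 = any)
    cidr: Optional[str] = None   # source given as a CIDR block ...
    group: Optional[str] = None  # ... or as the name of a security group

    def __post_init__(self):
        if (self.cidr is None) == (self.group is None):
            raise ValueError("a rule needs exactly one source: cidr or group")


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def allow_cidr(self, protocol, from_port, to_port, cidr):
        self.rules.append(Rule(protocol, from_port, to_port, cidr=cidr))

    def allow_group(self, protocol, from_port, to_port, group):
        self.rules.append(Rule(protocol, from_port, to_port, group=group))


def rule_matches(rule, protocol, port, src_ip, src_groups):
    """True if this single permission admits the connection."""
    if rule.protocol.lower() != protocol.lower():
        return False
    if protocol.lower() == "icmp":
        if rule.from_port not in (-1, port):   # only the ICMP type is modelled
            return False
    elif not rule.from_port <= port <= rule.to_port:
        return False
    ip = ipaddress.ip_address(src_ip)
    if rule.cidr is not None:
        return ip in ipaddress.ip_network(rule.cidr, strict=False)
    # A group source covers members of that group talking over their private
    # address; the same member connecting via a public IP does not match.
    return rule.group in src_groups and any(ip in n for n in PRIVATE_NETS)


def is_allowed(groups, protocol, port, src_ip, src_groups=frozenset()):
    """Permissions are allow-only and additive: a connection is admitted if
    any rule in any group attached to the server matches. Nothing can deny."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for g in groups for r in g.rules)


def lint(group):
    """Flag permissions that are too broad for production (see the warning above)."""
    findings = []
    for r in group.rules:
        where = f"{r.protocol}/{r.from_port}-{r.to_port}"
        src = r.cidr or f"group {r.group}"
        is_web = (r.protocol == "tcp" and r.from_port == r.to_port
                  and r.to_port in (80, 443))
        if r.cidr in ANYWHERE and not is_web:
            findings.append(f"{where} open to the world ({r.cidr})")
        if r.protocol in ("tcp", "udp") and (r.from_port, r.to_port) == ALL_PORTS:
            findings.append(f"{where} from {src}: restrict to the ports this tier uses")
        if r.protocol == "icmp" and (r.from_port, r.to_port) == ICMP_ALL:
            findings.append(f"{where} from {src}: consider allowing only echo (type 8)")
    return findings


def build_production_group(admin_cidr="203.0.113.0/24"):
    """The tutorial's 'production' group. Ports 22, 80 and 3389 appear in the
    text; the admin network is a constructed example value."""
    sg = SecurityGroup("production")
    sg.allow_cidr("tcp", 22, 22, admin_cidr)      # SSH from the admin network only
    sg.allow_cidr("tcp", 80, 80, "0.0.0.0/0")     # HTTP from anywhere
    sg.allow_cidr("tcp", 3389, 3389, admin_cidr)  # RDP for Windows servers
    # The group added to itself: members reach each other on any port/protocol
    sg.allow_group("tcp", 0, 65535, "production")
    sg.allow_group("udp", 0, 65535, "production")
    sg.allow_group("icmp", -1, -1, "production")
    return sg


if __name__ == "__main__":
    prod = build_production_group()
    print("HTTP from the internet:", is_allowed([prod], "tcp", 80, "198.51.100.7"))
    print("MySQL from a member:   ", is_allowed([prod], "tcp", 3306, "10.0.0.5", {"production"}))
    for finding in lint(prod):
        print("lint:", finding)
```

Running the script shows HTTP admitted from any address, a database port admitted only from another member of "production" over a private address, and three lint findings for the all-port group-to-group rules, which is exactly what the warning above asks you to tighten before production. The same self-referencing TCP rule is what the AWS CLI creates with `aws ec2 authorize-security-group-ingress --group-name production --protocol tcp --port 0-65535 --source-group production`.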
When experiencing communications issues with servers in a deployment, you may need to troubleshoot your security group settings. The following is a list of common issues often associated with the setup and configuration of security groups.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.