
Amazon EC2 Security Groups


In this installment of our Scalable Solutions series, we are going to be reviewing one of the core components of EC2, the security group.  Our customers find that the elasticity provided by security groups allows them to build more resilient solutions and expand them as performance dictates, with consistent security policies.

In case you missed our previous articles, you may want to go back and review these great resources.

Week 1 – Amazon Route 53 Basics

Week 2 – AWS Certificate Manager

Week 3 – AWS Systems Manager Parameter Store

Week 4 – AWS Application Load Balancer

If you are just looking to learn more about AWS and you are in the North Dallas area, we sponsor the AWS User Group of North Dallas at our offices in McKinney, TX.  You can find this group on meetup.com.

Security Group Basics

Security groups are essentially a virtual firewall for your instance that controls ingress and egress traffic.

  1. By default, a security group doesn’t have any ingress rules and therefore doesn’t allow any inbound traffic, but has a default egress rule which allows all outbound traffic.
  2. You cannot specify deny rules.  The lack of an allow rule triggers the implicit deny.
  3. Security group rules are stateful.  This means that traffic that is allowed by a rule will have its return traffic allowed as well.
  4. Security group rules can allow traffic from another security group, or even its own security group.

Of course, in addition to security groups we can also leverage Network ACLs to provide another level of security and traffic filtering.

Multiple AWS resource types can have a security group associated with them, such as EC2, RDS and ELB, but essentially anything with an Elastic Network Interface will have a security group.

In this example, we will be creating an ELB with some backend web servers.  We are going to enable the entire internet to access TCP 443 on the ELB, but from the ELB to the web servers we are only going to allow TCP 80.  This is called SSL termination, where we aren’t going to manage any SSL configuration on the web servers themselves since it gets terminated at the load balancer.  This lets us conserve CPU cycles on the web tier.

Create Security Group for Load Balancer

First, we need to add a security group.  This one will be applied to the ELB and will allow HTTPS inbound from the internet.  It will also be used to identify the traffic from the load balancer to the web server security group.

PS> aws ec2 create-security-group --group-name "external - squirrelbox traffic" --description "allows external access to squirrelbox load balancers" --vpc-id vpc-bfa608c4

{
    "GroupId": "sg-8b9d27c1"
}

We will need to use the GroupId elsewhere, so make a note of it.

Allow HTTPS from Anywhere

Next, let’s allow HTTPS inbound from the internet.  You can modify the command to allow other protocols, ports and sources.

PS> aws ec2 authorize-security-group-ingress --group-id sg-8b9d27c1 --protocol tcp --port 443 --cidr 0.0.0.0/0

At this point, we are ready to associate this security group with our ELB.  If you haven’t jumped ahead, we should see gateway errors if we try to hit the ELB.

Create Security Group for Web Servers

Next, let’s add a security group which we will associate with our web server instances.

PS> aws ec2 create-security-group --group-name "internal - squirrelbox traffic" --description "allows load balancers access to squirrelbox servers" --vpc-id vpc-bfa608c4

{
    "GroupId": "sg-78a51f32"
}

Now we need to create some rules.

Allow HTTP from Load Balancer Security Group

Here we are going to enable the load balancer to reach the web nodes on port 80.

PS> aws ec2 authorize-security-group-ingress --group-id sg-78a51f32 --protocol tcp --port 80 --source-group sg-8b9d27c1

Notice the --source-group parameter.  We can use this instead of specifying a CIDR address.  At this point, if your ELB, web server, and DNS setups are completed (out of the scope of this article), you should be able to see your website.
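To confirm the two groups still match this design later on, the following Python (an added example, not part of the original article or Entasis tooling) audits JSON in the shape returned by `aws ec2 describe-security-groups`. The sample data, the function names and the extra port 22 rule are constructed for illustration; only the two group IDs come from the commands above.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# The tcp/22 rule on the web group is a deliberate mistake for the audit to flag.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-8b9d27c1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-78a51f32", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-8b9d27c1"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")

ANY = {"0.0.0.0/0", "::/0"}  # "the entire internet" for IPv4 and IPv6

def port_label(perm):
    """Render a rule as 'tcp/443', 'tcp/8000-8100', or 'all' (IpProtocol -1)."""
    if perm["IpProtocol"] == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f'{perm["IpProtocol"]}/{lo}' if lo == hi else f'{perm["IpProtocol"]}/{lo}-{hi}'

def audit(doc, lb_sg, web_sg):
    """Return (group, rule, problem) tuples where the groups deviate from the
    article's design: LB open to the internet on tcp/443 only, and the web
    tier reachable only from the LB security group (no CIDR sources at all)."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            label = port_label(perm)
            if sg["GroupId"] == lb_sg:
                if label != "tcp/443" and ANY & set(cidrs):
                    findings.append((lb_sg, label, "open to internet"))
            elif sg["GroupId"] == web_sg:
                for src in cidrs + [g for g in groups if g != lb_sg]:
                    findings.append((web_sg, label, f"unexpected source {src}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "sg-8b9d27c1", "sg-78a51f32"):
        print(*finding)
```

Against a live account, save the output of `aws ec2 describe-security-groups --group-ids sg-8b9d27c1 sg-78a51f32` to a file and pass the parsed JSON to `audit` in place of `SAMPLE`.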

At Entasis we assist our customers in building elastic and resilient solutions with performance on-demand.  If you need help making your cloud initiative a reality we would love to help.
