In this video, Jeff Winesett demonstrates configuring security groups to control inbound and outbound network traffic to AWS resources.
- [Instructor] The next thing to create before launching a new instance is a security group to control the inbound traffic access and provide the needed firewall security rules. Security groups were introduced earlier in our chapter dedicated to keeping things secure. First, let's think about what needs security groups. We have public traffic coming into our load balancer, so I want to allow for that. Then I have the load balancer sending traffic to web instances, so we need to allow for that. But we should restrict this access to only traffic from the load balancer.
Then the web servers need to be able to connect to the database server. But, again, I only want the connection to be from the web servers, so I'm going to create three security groups to handle this. The first one for the load balancer, allowing HTTP and HTTPS traffic on ports 80 and 443 inbound from everywhere. The second one for the web tier, allowing HTTP traffic on port 80 only from the load balancer. And a third one for the database, allowing MySQL TCP traffic on port 3306, but only from the web servers.
So, let me get to the console, and I've already logged in as my Jeff user, and a security group is created from the EC2 service. So, I find EC2 again in the drop-down, click on that, go over to Security Groups under Network & Security in the left-hand menu. Click on that and we see that there's already one security group that has been created automatically by Amazon as part of the default VPC that is created with every account. It's there to allow for quick resource usage without having to configure a custom VPC.
It's there for convenience, but I'm going to go ahead and create a new security group. Click Create Security Group. In this case, I'll give it a name. I'll start with the load balancer security group. Give it a description. It then asks us about which VPC to launch this into. The good news is that the account has a default VPC that we can use when getting started.
So, I don't have to stop and configure our own VPC at this time. I'll be launching most everything into this default VPC as we proceed. Also notice, too, on most of the wizards that are available to you on the console as you're creating resources, they come with little information tool tips that you can hover over to get more information about every single thing that you're filling out. Since this is for the load balancer and we want to allow inbound traffic for HTTP and HTTPS, we can toggle right down here to the Inbound tab, and choose create rule.
In this case, I'll start with HTTP. Choose HTTP, Protocol's chosen for me, port 80 is right. From the source, I want to allow HTTP traffic in from anywhere, so this is correct for that. Additionally, I want to be able to allow HTTPS. TCP is once again fixed for me. The port range is correct, the 443, and I also want to allow that in from anywhere.
So, this looks good, and I'll click Create. And there we have our new load balancer security group. Now, the next thing we're going to do is create a new security group for our web tier. And as has been mentioned, what I want to do for the web tier is I want to restrict HTTP traffic on port 80 in from only the load balancer. So, the way we're going to do that is actually to specify the security group ID in the Source field, and, in this case, I want to specify the security group ID of the security group I just created for the load balancer right here.
Let me copy that information for now just to have and I'll show why in just a second. So, I'll create security group. I'll call this one web-tier and I'll give it a description, "traffic into and out of web servers." Again, we'll use the default VPC, and down here, in the Inbound tab, I can go ahead and create rule. In this case, I want to allow HTTP and, in the Source field, I want to specify the security group that I just created.
Now, normally I can just start typing in SG and I'll start to see a list of security groups available to me. Because we've just created the security group, it's not quite populated in Amazon's drop-down list, so sometimes these auto-suggestions take a little bit of time to populate. It doesn't matter, all I need to do is specify the specific security group, which I copied on the previous page. So, from there, I'll click Create, and now I have the web tier security group all created.
Okay, now that my web tier security group is in place, I have one more to go. I need to create one for the database tier. We're probably getting pretty good at this by now. Create Security Group, db-tier. "Traffic into the database", default VPC, I want to add a rule, and I definitely want to allow MySQL on port 3306 and I want to also restrict that to the security group that I just created for the web tier, and, as we can see, it's still not available in the drop-down yet.
So, I need to grab that information. Can I get that from back over here? It is, for the web tier, sg-02788e79. And create that. Okay, so now that I have these three security groups in place, one for the web tier, one for the load balancer, and one for the database tier, I can go ahead and create a new EC2 instance, so that's what I'm going to do next.
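The three-tier design from the video, as an added example that is not part of the course: it models each group's inbound rules as boto3-style IpPermissions payloads, renders the equivalent `aws ec2 authorize-security-group-ingress` command for each rule, and runs a local check that only the load balancer tier admits traffic from a CIDR rather than from a security-group reference. The `sg-...` IDs are constructed placeholders; no AWS calls are made.

```python
"""Model of the load balancer / web tier / db tier security groups.
Runs offline: builds rule payloads and checks the tiering, nothing is created in AWS."""

ANYWHERE = "0.0.0.0/0"

# Constructed placeholder IDs; real ones come back from create-security-group.
LB_SG = "sg-0lbplaceholder"
WEB_SG = "sg-0webplaceholder"
DB_SG = "sg-0dbplaceholder"


def tcp_rule(port, cidr=None, source_sg=None):
    """One inbound rule in the shape ec2.authorize_security_group_ingress expects."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    if source_sg:
        rule["UserIdGroupPairs"] = [{"GroupId": source_sg}]
    return rule


def build_groups():
    """Inbound rules per tier, exactly as laid out in the video."""
    return {
        LB_SG: [tcp_rule(80, cidr=ANYWHERE), tcp_rule(443, cidr=ANYWHERE)],
        WEB_SG: [tcp_rule(80, source_sg=LB_SG)],
        DB_SG: [tcp_rule(3306, source_sg=WEB_SG)],
    }


def to_cli(sg_id, rule):
    """Equivalent AWS CLI command for a single rule (what the console does for you)."""
    cmd = f"aws ec2 authorize-security-group-ingress --group-id {sg_id} " \
          f"--protocol {rule['IpProtocol']} --port {rule['FromPort']}"
    if rule.get("IpRanges"):
        return cmd + f" --cidr {rule['IpRanges'][0]['CidrIp']}"
    return cmd + f" --source-group {rule['UserIdGroupPairs'][0]['GroupId']}"


def find_overexposed(groups, public_ok=(LB_SG,)):
    """Return (group, port) pairs where a non-public tier admits a CIDR source.
    An empty list means the web and db tiers are only reachable via SG references."""
    findings = []
    for sg_id, rules in groups.items():
        if sg_id in public_ok:
            continue
        for rule in rules:
            if rule.get("IpRanges"):
                findings.append((sg_id, rule["FromPort"]))
    return findings


if __name__ == "__main__":
    groups = build_groups()
    for sg_id, rules in groups.items():
        for rule in rules:
            print(to_cli(sg_id, rule))
    print("overexposed:", find_overexposed(groups))
```

Running the check again after someone widens the db rule to 0.0.0.0/0 is the quickest way to catch the mistake the video's design is meant to prevent.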