Configuring a security group : Amazon Web Services (AWS)

 -Create a new security group to control inbound traffic access and provide the needed firewall rules.
 -First, let's think about what needs security groups.
 ~We have public traffic coming in to our load balancer, so we want to allow for that.
 ~Then, we have the load balancer sending traffic to our web instances, so we need to allow for this, but we should restrict this access to only traffic from the load balancer.
 ~Then, our web servers need to be able to connect to the database server, but, again, we only want to allow the connection from our web servers.

So, we are going to create two security groups to handle this.

 ~The first one, we're gonna use for the load balancer, and this one is going to allow HTTP traffic on port 80 in from everyone.
 ~Then, the second one, we're gonna create for the web tier, and that one is going to
   ~~Allow HTTP traffic on port 80, but only from the ELB, and
   ~~also allow MySQL/TCP traffic on port 3306, but only from the web servers.

To do this :
 ~Go back to the main console, log in, and since security groups are part of the EC2 service, go to EC2.
 ~Then, from the left-hand menu, click on "Security Groups". We see that Amazon has set us up with a default security group.

For any resource that requires a security group, if you don't explicitly choose one, the default one is chosen for you. This default one has basically no permissions.

 ~We're gonna be setting up two security groups that handle our traffic needs. Leave the default there, and choose "Create security group."
 The first one we're gonna create is for the load balancer. Here we see that it asks for a name, a description, and a VPC.
 So, let's give it a name. The name will be load-balancer.
 We can give it a friendly description: this is going to allow HTTP traffic on 80 in from the public.
 Then it asks us which VPC to launch this in; since this is a new account, we only have the one VPC option.

You need to know what the types, protocols, port ranges, and sources are, but the tooltips give brief reminders of what each field means.

 ~Now add a rule.
  We want to allow HTTP traffic: TCP as the underlying protocol, on port 80, and we want to allow it in from anywhere.

So, we specify anywhere as the source, and that IP range is, basically, open to the world.

 ~So, this is enough to set up the needed security group for the load balancer, so I'll click create. And there we have our new load balancer security group.

-Now, the next thing we're gonna do is create a new security group for our web tier. In the web tier, we want to restrict HTTP traffic on port 80 in to only the load balancer.

To do that, we specify the load balancer security group's ID as the source when we set up that rule.
 ~Click "Create security group."
 ~Give this one a name. This one's for our web tier, e.g. web-tier.
 ~Maybe a little description that says "Allow HTTP, 80, in from ELB", or any description that makes sense to you.
 ~Now set the inbound rules here.

 Start adding our rules.
  ~The first rule is that we want to allow HTTP traffic in on port 80, and instead of from anywhere, we want to restrict this to just the load balancer.

   So, we choose a custom source, and that source is exactly the security group we just created, the one our yet-to-be-created load balancer is going to use. So, I can add that.
 The second rule we wanted to create was to allow MySQL traffic in on 3306, which happens to be the default port for MySQL, and we'd also want to restrict that to just the web tier.

However, that rule's source is the ID of the web-tier security group, the very group we're creating now, and that ID doesn't exist yet. So, I need to create the group first, then go back in and add the rule using the security group ID that gets assigned when we do this.

The web-tier group now has its new security group ID. Grab that, go to inbound rules, edit the inbound rules, and add a rule that allows MySQL in on 3306 only from the web-tier security group.

 ~And I can save that. So, now we have our two security groups set up, one for the web tier and one for the load balancer, allowing for the traffic that we talked about at the beginning of this section.
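The same two groups, expressed in the IpPermissions shape that boto3's ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...]) takes, plus a small audit that flags any port open to the world that isn't the load balancer's port 80 and any rule whose source group doesn't exist yet (the reason the web-tier group had to be created before its MySQL rule could be added). This is an added example, not code from the original notes; the two sg- IDs are constructed placeholders, and nothing here calls AWS.

```python
# Added example, not from the original notes; nothing here calls AWS.
ANYWHERE = "0.0.0.0/0"  # what the console's "Anywhere" source means

# Constructed placeholder IDs; AWS assigns the real ones when a group is created.
LB_SG = "sg-0aaaaaaaaaaaaaaa1"   # the "load balancer" group
WEB_SG = "sg-0bbbbbbbbbbbbbbb2"  # the "web-tier" group


def tcp_from_cidr(port, cidr, description):
    """A TCP rule on one port whose source is an IP range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}


def tcp_from_group(port, source_sg, description):
    """A TCP rule on one port whose source is another security group's ID."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg,
                                  "Description": description}]}


def build_groups():
    """Rules for both groups as set up in the walkthrough. The 3306 rule
    references WEB_SG itself, which is why that group has to exist before
    the rule can be added."""
    return {
        LB_SG: [tcp_from_cidr(80, ANYWHERE, "public HTTP")],
        WEB_SG: [tcp_from_group(80, LB_SG, "HTTP in from ELB"),
                 tcp_from_group(3306, WEB_SG, "MySQL in from web tier")],
    }


def audit(groups, public_ok=((LB_SG, 80),)):
    """Return findings: any port open to 0.0.0.0/0 that is not on the
    public_ok allow-list, and any group-sourced rule that points at a
    group ID not present in `groups`."""
    findings = []
    for gid, rules in groups.items():
        for rule in rules:
            port = rule["FromPort"]
            for r in rule.get("IpRanges", []):
                if r["CidrIp"] == ANYWHERE and (gid, port) not in public_ok:
                    findings.append(f"{gid}: port {port} open to the world")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in groups:
                    findings.append(f"{gid}: port {port} sources unknown group {pair['GroupId']}")
    return findings
```

Running audit(build_groups()) returns an empty list; adding a 3306 rule from ANYWHERE to the web-tier group, or referencing a group ID that hasn't been created, produces a finding.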

Next up, I'll create the needed load balancer and assign this newly created security group for it to use.
