Understanding Amazon EC2 Security Groups and Firewalls
September 24, 2010
When launching an Amazon EC2 instance you need to specify its security group. The security group acts as a firewall allowing you to choose which protocols and ports are open to computers over the internet. You can choose to use the default security group and then customize it, or you can create your own security group. Configuring a security group can be done with code or using the .
If you choose to use the default security group, it will initially be configured as shown below:
The protocols to configure are TCP, UDP and ICMP. (ICMP is used for ping.) There is also a range of ports for each protocol. (ICMP uses no port, which is why the range is -1 to -1.) Lastly, the source lets you open the protocols and ports either to a range of IP addresses or to members of some security group.
The default security group above may be a little confusing. It appears that everything is wide open. In fact everything is closed: the default group, by default, opens all ports and protocols only to computers that are themselves members of the default group (if that makes any sense). Anyway, no computer across the Internet can access your EC2 instance at that point.
Most likely, you’ll need to open some protocols and ports to the outside world. There are a number of common services preconfigured in the Connection Method dropdown as shown below.
As an example, if you are configuring an EC2 instance to be a Web server, you’ll need to allow the HTTP and HTTPS protocols. When you select them from the list, the security group is altered as shown below.
The most important thing to note is the Source IP. When you specify “0.0.0.0/0” that really means you’re allowing every IP address access to the specified protocol and port range. So in the example, TCP ports 80 and 443 are open to every computer on the Internet.
You might also want to allow services to manage the server, upload files and so on. For example, if I were configuring a Windows server I’d want to use Remote Desktop, which would require me to enable RDP, which uses TCP port 3389. However, I’d only want my IP address to have access to that protocol. It would be crazy to allow every computer in the world access to services like RDP, FTP, database services, etc. See the screenshot below.
Now RDP is enabled on TCP port 3389, but only for the IP address 75.88.111.9. Note that after the IP address, you don’t specify “/0”. If you do, every computer in the world will have access to that port. To restrict access to a single address, specify “/32” after the IP. (If you want to know why, read the following article: .)
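The three rule sets discussed above (the members-only default group, the web server with HTTP/HTTPS open to everyone and RDP limited to one address, and the “/0 after the IP” mistake) can be modelled and checked offline. The following is an added example, not code from the original post and not the AWS API: the Rule class, the rule sets and the function names are constructed here, and the 203.0.113.7 address is a documentation address standing in for an arbitrary Internet host. It evaluates whether a given source IP can reach a port under a set of rules, and audits a rule set for management ports exposed to 0.0.0.0/0, including the case where a host address was given a /0 mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of one row in the security group table from the post.
# Field and function names are hypothetical; they are not the AWS API.
@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "icmp"
    from_port: int   # -1 for ICMP, which has no port
    to_port: int
    source: str      # a CIDR such as "0.0.0.0/0" or "75.88.111.9/32",
                     # or the name of a security group whose members are allowed

# Management services that should never be reachable from 0.0.0.0/0.
ADMIN_PORTS = {21: "FTP", 22: "SSH", 1433: "SQL Server", 3306: "MySQL", 3389: "RDP"}


def parse_source(source: str) -> Optional[ipaddress.IPv4Network]:
    """Return the network a source CIDR describes, or None for a group name.

    strict=False masks off host bits, so "75.88.111.9/0" parses as 0.0.0.0/0:
    that is exactly the mistake the post warns about.
    """
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None  # e.g. "default": only members of that group, no CIDR


def rule_allows(rule: Rule, protocol: str, port: int, source_ip: str) -> bool:
    """Does a single rule admit traffic for this protocol/port from this IP?"""
    if rule.protocol != protocol:
        return False
    if protocol != "icmp" and not (rule.from_port <= port <= rule.to_port):
        return False
    net = parse_source(rule.source)
    if net is None:
        return False  # an arbitrary Internet host is not a group member
    return ipaddress.ip_address(source_ip) in net


def is_reachable(rules: List[Rule], protocol: str, port: int, source_ip: str) -> bool:
    """Security group rules are additive: any matching rule opens the port."""
    return any(rule_allows(r, protocol, port, source_ip) for r in rules)


def audit(rules: List[Rule]) -> List[str]:
    """Flag rules that expose admin ports to everyone or use a /0 mask by mistake."""
    findings = []
    for r in rules:
        net = parse_source(r.source)
        if net is None or net.prefixlen != 0:
            continue  # group-sourced, or narrower than the whole Internet
        if r.source != "0.0.0.0/0":
            findings.append(f"source {r.source} has a /0 mask and equals 0.0.0.0/0")
        if r.protocol != "icmp":
            for port, name in ADMIN_PORTS.items():
                if r.from_port <= port <= r.to_port:
                    findings.append(f"{name} ({r.protocol}/{port}) is open to the whole Internet")
    return findings


# The default group as described in the post: everything open, but only to members.
DEFAULT_GROUP = [
    Rule("tcp", 0, 65535, "default"),
    Rule("udp", 0, 65535, "default"),
    Rule("icmp", -1, -1, "default"),
]

# The web server from the post: HTTP/HTTPS to everyone, RDP only from one address.
WEB_SERVER = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 3389, 3389, "75.88.111.9/32"),
]

# The "/0 after the IP" mistake from the post.
RDP_MISTAKE = [Rule("tcp", 3389, 3389, "75.88.111.9/0")]

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_GROUP), ("web", WEB_SERVER), ("mistake", RDP_MISTAKE)]:
        print(name, "RDP reachable from 203.0.113.7:", is_reachable(rules, "tcp", 3389, "203.0.113.7"))
        for finding in audit(rules):
            print("  !", finding)
```

Running the script shows the default group admitting nothing from the Internet, the web server admitting RDP only from 75.88.111.9, and the mistaken rule admitting RDP from anywhere while the audit reports both the /0 mask and the exposed port.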
You may also need to know what your public IP address is. Search Bing for “My IP address”, and a number of Web sites will come up that will tell you.
For an easy tool to test whether a port is open, try from Google.
To learn more about EC2 and cloud computing, enroll in a . are being added all the time, so check back often.
If you’re interested in .NET programming, visit the of this blog.
As cloud computing continues to make information technology headlines, vendors are aggressively promoting the many benefits it can provide organizations. Learning Tree’s White Paper, , addresses the claims and questions that are often raised in relation to cloud computing and provides a clear view of what the cloud can—and can’t—deliver in reality.
PS – Have a look at our brand new, 1-day online course – .
14 Comments
- on October 31, 2011 at 6:47am […] Amazon EC2 Security Groups for Elastic Beanstalk Published October 31, 2011 cloud computing Leave a Comment Tags: Amazon AWS Security Groups, Database Access from BeanStalk Amazon’s Elastic Beanstalk is an elegant Platform as a Service (PaaS) for Java application deployment. Anybody who has provisioned servers with the Elastic Compute Cloud (EC2) will be familiar with configuring security groups. A security group is like a firewall, and defines a set of permissions for accessing Amazon Web Services (AWS) resources. More details can be found here. […]
- on October 31, 2011 at 5:08pm […] Amazon’s Elastic Beanstalk is an elegant Platform as a Service (PaaS) for Java application deployment. Anybody who has provisioned servers with the Elastic Compute Cloud (EC2) will be familiar with configuring security groups. A security group is like a firewall, and defines a set of permissions for accessing Amazon Web Services (AWS) resources. More details can be found here. […]
- siva on December 23, 2011 at 10:46am Nice, but we want more example pictures and explanation… and explaining it in simple English would be more useful to all other people.
- on December 23, 2011 at 9:36pm Good suggestion, Siva. I’ll try to write a more detailed article in the near future. Thanks!
- on January 24, 2012 at 8:50pm […] … Answered by cjc […]
- on February 10, 2012 at 12:04am I want to thank you for taking the time to provide such a clear, concise, and straightforward description of how Amazon Security Groups work. There are a lot of articles on the web that make this look daunting. Your description and examples are right on target. Again, thank you!
- Mainly Data » Using Paramiko to control an EC2 instance on April 19, 2012 at 8:52am […] “mySecGrp” is a Security Group I’ve previously set up via the AWS Management Console; ‘ami-3e9b4957′ is the AMI […]
- David on July 17, 2012 at 3:03am If you have multiple AWS accounts and/or regions and want to manage multiple security groups, you should check out a paper by Dome9 at . One of the things I like is the ability to close administrative ports via Security Groups, but then open them on demand. Although the article points to limiting the scope to an authorized IP address, closing it for all really locks down the EC2 Security Groups.
- Nik on August 28, 2012 at 6:01pm (if that makes any sense)? Yes, but no thanks to this article. Which is very helpful otherwise, thank you.
- on September 14, 2012 at 10:32am Over a year late, but for people with the same question who come across this, we do this by having an Apache host serve a page that executes a script which will add an IP to certain security groups. The IP it takes from the client’s IP, and the security groups are currently hardcoded to keep things simple. The page itself is password protected, so you have to authenticate via LDAP / AD and have a valid account before your IP is added. These IPs are kept in a list and cleared at the end of the day.
- meizlik on September 20, 2012 at 12:32pm Actually, an easier way is to use Dome9 (www.dome9.com). You can install their new iPhone/iPad app and when you click their Get Access button, it dynamically maps the IP address of your device and creates a rule in your EC2 Security Group to allow access (just for your IP) for a specified period of time (e.g., 60 minutes). Everything is driven via API, so there’s no Apache server or scripts to configure.
- Ashish on October 1, 2012 at 4:00pm Hi, I have installed Jenkins on my Amazon EC2 instance and it is up and running; by default it listens on port 8080. I can verify it by netstat -anp | grep 8080:
    tcp6 0 0 :::8080 :::* LISTEN 10817/java
  I have also opened ports 8080 and 80 as per your blog, and if I do curl -I localhost:8080 I get the response below.
    HTTP/1.1 200 OK
    Server: Winstone Servlet Engine v0.9.10
    Expires: 0
    X-Hudson-Theme: default
    Content-Type: text/html;charset=UTF-8
    X-Hudson: 1.395
    X-Jenkins: 1.424.6
    X-Hudson-CLI-Port: 52153
    X-Jenkins-CLI-Port: 52153
    Connection: Close
    Date: Mon, 01 Oct 2012 19:57:56 GMT
    X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
    Set-Cookie: JSESSIONID.0463af45=d82e3b5e083581a88ea9c0492cd384fa; Path=/
  But still, I can’t access Jenkins from outside using http:ipaddress:8080/jenkins. Can you please tell me what I could be doing wrong?
- amunnamg on February 7, 2013 at 8:02pm Hi Ashish, I have a similar issue. I could access the web server, but not the application server (JBoss). Were you able to access your application server? Can you please let me know if you have worked around this?
- on February 8, 2013 at 1:28am […] connecting, first check that your Amazon EC2 Instance is accessible on port 3838 universally (see this site for more details). Also check the shiny-server is currently running on your […]