I want to create a security group for AWS Elasticache (Redis).
As far as i see, i have 2 options:
Either open a Custom TCP connection on port 6379, and define the IP addresses what can reach Redis as a source.
Or, what currently works: I Open the 6379 port to anywhere (so that my EC2 instance can connect to it), and secure the components before the EC2.
What is the best approach here?
In your instance it sounds like you should have a single inbound rule for the security group assigned to your ElastiCache Redis cluster. This rule for port 6379 should specify the security group assigned to your EC2 instance(s) in the "source" field.
By specifying the security group ID in the source field, instead of an IP address or IP range, you can easily scale-out your EC2 server cluster, or make modifications to your EC2 instance that might result in an IP address change, without needing to change the security group rules for your ElastiCache cluster.
Note that if you do continue using IP addresses in your security group, you need to use the Private IP of the EC2 server, not the Public IP.
Related
I am trying to understand this statement:
"You can reference AWS Security Groups from other Security Groups."
What exactly does this mean?
This is how I understood this. I created a security group and call it "SG-10" and attached it to an instance "EC2-10". The SG "SG-10" has allow port 443 defined inside it.
Now, I create a security group and call it "SG-20" and attached this to an instance "EC2-20". This also has port 443 allowed. Now, if I call "SG-10" inside "SG-20" does this mean that "EC2-10" will be able to connect to "EC2-20" on port 443.?
Regards,
Nik.
if I call "SG-10" inside "SG-20"
No, you can not call a security group, this does not make any sense.
If a security group A references security group B, it does mean that the instance to which the security group A is attached allows inbound or outbound traffic to another instance to which security group B is attached. But if you want to send traffic form instance with security group A to the instance with security group B, you have to use the IP or the DNS of the instance B.
Usually the reason why we would want to reference a security group instead of an IP, is that the IP might change over time or it is not exposed at all. A fairly common example is having an application load balancer (ALB) and a group of EC2 instances which allow traffic only from the ALB. The IP address of the ALB changes over time, so in order to be able to receive traffic from the ALB, we can reference the security group attached to it.
In we want to reference a security group from another security group, we have to edit the rules of the initial security group:
As an example of referencing security groups, imagine a 3-tier architecture:
A Load Balancer receiving traffic from the Internet and sending requests to an Amazon EC2 instance
An Amazon EC2 instance receiving requests from the Load Balancer and sending queries to an Amazon RDS database
An Amazon RDS database receiving requests from the EC2 instance
This would involve 3 security groups:
A security group on the Load Balancer (LB-SG) that allows incoming traffic on port 80/443.
A security group on the EC2 instance (App-SG) that allows incoming traffic on port 80 only from the load balancer. It does this by setting the source to LB-SG.
A security group on the RDS database (DB-SG) that allows incoming traffic on the relevant port (eg 3306) only from the EC2 instance. It does this by setting the source to App-SG.
All security groups allow All Outbound Traffic.
By referencing other security groups, resources can be added/removed without having to change the security groups. For example, another EC2 instance could be launched and assigned the App-SG security group. This new instance would then be able to communicate with the database since DB-SG allows incoming traffic from App-SG, without being tied to any specific IP addresses.
If a resource is associated with multiple security groups, then all rules apply to the resource. Security Groups only say what is 'Allowed'. They do not include 'Deny' rules.
In your SG-10/SG-20 example, you do not mention the source of the traffic, so it is not possible to answer your question. If you want EC2-20 to accept connections from EC2-10, then the SG-20 security group should allow connections with the Source set to SG-10.
As an aside, I should mention that Network ACLs should normally be left at their default "Allow All" settings unless there is a specific networking requirement (eg creating a DMZ).
I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup. Please check this question: Source Security group isnt working as expected in aws. Actually. When you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.
2 questions on NLB in AWS
I have a requirement to use NLB in front of the EC2 which runs MYSQL. This EC2 is in private network. I just want to allow NLB to be accessed by some particular internet IP. If it's ALB, I can use security group to do this. However, without security group in NLB, how can I achieve this?
In this setup, I connect to NLB from my PC and reach to that MYSQL EC2. To make it success, I find that I have to allow 0.0.0.0/0 in the incoming rule of the EC2 security group instead of just putting my PC IP. I thought my PC IP should be brought to EC2 directly through NLB. Is it not true? I dont want to allow 0.0.0.0/0 in EC2 security group. Is there any better way?
Thanks!
The security group evaluations are performed by the instances security groups for the Network Load Balancer. You would need to add the IP addresses you would like to communicate with the NLB to your instances, as long as your instance is in a private subnet this will prevent any client directly interacting with the host.
Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.
More information is available in the Register targets with your target group documentation.
The only way to block the traffic in your case is to have the IPs to which you want to allow access in the EC2 SG.
However you need to account for the fact that there is a difference on the IP address from which the request will come from and thus will be evaluated from the EC2 SG based on how you have configured the target group of the NLB and more specifically on whether you have set up the target type to be instance or ip, as there is a difference in the NLB behaviour.
If the target type is set to instance, the NLB will pass the traffic to your instance as is, and the EC2 SG will see your locap PC public IP address, and if there is a rule to allow it you will be able to connect
If the target type is set to ip, the NLB is doing an NAT, and the EC2 SG will actually see the private IP of the NLB as a source IP for the incoming traffic.
Take a look at the Source IP Preservation in the NLB Target Group documentation.
There is a similar discussion in this question.
I am working fine with my current ELB, but for security reasons i want to restrict connections by allowing just instances in the same security group, so i created an aditional security group just for mange only the ELB, i have no problem while i allow 0.0.0.0/0 to the 443 port, but when i remove the rule i am losing the connection, if i allow the public ip of the instance it will work, but i have several instances so it is not an option, i also tried allowing private CIDR (10.0.0.0/24) of the instances and it does not work, and i also tried allowing same security groups with not success
Thanks in advance
The setup should be:
A security group on the Amazon EC2 instances running your app (SG-App) that permits incoming traffic from the appropriate locations to access the app
A security group on the Load Balancer (SG-LB) that permits inbound connections on port 443 from SG-App
That is, SG-App is permitting inbound connections from any instances associated with SG-App. This is much better than allowing connections "from the same security group" because the instances need different settings to the ELB.
When the instances resolve the DNS Name associated with the Load Balancer, it should resolve to a private IP address (10.0). You can test this by connecting to one of the instances and trying to ping/lookup the ELB DNS Name and seeing what IP address it is using.
I have set an Amazon EC2 instance and an Amazon RDS instance. These two instances are both available.
I tried to connect to the RDS instance from my localhost, and I succeeded:
(I'm sorry about the picture's content is in Chinese, but the content in the red border means "success".)
In a word, when I used my localhost, I can connect to the RDS instance that I just set successfully.
But when I tried to use the EC2 instance to connect the same RDS instance with oracle sqldeveloper, I CANNOT EVEN CONNECT TO IT.
The error message is:
The Network Adapter could not establish the connection
How can I solve this issue?
Update:
My Security Group is:
The security groups match the AWS EC2 instance`s PRIVATE IP.
This answer is not necessarily a fix for your situation, but rather a recommendation about how to configure a security group.
Rather than using IP addresses within a security group, it is better to refer to another security group.
The configuration would be:
EC2-SG security group: Attach this to your EC2 instance. Allow access on desired ports (eg port 80).
RDS-SG security group: Attach this to your RDS instance. Allow access from EC2-SG- on desired port (eg port 3306).
This way, the RDS-SG will permit access from any EC2 instance associated with the EC2-SG security group. This will continue to work even if IP addresses change or additional EC2 instances are launched with the same EC2-SG.
I have deployed a nodejs application in AWS EC2 instance. It has API gateway with '/api/companies' endpoint. After starting my server I am able to cURL from the instance terminal and it returns the result correctly. But I am not able to make the request from my browser to the EC2 instance. I am not sure exactly how to modify the inbound rules to make this work
You might want to check out the Security Group Rules documentation, but the gist is:
Create a new Security Group in your VPC for your EC2 instance
In the Inbound rules, create a new rule
Set the Source to your IP address. (Optional, if you want to allow access from any IP address, enter 0.0.0.0/0 in the Source)
Set the Protocol to tcp, and set the Port to 80 or 443 depending on what your application uses
Edit your existing security group or add a new security group
Select the VPC the instance is running in. The attached image shows No VPC, but you have to select your VPC
For Source, you can choose My IP if you want to allow inbound traffic from your IP only or from Anywhere in the world