I will be having Redis in a master-slave configuration where each Redis node is in a separate EC2 instance. Since each Redis slave will need to communicate with the master, I need to add the Redis' own security group ID as a source. However, I'm unsure as to what protocol Redis will be using. Should I set up the Security group rule as a Custom TCP with select access to ports, or should it just be the "All TCP" rule?
A custom tcp rule on port 6379 and the security group as source is enough
Related
I need to get the IP numbers that are connecting to the EC2 instance then add them to AWS security group as a security group rule. So only those machines will have the permission to connect to instance. I don't need the port number that they're connecting to instance.
I installed iptraf-ng but app is very slow on the instance. Any other suggestions to capture the connecting IP's to instance so I can add them faster to security group rule?
You can use VPC Flow logs to monitor the traffic to the VPC (which will include the traffic that is going to the EC2 instance).
I am trying to connect my app, running on one EC2 instance, to MongoDB, running on another EC2 instance. I'm pretty sure the problem is in the security settings, but I'm not quite sure how to handle that.
First off, my app's instance is in an autoscaling group that sits behind an ELB. The inbound security settings for the instance and ELB allow access to port 80 from anywhere, as well as all traffic from its own security group.
The EC2 instance that runs Mongo is able to take connections if the security group for that instance accepts all inbound traffic from anywhere. Any other configuration that I've tried causes the app to say that it cannot make a connection with the remote address. I've set rules to accept inbound traffic from all security groups that I have, but it only seems to work when I allow all traffic from anywhere.
Also, my db instance is set up with an elastic ip. Should I have this instance behind an ELB as well?
So my questions are these:
1) How can I securely make connections to my EC2 instance running mongo?
2) In terms of architecture, does it make sense to run my database this way, or should I have this behind a load balancer as well?
This issue is tripping me up a lot more than I thought it would, so any help would be appreciated.
NOTE
I have also set the bind_ip=0.0.0.0 in /etc/mongo.conf
Your issue is that you are using the public elastic IP to connect to your database server from your other servers. This means that the connection is going out to the internet and back into your VPC, which presents the following issues:
Security issues due to the data transmission not being contained within your VPC
Network latency issues
Your database server's security group can't identify the security group of the inbound connections
Get rid of the elastic IP on the MongoDB server, there is no need for it unless you plan to connect to it from outside your VPC. Modify your servers to use the private internal IP address assigned to your database server when creating connections to it. Finally, lock your security group back down to only allow access to the DB from your other security group(s).
Optional: Create a private hosted zone in Route53, with an A record pointing to your database server's private IP address, then use that hostname instead of the internal IP address.
I am new to this Aws security to deploy in amazon webservice.
When i restrict security groups with some IP address, my application runs dead slow or it may not run also, thats the reason i am getting connection time out when i try to call webservice which is deployed in aws. When i open the IP address restriction in Security groups it works fine.
How to configure my AWS using security groups. so that my application is accessible to only to some restricted networks.
Please help me put on this.
Below are the my security group details
INBOUND
Type Protocol Port range Source
MYSQL TCP 3306 X.X.X.X/X
SSH TCP 22 X.X.X.X/X
HTTP TCP 80 X.X.X.X/X
OUBOUND
Type Protocol Port range Source
MYSQL TCP 3306 0.0.0.0/0
SSH TCP 22 0.0.0.0/0
HTTP TCP 80 0.0.0.0/0
i am using hibernate for DB connection from my web application. But everytime i am getting connection timeout with the above security group. but if i remove the IP address restrictions it works fine.
Note: DB connection works fine from mysql workbench
<property name="hibernate.connection.url">jdbc:mysql://schemaname.amazonDBInsatnce:3306/test</property>
Security Groups will not "slow down" access to an Amazon EC2 instance. They are used to determine which ports are open to a given range of IP addresses. Either the traffic is allowed through, or it is not.
Security Groups can be defined for Inbound and Outbound traffic. By default, all Inbound traffic is denied and all Outbound traffic is permitted.
It is possible that your application is trying to access some external service and is timing-out, hence causing delays. Permitted all Outbound traffic is usually acceptable, so try that first and see if your application performs better.
Also, check the log files that your application is producing to see if any errors are being generated, which will give you a hint as to what might be happening.
I need my about two EC2 instances which need to connection to an outside redis server. The redis conf is binded to 0.0.0.0 to allow this. Is there some sort of a password/auth system for redis connections? I need to way to allow my servers to connect to remote redis but block everyone else.
I know I can do this with iptables by whitelisting only those EC2 ip addresses for port 6379 but I was wondering if there was a proper way to do this.
Redis sports a very basic form of authentication via password protection. To enable it, you'll need to add/uncomment the requirepass directive in your configuration file and have your clients authenticate with the AUTH command.
Another approach would be to use an extra layer of security such as a secure proxy. Here's an howto: http://redislabs.com/blog/using-stunnel-to-secure-redis.
I want to allows nodes in the app-server group talk to mysql and redis machines in the database group. However, I can only make explicit IPs work for ingress rules. When I try to define groups instead, to make auto-scaling easier, the traffic is blocked.
Here's my setup:
When I run
ec2-describe-group database
I get
PERMISSION 890752071609 database ALLOWS tcp 3306 3306 FROM USER 890752071609 NAME default ID sg-5ce3766c ingress
PERMISSION 890752071609 database ALLOWS tcp 3306 3306 FROM USER 890752071609 NAME app-server ID sg-b81b8088 ingress
PERMISSION 890752071609 database ALLOWS tcp 6379 6379 FROM USER 890752071609 NAME default ID sg-5ce3766c ingress
PERMISSION 890752071609 database ALLOWS tcp 6379 6379 FROM USER 890752071609 NAME app-server ID sg-b81b8088 ingress
PERMISSION 890752071609 database ALLOWS tcp 0 65535 FROM USER 890752071609 NAME database ID sg-d262f1e2 ingress
PERMISSION 890752071609 database ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress
However, when I try to connect to port 6379 using redis-cli from a machine in the app-server group, I get a redis timeout error.
If I explicitly add the elastic IP of the server I want to connect from, like this
PERMISSION 890752071609 database ALLOWS tcp 3306 3306 FROM CIDR 111.snip.25/32 ingress
PERMISSION 890752071609 database ALLOWS tcp 6379 6379 FROM CIDR 222.snip.25/32 ingress
the redis-cli call works. However, I want to be more flexible, and add the entire security group instead.
The amazon docs state
By specifying a security group as the source, you allow incoming traffic from all instances that belong to the source security group. The incoming traffic that you allow is based on the private IP addresses of the instances in the source security group. You might specify another security group in your account if you're creating a three-tier web service (see Creating a Three-Tier Web Service).
This should work, no? What am I doing wrong?
Few recommendations to check/ try:
AWS sec groups do not allow cross regions rules. I don't know if your Redis machines are in the same region.
Try to create this setup from AWS Web Interface or from Dome9 Console (www.dome9.com) to make sure that there are no hidden settings that are not displayed.
Don't loose hope - this kind of setup should work - AWS sec groups were designed for this use case.