From the course: AWS Essential Training for Developers

Using security groups as firewalls

- So let's say that this cable represents our external internet traffic, and we're going to connect it to our network interface so that our customers can access our web server. Now, for anyone who's run servers before, or set up a home network, you would know that what I'm doing here is a pretty bad idea. This is unfiltered internet traffic, which means that unless I'm plugging this cord first into a firewall, or say a home router, or I'm running a software firewall on my server, I'm exposing my server to attacks from hackers that are scanning Amazon's IP ranges, just looking for exposed servers like this one. To solve this, Amazon uses security groups, which act as simple firewalls that allow you to expose only the parts of your server that are configured for public internet traffic. Think of these as line filters on ethernet cords going into your servers. If you do see a security group on a diagram, it's usually a black and red dashed line that is drawn around the resource it's protecting, such as an EC2 instance. Now that I've got a security group in place, I'm ready to connect back to the public internet. Let's take a look at an example diagram, and then we'll make a change to our security group.

Back in the EC2 console, select your first web server instance, and under the Security tab, you'll see that my instance is running a security group called Launch Wizard 1. When creating new security groups from the EC2 Launch Wizard, you can assign different names to new security groups before creating the instance by clicking the Edit button and giving the security group a different name. But once the security group is created, like Launch Wizard 1, you can't edit its name. Once your account gets more usage, keeping up with your security groups can be challenging. In the EC2 console, on the left hand menu, under Network and Security, click on Security Groups. Select the security group Launch Wizard 1, and at the top, click on the Actions pull down. Click the option Copy to New Security Group. For security group name, type webservers. And for description, type Allows Public SSH and HTTP for webservers.

Under the inbound rules, this security group allows 0.0.0.0/0, and the forward slash here is called a netmask, and it's a shorthand abbreviation for an IP address range. The pull down underneath Source tells us that this will allow traffic from anywhere. If instead, you selected My IP, the /32 means the range is a single IP address. So the range is only limited to the current public IP address of your computer. Whereas /0 here means the range is all IP addresses. Select Anywhere, IP version 4. So this bottom rule says that the server will accept incoming traffic over Port 22, which is the SSH port, from any IP address on the internet. It's not a great idea to have our SSH port publicly exposed to the entire internet, even though AWS gave us a really long and secure private key to use when we created the key pair. Throughout the rest of this chapter, we are going to discuss some other networking strategies that will give you better security. Our security group will also accept any traffic over Port 80, which is the default HTTP port used by web servers that are not encrypting their traffic. Next to the HTTP Port 80 rule, click the Delete button, and we're going to see what this does to our web server. Also, look down at the outbound rules, and you'll see that this server can make an outbound connection with any destination on the internet using any protocol. So this means that our server can go out on the internet and get software updates or use external APIs. Click Create Security Group.

On the left hand menu, under Instances, click on Instances, and click on your first running EC2 instance. At the top, in the Actions pull down, under Security, select the option that says Change Security Groups. In the search bar, you can click inside of it and click on the auto completed web server security group, or type webservers to search for it. Click Add Security Group. Instances can use multiple security groups, and their rules stack together. So since Launch Wizard 1 still has the HTTP port open, click Remove next to it. Now click Save. Click on the first instance again, and under the Details tab, click Copy next to the IP version 4 public address. Open a new browser tab, type http:// and paste in the public IP address and hit Enter. You'll see that the web server is now inaccessible because the HTTP Port, Port 80, is not listed as an allowed port, and it's being blocked by the security group.

Go back to your previous browser tab, and in the EC2 console, under Security Groups, click on the web server's security group, and under Actions, click Edit Inbound Rules. Click the Add Rule button. In the Type pulldown, select HTTP. This will automatically fill out this rule as being TCP Port 80. For the source, click the pulldown and select Anywhere, IP Version 4. Click Save Rules. Jump back over to the tab that you have up with our web server's public address. Press the Refresh button in your browser, and you should see the web server come back up. Now let's make sure our second instance is using the web server's security group. On your own, repeat the instructions for removing the old security group from your second instance, and assign only the web server's security group to it. Now, let's up our security game and talk about some ways you can securely hide entire servers from public internet traffic and create a private network.
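The following is an added example and is not part of the course material. It is a small offline evaluator for the security-group behaviour the lesson walks through: the /0 versus /32 source ranges, the fact that rules from every attached group are unioned (there are no deny rules), the effect of deleting and re-adding the HTTP rule, and a check for ports that are open to the whole internet. The dict layout copies the IpPermissions entries that `aws ec2 describe-security-groups` returns, reduced to the few fields used here (an assumption); only IPv4 CidrIp ranges are modelled, and the sample groups and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Offline evaluator for EC2 security-group inbound rules (added example)."""
import ipaddress


def tcp_rule(port, cidr):
    """One inbound rule in the shape the EC2 API uses (fields trimmed, assumption)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample groups mirroring the lesson: the launch-wizard group opens
# SSH and HTTP to the world; the "webservers" copy has the HTTP rule deleted.
LAUNCH_WIZARD_1 = {"GroupName": "launch-wizard-1",
                   "IpPermissions": [tcp_rule(22, "0.0.0.0/0"),
                                     tcp_rule(80, "0.0.0.0/0")]}
WEBSERVERS = {"GroupName": "webservers",
              "IpPermissions": [tcp_rule(22, "0.0.0.0/0")]}


def rule_allows(rule, protocol, port, source_ip):
    """True if this single inbound rule admits (protocol, port) from source_ip."""
    proto = rule["IpProtocol"]
    if proto not in ("-1", protocol):          # "-1" is the API's "all protocols"
        return False
    if proto != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    src = ipaddress.ip_address(source_ip)
    # /32 contains exactly one address; /0 contains every IPv4 address.
    return any(src in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def is_allowed(groups, protocol, port, source_ip):
    """Groups attached to one interface are unioned: a single matching rule in
    any of them admits the packet. This is why the lesson removes
    launch-wizard-1 rather than relying on the webservers group alone."""
    return any(rule_allows(rule, protocol, port, source_ip)
               for g in groups for rule in g["IpPermissions"])


def world_exposed_ports(groups, protocol="tcp"):
    """Ports reachable from 0.0.0.0/0 across all groups (the 'SSH open to the
    entire internet' situation the lesson warns about). Returns a set of port
    numbers, plus the string "all" if an all-protocols rule is world-open."""
    exposed = set()
    for g in groups:
        for rule in g["IpPermissions"]:
            if rule["IpProtocol"] not in ("-1", protocol):
                continue
            world = any(ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0
                        for r in rule.get("IpRanges", []))
            if not world:
                continue
            if rule["IpProtocol"] == "-1":
                exposed.add("all")
            else:
                exposed.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return exposed


def with_rule(group, rule):
    """Copy of group with one inbound rule added (the Edit Inbound Rules step)."""
    return {"GroupName": group["GroupName"],
            "IpPermissions": group["IpPermissions"] + [rule]}


def restrict_ssh_to(group, my_ip):
    """Copy of group with any dedicated port-22 rule narrowed to my_ip/32,
    i.e. the 'My IP' source choice instead of 'Anywhere'."""
    rules = [tcp_rule(22, f"{my_ip}/32")
             if r["IpProtocol"] == "tcp" and (r["FromPort"], r["ToPort"]) == (22, 22)
             else r for r in group["IpPermissions"]]
    return {"GroupName": group["GroupName"], "IpPermissions": rules}


if __name__ == "__main__":
    client, me = "198.51.100.9", "203.0.113.7"      # constructed addresses
    print("HTTP with only webservers attached:", is_allowed([WEBSERVERS], "tcp", 80, client))
    print("HTTP with both groups attached:   ", is_allowed([WEBSERVERS, LAUNCH_WIZARD_1], "tcp", 80, client))
    fixed = with_rule(restrict_ssh_to(WEBSERVERS, me), tcp_rule(80, "0.0.0.0/0"))
    print("world-exposed ports after fix:", world_exposed_ports([fixed]))
```

The `world_exposed_ports` check is the one worth running against real `describe-security-groups` output before a group is attached to anything: a group that lists port 22 there is exactly the state the lesson describes as not a great idea, regardless of how strong the key pair is.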