Security Groups got its own post because I think Amazon did it very well, and it is very important. When you first set up an EC2 server you have to attach a Security Group, which basically tells the server who is allowed to do what on it. This covers SSH, FTP, HTTP, and everything else.
Personally, I love this and here are a few examples of when, and how, I have used it.
SSH Access: Who needs it? Me…why? Because I have to set up the server and manage it. Who else needs it? NO ONE! That being said, why just leave it open to be accessed by any computer? With Amazon AWS I have the ability to easily manage who is allowed in, based on their IP address. So, I set that to my IP address, and everyone else is blocked. Now, if I need to add a computer, I can easily jump into the Amazon AWS Manager and add another address.
Staging Server: Typically, for my larger sites, I use a three-tiered development process. I have a development server at home on a Mac Mini, with a small database set for testing new things out. When the new modules are about 90% complete, I push them up to the staging server, which is a small EC2 instance that sits next to the production server. This is where I continue to build out the new code and test it against the full database set. With the Amazon AWS Manager I can easily allow certain IP addresses access to this server: mine, the client’s, and anyone else I need to have test it.
These are just a few of the many reasons why limiting who has access to what ports is a good thing. As a default setting, Amazon sets all ports to NO ACCESS of any kind, so it’s your job to go in and open them up. You have to determine what you want open, but to get through this tutorial we will have to open up SSH and HTTP.
Step 1: Log in to the Amazon AWS Manager and click on the EC2 tab at the top. Once the interface opens up, look down the left-hand side and select “Security Groups.” If you have already added an EC2 server, all you have to do is select the security group that you used when setting it up. (IMPORTANT: You cannot change Security Groups once one is attached to an EC2 Instance.) For demo purposes I am going to go ahead and create a new security group. You don’t get charged anything extra for creating security groups, so at the top of the window that opens click “Create Security Group.” Enter a Name and Description for the Group and click “Yes, Create.”
Step 2: After you have created a new security group it will be selected, and you will notice in the bottom half of the window there are two tabs, “Details” and “Inbound.” Click “Inbound.” On the left-hand side you will see a form that allows you to add “Rules” to your security group, and on the right-hand side it is blank, because you haven’t added any rules yet. If you go to WhatIsMyIP.com you can capture what your IP address is…mine is 184.108.40.206.
To open up a single port, you will need to select what you are creating a new rule for, in this case SSH, enter a source IP address, and use CIDR notation to define who that rule applies to. Sounds fun huh? Well, let me tell you, learning this stuff is important and a massive pain in the ass. That being said, the first service I am going to open up is SSH, so I will choose that from the dropdown and then enter the IP address I wish to open it up to. For the purpose of this test you can simply enter 0.0.0.0/0, which opens it to everyone; I am going to enter 220.127.116.11/32 (the /32 means exactly one address) and click “Add Rule.” Now if you try to connect to the server at this time it’s going to boot you. Why? Because you haven’t applied the rule changes yet…we’ll get to that in a second. Next, I am going to select HTTP from the dropdown, enter 0.0.0.0/0 as the source, allowing everyone to access it, and click “Add Rule.”
After I have all my rules in place, I will click “Apply Rule Changes” and my changes will be saved to the Firewall. We are now good to go.
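Since the CIDR suffix is the part people trip over, here is a small added example (my own code, not anything from the post or from AWS) that models the two rules we just entered with Python's standard `ipaddress` module. It shows how many source addresses a /32 versus a /0 admits, evaluates a few connection attempts against the rules the way the firewall does (default deny, any matching rule allows), and flags the "for the purpose of this test" shortcut that leaves SSH open to the whole Internet. The 198.51.100.7 address is a constructed stranger's IP; the 220.127.116.11/32 rule is the one from the walkthrough.

```python
# Added example (not from the original post): a model of a security group's
# inbound rules, using the ipaddress module to show what the CIDR suffix does.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound rule as entered in the console: protocol, port, source CIDR."""
    protocol: str
    port: int
    cidr: str


def hosts_covered(cidr: str) -> int:
    """Number of source addresses a CIDR block admits (/32 = one host, /0 = everyone)."""
    return ip_network(cidr, strict=False).num_addresses


def allows(rules, protocol: str, port: int, source_ip: str) -> bool:
    """Default deny, as on a fresh security group: a connection gets in only if
    some rule matches its protocol, port and source address."""
    src = ip_address(source_ip)
    return any(
        r.protocol == protocol
        and r.port == port
        and src in ip_network(r.cidr, strict=False)
        for r in rules
    )


def audit(rules, admin_ports=(22,)) -> list:
    """Return the rules that expose an admin port (SSH by default) to 0.0.0.0/0 or ::/0."""
    return [
        r for r in rules
        if r.port in admin_ports and ip_network(r.cidr, strict=False).prefixlen == 0
    ]


# The rules from the walkthrough: SSH from one address only, HTTP from anywhere.
TUTORIAL_RULES = [
    Rule("tcp", 22, "220.127.116.11/32"),
    Rule("tcp", 80, "0.0.0.0/0"),
]

# The "for the purpose of this test" shortcut: SSH open to the whole Internet.
SHORTCUT_RULES = [
    Rule("tcp", 22, "0.0.0.0/0"),
    Rule("tcp", 80, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("/32 covers", hosts_covered("220.127.116.11/32"), "address;",
          "/0 covers", hosts_covered("0.0.0.0/0"))
    # 198.51.100.7 is a constructed address standing in for any other computer.
    print("my SSH:", allows(TUTORIAL_RULES, "tcp", 22, "220.127.116.11"))
    print("stranger SSH:", allows(TUTORIAL_RULES, "tcp", 22, "198.51.100.7"))
    print("stranger HTTP:", allows(TUTORIAL_RULES, "tcp", 80, "198.51.100.7"))
    print("tutorial audit:", audit(TUTORIAL_RULES))
    print("shortcut audit:", audit(SHORTCUT_RULES))
```

Running `audit` over the shortcut rules is the check worth doing before you click "Apply Rule Changes": the only rule it flags is SSH from 0.0.0.0/0, while the /32 version passes clean. Nothing else on the group changes; HTTP on 0.0.0.0/0 is expected for a public web server.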
Now that we have added the server and set up the security group, we will move on to setting up the actual server. The next post will be a detailed tutorial on how to use the command prompt to connect, update, upgrade, and install several modules to get a web server up and running.