We covered how to create and manage AWS security groups. In this how to guide we will extend concept with creating more than a single security group and assigning multiple to a specific EC2 instance.

Scale cloud application deployment over AWS can have different app servers, DB servers, email server, etc. It is advisable to create a separate security group for each functionality or for each port and assign to the respective cloud resources i.e. instances.

In this guide we will create multiple security groups, each will hold the following different functionality: Database, Web App, HTTP, Email. The steps follow important cloud security and firewall best practices.

At start you will have your AWS default single security group. Though once your cloud footprint grows and operation automation take place we strongly recommend to “separate and rule” modules of functionality using multiple security groups include defining and  maintaining separate access permission policies. An AWS instance, can be assigned to more than a single security group. Once an instance is launched you can add or remove security group or just change a specific rule of that related  security group.

1.  Create a security group for the database server.

2.  We will consider that we will use MySQL and MSSQL, So we will need yo enable the relevant ports for each of the database services. In this example we have opened the DB ports only for specific IP range. It is a good practice to keep your group safe so the ports are opened for your organization access only.

3.  Create a security group for the remotely connected instances via SSH / RDP. Again we will restrict the access to a specific IP only. This is very important since if you specify “0.0.0.0/0″ that really means your allowing every IP address access the specified protocol and port range.

RDP is enabled on TCP port 3389, but only for the IP address 100.10.10.10.  Note that after the IP address, you don’t specify “/0″.  If you do, every computer in the world would have access to that port.  To restrict access to a single address specify “/32″ after the IP.

4.  Set the MySQL service so that it can be access from the web server only. TO achieve this, first you need to procure a elastic IP. Notedown that IP and assign it to your web/app server. Now open mysql only for your elastic IP.

The above is a best practice so only the app / web server can connect to your database and no one even from your internal organization will be able to connect it

5.  Setup HTTP & HTTPS port for app /web server.

 As shown above we have opened port for all IPs since our web application is accessed from internet by any IP.

6. Setup the SMPT port. We will use the command line tool to setup SMTP port.

13.  Enter the AWS cloud console to validate the creation of the security group.

14.  Launch an instance and assign multiple security groups to the newly created instance.

18.  The advantage of above exercise is we have not separate group for each functionality.

19.  Once you decide to do horizontal scaling or want to have separate DB instance, create a separate DB security group for that instance and just modify the DB security group created in step#9 by removing all the rules.

20.  Thus we will have much better rule and firewall management with separate security groups.

21.  If we had kept single security group, we have to ensure that it is specific to instance and also modify from the list of multiple ports opened. There are bigger chances of mistake while keeping single security group that is the reason, we recommend having a separate security group for each functionality and managing them in better way.

No time to attend to your AWS security breaches? Newvem automatically recognizes your database servers, analyzes their vulnerability, and provides you with drill downs covering insights on specific instances for a quick fix turnaround. Learn more

Keywords: amazon AWS cloud, EC2, AWS Instance, Security Groups, AWS Console, AWS CLI, Ports,