Amazon EC2 Cookbook
Over 40 hands-on recipes to develop and deploy real-world applications using Amazon EC2

Product type: Paperback
Published in: Nov 2015
Publisher: Packt
ISBN-13: 9781785280047
Length: 194 pages
Edition: 1st Edition

Table of Contents (10 Chapters)

Preface
1. Selecting and Configuring Amazon EC2 Instances
2. Configuring and Securing a Virtual Private Cloud
3. Managing AWS Resources Using AWS CloudFormation
4. Securing Access to Amazon EC2 Instances
5. Monitoring Amazon EC2 Instances
6. Using AWS Data Services
7. Accessing Other AWS Services
8. Deploying AWS Applications
Index

Configuring security groups

Security groups act as firewalls for your EC2 instances. If you don't specify a security group while creating an instance in EC2-VPC, AWS automatically assigns the VPC's default security group to the instance. We can configure inbound and outbound rules for security groups, and we can change these rules while the instance is running; the changes are applied automatically.

Every VPC gets a default security group, which can't be deleted. You can't use a security group created for EC2-VPC when you launch an instance in EC2-Classic, and you can't use a security group created for EC2-Classic when you launch an instance in EC2-VPC. After you launch an instance in EC2-Classic, you can't change its security groups, but you can add and delete rules, which are then applied automatically. After you launch an instance in EC2-VPC, you can change its security groups as well as add and remove rules, which are likewise applied automatically.

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with that security group. Security groups created for EC2-Classic can only have inbound rules, whereas security groups created for EC2-VPC can have both inbound and outbound rules.

You can create up to 500 security groups per region and up to 100 security groups per VPC. An unlimited number of security groups can be assigned to an instance launched in EC2-Classic, whereas only 5 can be assigned to an instance launched in a VPC. Each security group can have up to 100 rules in EC2-Classic and up to 50 in a VPC.

How to do it…

In this recipe, we first list the commands for creating a security group for EC2-Classic and EC2-VPC. Then, we see how to create inbound and outbound rules. Finally, we list the command for adding the security group to an instance.

Creating a security group for EC2-Classic

By running the following command, you can create a security group in EC2-Classic. You have to provide a name and a description for the security group:

$ aws ec2 create-security-group \
    --group-name [SecurityGroupName] \
    --description [Description]

The parameters used in this command are described as follows:

  • [SecurityGroupName]: This provides the security group name
  • [Description]: This gives the description of the security group

Next, run the following command to create a security group with the WebServerSecurityGroup name in EC2-Classic:

$ aws ec2 create-security-group \
    --group-name WebServerSecurityGroup \
    --description "Web Server Security Group"

Creating a security group for EC2-VPC

By running the following command, you can create a security group in EC2-VPC. You have to provide the security group name, security group description, and VPC ID for the security group:

$ aws ec2 create-security-group \
    --group-name [SecurityGroupName] \
    --description [Description] \
    --vpc-id [VPCId]

The parameters used in this command are described as follows:

  • [SecurityGroupName]: This parameter provides the security group name
  • [Description]: This one gives the description of the security group
  • [VPCId]: This option provides a VPC ID

The following command will create a security group named WebServerSecurityGroup in the VPC vpc-1f33c27a. You can list your VPC IDs by running the aws ec2 describe-vpcs command.

$ aws ec2 create-security-group \
    --group-name WebServerSecurityGroup \
    --description "Web Server Security Group" \
    --vpc-id vpc-1f33c27a

Adding an inbound rule

Run the following command to add an inbound rule to your security group. You will need to provide the security group ID, the protocol (TCP/UDP/ICMP), the port, and the CIDR IP range:

$ aws ec2 authorize-security-group-ingress \
    --group-id [SecurityGroupId] \
    --protocol [Protocol] \
    --port [Port] \
    --cidr [CIDR]

The parameters used in this command are described as follows:

  • [SecurityGroupId]: This is used to provide the security group ID
  • [Protocol]: This one provides the IP protocol of this permission
  • [Port]: This is used to specify the range of ports to allow
  • [CIDR]: This one gives the CIDR IP range

Next, run the following command to create the inbound rule that allows SSH traffic from the single IP address 123.252.223.114 in the security group sg-c6b873a3:

$ aws ec2 authorize-security-group-ingress \
    --group-id sg-c6b873a3 \
    --protocol tcp \
    --port 22 \
    --cidr 123.252.223.114/32

Adding an outbound rule

Run the following command to add an outbound rule to your security group. You will need to specify the security group ID, the protocol (TCP/UDP/ICMP), the port, and the CIDR IP range:

$ aws ec2 authorize-security-group-egress \
    --group-id [SecurityGroupId] \
    --protocol [Protocol] \
    --port [Port] \
    --cidr [CIDR]

The parameters used in this command are described as follows:

  • [SecurityGroupId]: This parameter provides the security group ID
  • [Protocol]: This option specifies the IP protocol of this permission
  • [Port]: This is used to give the range of ports to allow
  • [CIDR]: This one gives the CIDR IP range

Then, run the following command to create the outbound rule that allows MySQL traffic from your instance to the single IP address 123.252.223.114 in the security group sg-c6b873a3. MySQL listens on TCP port 3306, and a /32 prefix restricts the rule to that one host:

$ aws ec2 authorize-security-group-egress \
    --group-id sg-c6b873a3 \
    --protocol tcp \
    --port 3306 \
    --cidr 123.252.223.114/32

Adding the security group to an instance

By running the following command, you can attach security groups to your EC2 instance. You have to provide the EC2 instance ID and one or more security group IDs. Note that --groups replaces the instance's current set of security groups with the IDs you list, so include every group that should remain attached:

$ aws ec2 modify-instance-attribute \
    --instance-id [InstanceId] \
    --groups [SecurityGroupIds]

The parameters used in this command are described here:

  • [InstanceId]: This option gives an EC2 instance ID
  • [SecurityGroupIds]: This option provides the IDs of one or more security groups

Then, run the following command to attach the security groups sg-c6b873a3 and sg-ccb873a9 to the EC2 instance i-2e7dace3:

$ aws ec2 modify-instance-attribute \
    --instance-id i-2e7dace3 \
    --groups sg-c6b873a3 sg-ccb873a9
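Once the rules above are in place, the natural follow-up is to review what EC2 actually applied. Two details catch people out: a CIDR written with host bits set, such as 123.252.223.114/24, is applied as the whole 123.252.223.0/24 block rather than the single host the address suggests, and an inbound rule on a management port with source 0.0.0.0/0 exposes that port to the entire Internet. The script below is an added example, not code from the book; it audits output in the shape of aws ec2 describe-security-groups --output json. The group and VPC IDs are the ones used in this recipe, the rules themselves are constructed for illustration, and the MANAGEMENT_PORTS set and the default limit of 50 rules per VPC security group (quoted earlier in this recipe) are assumptions you can adjust.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output, trimmed to the fields used here. Group/VPC IDs come from the
# recipe; the rules are invented for illustration.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-c6b873a3",
            "GroupName": "WebServerSecurityGroup",
            "VpcId": "vpc-1f33c27a",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "123.252.223.114/32"}]},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
            "IpPermissionsEgress": [
                # Host bits set: EC2 applies this as 123.252.223.0/24
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "123.252.223.114/24"}]},
            ],
        },
        {
            "GroupId": "sg-ccb873a9",
            "GroupName": "AdminGroup",
            "VpcId": "vpc-1f33c27a",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                # IpProtocol "-1" means all protocols and all ports
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
            "IpPermissionsEgress": [],
        },
    ]
})

# Assumed set of ports that should never be open to the whole Internet.
MANAGEMENT_PORTS = {22, 3389, 3306, 5432}


def effective_network(cidr: str) -> str:
    """Return the network EC2 actually applies for a CIDR string.

    strict=False mirrors EC2's behaviour: host bits are masked off, so
    123.252.223.114/24 becomes 123.252.223.0/24.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def cidr_widens_intent(cidr: str) -> bool:
    """True when the CIDR has host bits set, i.e. it matches more
    addresses than the literal address suggests (a common /32 typo)."""
    return effective_network(cidr) != cidr


def _port_range(perm: dict) -> tuple:
    """Port range covered by one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_groups(describe_json: str, max_rules_per_group: int = 50) -> list:
    """Scan describe-security-groups output; return (group_id, severity, message) findings."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        gid = sg["GroupId"]
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        # Rule count against the per-group limit quoted in the recipe for VPC groups
        n_rules = sum(len(p.get("IpRanges", [])) for p in ingress + egress)
        if n_rules > max_rules_per_group:
            findings.append((gid, "info", f"{n_rules} rules exceeds limit {max_rules_per_group}"))
        for perm in ingress:
            lo, hi = _port_range(perm)
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                net = ipaddress.ip_network(cidr, strict=False)
                exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
                if net.prefixlen == 0 and exposed:
                    findings.append((gid, "high", f"ingress {cidr} exposes ports {exposed} to the Internet"))
                if cidr_widens_intent(cidr):
                    findings.append((gid, "medium", f"ingress {cidr} is applied as {net}"))
        for perm in egress:
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if cidr_widens_intent(cidr):
                    findings.append((gid, "medium", f"egress {cidr} is applied as {effective_network(cidr)}"))
    return findings


if __name__ == "__main__":
    for gid, sev, msg in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{gid} [{sev}] {msg}")
```

To run it against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the text of aws ec2 describe-security-groups --output json; the audit logic is unchanged. Against the constructed sample it reports the widened egress CIDR on sg-c6b873a3 and SSH open to the Internet on sg-ccb873a9, while the /32 SSH rule and the HTTP rule on the web server group pass.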