
I want to set up a security group for an EC2 instance (Linux). There are services running on it like memcached, python, dhclient, nodejs etc. How do I know which IP/CIDR block my server should be listening to on a particular port? E.g. if mysqld is running on port 3306, what should the source CIDR/IP/SG be, and how do I find it out? (inbound rules)

P.S. It is a VPC with various web servers, database servers, CMS, Solr etc. I need to set up security groups for each of these. Specifically, I need to know what instance is talking to what other machines in the VPC. Presently the security group setup is open for all. I need to secure it.

Aso'K
  • Since I don't know what is talking to what in my VPC, can I use a NAT Gateway to secure the VPC? If yes, how? – Aso'K Nov 08 '16 at 11:03

2 Answers

Consider that if you are running mysqld on a database server, you simply need to open port 3306 in the database server's security group to the web server's security group. Then all the web servers will have access to the database servers.

  • Okay, but is there a way to map memcached, dhclient (bootpc port 68, and some other dhclient is running on some other port) and nodejs services? How do I find out which servers are accessing which service, so that I can open the respective port for the respective security groups? – Aso'K Nov 08 '16 at 12:55

If you want to adjust the security groups for a server, then you need to do the following:
1. Get a scope of all your servers.

2. Inbound rules:
2.1 Specify the security groups of your servers as the source, and the port that is used by a certain service (3306 for mysqld).
2.2 Specify the IP address that you will manage that server from, with port 22 for SSH.

3. Outbound rules:
3.1 You can limit the number of IP addresses that your server will be allowed to connect to.

More info available here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html

Anton Zorin
  • The issue with point 2.1 remains the same. Say, for example, I have no idea which servers in the VPC are accessing the memcached service on port 23456; I don't know which security groups I need to add. Specifically, I need to know which servers are accessing my services so that I can add their security groups. How can I do that? – Aso'K Nov 08 '16 at 13:02
  • You can do that with VPC peering. Place your Memcached servers to a separate VPC and configure VPC peering. https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html – Anton Zorin Jan 09 '21 at 13:04
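Steps 2.1 and 2.2 of the answer above, as an added example that is not part of the question or either answer: it first audits a security group that is "open for all" (any port other than 80/443 reachable from 0.0.0.0/0 or ::/0), then builds the replacement inbound rules, 3306 from the web tier's security group and 22 from one admin address. The dicts follow the shape of the EC2 API's IpPermissions structure; the group IDs and admin address are constructed placeholders.

```python
# Added example: audit an "open to everyone" security group and build the
# group-to-group inbound rules from steps 2.1 and 2.2 of the answer above.
# Dicts use the EC2 IpPermissions shape; IDs and addresses are placeholders.

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
PUBLIC_OK = {80, 443}  # ports a public web tier legitimately serves to the world

def open_to_world(sg):
    """Return (protocol, from_port, to_port) for every inbound rule that is open
    to any address on a port outside PUBLIC_OK (or for all protocols)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(c in (ANY_V4, ANY_V6) for c in cidrs):
            continue
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if perm["IpProtocol"] == "-1" or not (lo == hi and lo in PUBLIC_OK):
            findings.append((perm["IpProtocol"], lo, hi))
    return findings

def ingress_from_sg(port, source_group_id, proto="tcp"):
    """Step 2.1: allow one port only from members of another security group."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}

def ingress_from_cidr(port, cidr, proto="tcp"):
    """Step 2.2: allow one port only from a single admin address or range."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample: the database tier's current group, open to everyone.
DB_SG_CURRENT = {
    "GroupId": "sg-PLACEHOLDER-db",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]},
    ],
}

def proposed_db_rules(web_sg_id="sg-PLACEHOLDER-web", admin_cidr="203.0.113.10/32"):
    """Replacement inbound rules for the database tier: 3306 only from the web
    tier's security group, 22 only from the administrator's address."""
    return [ingress_from_sg(3306, web_sg_id), ingress_from_cidr(22, admin_cidr)]

if __name__ == "__main__":
    print("open to the world:", open_to_world(DB_SG_CURRENT))
    print("proposed rules:", proposed_db_rules())
```

The list returned by proposed_db_rules is in the form the EC2 API accepts as IpPermissions when authorising ingress on the database group, after the world-open rules have been revoked.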