Security group

Security groups work a bit like firewalls. All EC2 instances have a set of security groups assigned to them. Each security group contains rules to allow traffic to flow inbound (ingress) and/or outbound (egress).

For this exercise, we will create a small web application running on port tcp/3000. In addition, we want to be able to ssh into the instance, so we also need to allow inbound traffic to port tcp/22. We will create a simple security group to allow this, using the following steps:

  1. First, we need to find out our default Virtual Private Cloud (VPC) ID. Despite being in a cloud environment, where the physical resources are shared by all AWS customers, there is still a strong emphasis on security. AWS segmented their virtual infrastructure using the concept of a VPC; you can imagine it as a virtual data center with its own network. The security groups that protect our EC2 instances are tied to subnets, which in turn are tied to the network that the VPC provides:

To identify our VPC ID, we can run the following command:

$ aws ec2 describe-vpcs
{
    "Vpcs": [
        {
            "VpcId": "vpc-f7dc4093",
            "InstanceTenancy": "default",
            "State": "available",
            "DhcpOptionsId": "dopt-0be0426e",
            "CidrBlock": "172.31.0.0/16",
            "IsDefault": true
        }
    ]
}
  2. Now that we know the VPC ID (yours will be different), we can create our new security group, as follows:
$ aws ec2 create-security-group \
    --group-name HelloWorld \
    --description "Hello World Demo" \
    --vpc-id vpc-f7dc4093
{
    "GroupId": "sg-11d4fe68"
}
  3. By default, security groups allow all outbound traffic from the instance; we just need to open up ssh (tcp/22) and tcp/3000 for inbound traffic, as follows:
$ aws ec2 authorize-security-group-ingress \
    --group-name HelloWorld \
    --protocol tcp \
    --port 22 \
    --cidr 0.0.0.0/0

$ aws ec2 authorize-security-group-ingress \
    --group-name HelloWorld \
    --protocol tcp \
    --port 3000 \
    --cidr 0.0.0.0/0
  4. Since the previous commands aren't verbose, we can verify the change with the following command:
$ aws ec2 describe-security-groups \
    --group-names HelloWorld \
    --output text
SECURITYGROUPS	Hello World Demo	sg-11d4fe68	HelloWorld	511912822959	vpc-f7dc4093
IPPERMISSIONS	22	tcp	22
IPRANGES	0.0.0.0/0
IPPERMISSIONS	3000	tcp	3000
IPRANGES	0.0.0.0/0
IPPERMISSIONSEGRESS	-1
IPRANGES	0.0.0.0/0

As expected, we opened up inbound traffic to the proper ports. If you know how to find out your public IP, you can tighten the ssh rule by replacing 0.0.0.0/0 with your-ip/32, so that only you can try to ssh into that EC2 instance; port 3000 stays open to the world, since that is where the web application is served.
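To catch the case the previous paragraph warns about (an administrative port such as ssh reachable from 0.0.0.0/0), the following added audit script, which is not part of the original book, walks the JSON that `aws ec2 describe-security-groups` returns and reports every admin port exposed to the whole internet. The sample document is constructed here from the HelloWorld group above; the port list and the `--stdin` flag are assumptions of this example.

```python
import ipaddress
import json
import sys

# Constructed sample in the shape "aws ec2 describe-security-groups" returns
# (IDs taken from the HelloWorld group created above).
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupName": "HelloWorld", "GroupId": "sg-11d4fe68", "VpcId": "vpc-f7dc4093",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ],
  "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
}]}
""")

# Assumed policy for this example: ssh and RDP must never be open to the world.
ADMIN_PORTS = {22, 3389}

def rule_covers_port(rule, port):
    """True if an ingress rule matches `port`; protocol -1 carries no port range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_ranges(rule):
    """CIDRs in a rule that cover the whole internet (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c).prefixlen == 0]

def audit(doc, ports=ADMIN_PORTS):
    """Return (group_id, port, cidr) for every admin port reachable from anywhere."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            for port in sorted(ports):
                if rule_covers_port(rule, port):
                    for cidr in world_open_ranges(rule):
                        findings.append((sg["GroupId"], port, cidr))
    return findings

if __name__ == "__main__":
    # "--stdin" reads real CLI output: aws ec2 describe-security-groups | python3 audit_sg.py --stdin
    doc = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for gid, port, cidr in audit(doc):
        print(f"{gid}: port {port} open to {cidr}; restrict it to your-ip/32")
```

Run against the sample it reports only the ssh rule; the tcp/3000 rule is deliberately left alone because the web application is meant to be public.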

Using the aws cli --output option
By default, most of the commands return JSON output. Structured output like JSON is ideal for machine processing but is sometimes hard for humans to read. The AWS CLI has a number of options that are available globally; you will see some of them used in this chapter. The first option is --output [json | text | table]: