
  • Effective DevOps with AWS
  • Yogesh Raheja Giuseppe Borgese Nathaniel Felsen
  • 465 characters
  • 2021-07-23 16:27:28

Security groups

Security groups work a bit like firewalls: each one is a stateful packet filter attached to an instance's network interface. Every EC2 instance has one or more security groups assigned to it, and each security group contains rules that allow traffic to flow inbound (ingress) and/or outbound (egress). Security group rules are allow-only: anything not explicitly allowed is dropped, and because the filter is stateful, return traffic for an allowed connection is accepted automatically.

For this exercise, we will create a small web application running on port tcp/3000. In addition, we want to be able to SSH into the instance, so we also need to allow inbound traffic to port tcp/22. We will create a simple security group to allow this, by performing the following steps:

  1. First, we need to find out our default virtual private cloud (VPC) ID. Despite being in a cloud environment, where the physical resources are shared by all AWS customers, there is still a strong emphasis on security. AWS segments its virtual infrastructure using the concept of a VPC. You can imagine this as a virtual datacenter with its own network. A security group belongs to exactly one VPC and is attached to the network interfaces of the instances it protects; subnets have a separate control of their own (network ACLs), which is why the group we create below needs a VPC ID rather than a subnet ID.

To identify our VPC ID, we can run the following command:

    $ aws ec2 describe-vpcs
{
    "Vpcs": [
        {
            "VpcId": "vpc-4cddce2a",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-3c313154",
                    "CidrBlock": "172.31.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "State": "available",
            "DhcpOptionsId": "dopt-c0be5fa6",
            "CidrBlock": "172.31.0.0/16",
            "IsDefault": true
        }
    ]
}
  2. Now that we know the VPC ID (yours will be different), we can create our new security group, as follows:
    $ aws ec2 create-security-group \
        --group-name HelloWorld \
        --description "Hello World Demo" \
        --vpc-id vpc-4cddce2a
{ "GroupId": "sg-01864b4c" }
  3. By default, security groups allow all outbound traffic from the instance. We just need to open up SSH (tcp/22) and tcp/3000 for inbound traffic. Note that addressing the group by --group-name only works in the default VPC; in any other VPC you must pass --group-id with the ID returned by the previous command. We then need to input the following:
    $ aws ec2 authorize-security-group-ingress \
        --group-name HelloWorld \
        --protocol tcp \
        --port 22 \
        --cidr 0.0.0.0/0
    
    $ aws ec2 authorize-security-group-ingress \
        --group-name HelloWorld \
        --protocol tcp \
        --port 3000 \
        --cidr 0.0.0.0/0  
  4. We can now verify the change, since the previous commands print little or nothing on success, using the following command:
    $ aws ec2 describe-security-groups \
        --group-names HelloWorld \
        --output text
SECURITYGROUPS  Hello World Demo  sg-01864b4c  HelloWorld  094507990803  vpc-4cddce2a
IPPERMISSIONS   22      tcp     22
IPRANGES        0.0.0.0/0
IPPERMISSIONS   3000    tcp     3000
IPRANGES        0.0.0.0/0
IPPERMISSIONSEGRESS     -1
IPRANGES        0.0.0.0/0

As expected, we opened up the traffic to the proper ports. The tcp/3000 rule has to stay open to the world, since that is the web application we want people to reach, but the SSH rule does not: replace 0.0.0.0/0 with your own public IP followed by /32 (a single host) so that only you can try to SSH into that EC2 instance. The address must be the one the internet sees you as, not the RFC 1918 address on your laptop's interface; `curl https://checkip.amazonaws.com` returns it. Remember to revoke the 0.0.0.0/0 rule after adding the narrower one, since security group rules only ever add permissions.

Using the aws cli --output option
By default, most commands return JSON output. The AWS CLI has a number of options that are available globally, and you will see some of them used in this chapter. The first option is --output [json | text | table]:
