Examples
We illustrate the use of the AmazonĀ EC2 firewall in the following two examples. Note that we use the command line tools throughout the examples. The same results can be achieved using the SOAP API.
-
Albert launches a copy of his favourite public AMI
$ec2-run-instances ami-eca54085 RESERVATION r-01927768 598916040194 INSTANCE i-cfd732a6 ami-eca54085 pending 0 -
After a little wait for image launch to complete, Albert, who is a cautious type, checks the access rules of the default group
$ec2-describe-group default GROUP 598916040194 default default group PERMISSION default ALLOWS all FROM USER 598916040194 GRPNAME defaultand notices that it only accepts ingress network connections from other members of the default group for all protocols and ports.
-
Albert, being paranoid as well as cautious, port scans his instance
$nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST All 100 scanned ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116) are: filtered Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds -
Albert decides he should be able to SSH into his instance, but only from his own machine
$ec2-authorize default -P tcp -p 22 -s 192.168.1.130/32 GROUP default PERMISSION default ALLOWS tcp 22 22 FROM CIDR 192.168.1.130/32 -
Repeating the port scan
$nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST Interesting ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116): (The 99 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 22/tcp open ssh Nmap finished: 1 IP address (1 host up) scanned in 32.705 secondsAlbert is happy (or at least less paranoid).
Mary wishes to deploy her public, fault tolerant, three tier web service in AmazonĀ EC2. Her grand plan is to have her web tier start off executing in seven instances of ami-fba54092, her application tier executing in twenty instances of ami-e3a5408a, and her multi-master database in two instances of ami-f1a54098. She's concerned that nasty people might gain access to her subscriber database, so she wants to restrict network access to her middle and back tier machines. When the traffic to her site increases over the holiday shopping period, she adds additional instances to her web and application tiers to handle the extra load.
-
First she creates a group for her Apache web server instances and allows HTTP access to the world
$ec2-add-group apache -d "Mary's Apache group" GROUP apache Mary's Apache group$ec2-describe-group apache GROUP 598916040194 apache Mary's Apache group$ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0 GROUP apache PERMISSION apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0$ec2-describe-group apache GROUP 598916040194 apache Mary's Apache group PERMISSION 598916040194 apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0She then launches seven instances of her web server AMI as members of this group
$ec2run ami-fba54092 -n 7 -g apache RESERVATION r-01927768 598916040194 INSTANCE i-cfd732a6 ami-fba54092 pending ...$ec2din i-cfd732a6 RESERVATION r-0592776c 598916040194 INSTANCE i-cfd732a6 ami-fba54092 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com running ...Having studied at the same school of paranoia as Albert, Mary does a port scan to confirm the permissions she just configured
$nmap -P0 -p1-100 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST Interesting ports on domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20): (The 99 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 80/tcp open http Nmap finished: 1 IP address (1 host up) scanned in 33.409 secondsAnd then she tests to make sure her web server is contactable
$telnet domU-12-31-33-00-04-16.usma1.compute.amazonaws.com 80 Trying 216.182.231.20... Connected to domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20). Escape character is '^]'.Excellent!
-
She now creates a separate group for her application server
$ec2-add-group appserver -d "Mary's app server" GROUP appserver Mary's app serverthen starts twenty instances as members of this group
$ec2run ami-e3a5408a -n 20 -g appserverand grants network access between her web server group and the application server group
$ec2-authorize appserver -o apache -u 598916040194 GROUP appserver PERMISSION appserver ALLOWS all FROM USER 598916040194 GRPNAME apacheShe checks to ensure access to her app server is indeed restricted by port scanning one of the app servers
$nmap -P0 -p1-100 domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST All 100 scanned ports on domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com (216.182.228.12) are: filtered Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds -
To confirm that her web servers have access to her application servers she needs to do a little extra work...
-
She (temporarily) grants SSH access from her workstation to the web server group
$ec2-authorize apache -P tcp -p 22 -s 192.168.1.130/32 -
She logs in to one of her web servers and connects to an application server on TCP port 8080
$telnet domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com 8080 Trying 216.182.228.12... Connected to domU-12-31-33-00-03-D1 .usma1.compute.amazonaws.com (216.182.228.12). Escape character is '^]' -
Satisfied with the setup, she revokes SSH access to the web server group
$ec2-revoke apache -P tcp -p 22 -s 192.168.1.130/32
-
Creating the group for database servers and granting access to them from the application server group is left as an exercise for the reader ;-)