Opening up ports to your security group on EC2

published Nov 18, 2011

Say you have a cluster of EC2 instances that you want to be able to talk to each other, but you don’t want everyone in the world to be able to join in on the conversation. For example, I was just setting up a typical cluster of servers:

  • A rails app server
  • A DB server
  • A daemon server
  • A DB slave

I want all of these servers to be able to talk to each other over port 3306 (the MySQL port), but I don’t want the whole world to be able to connect over port 3306.

You need two things:

  1. A security group
  2. Your EC2 user ID

Assuming you have the EC2 command line tools set up already, here’s how you would do it. This creates a group called yoursecuritygroup with ports 22 (SSH), 80 (HTTP) and 443 (HTTPS) open to the world, and with all other ports open only to other instances in the same security group.

$> ec2-create-group --description "yoursecuritygroup production" yoursecuritygroup
$> ec2-authorize yoursecuritygroup -p 22
$> ec2-authorize yoursecuritygroup -p 80
$> ec2-authorize yoursecuritygroup -p 443
$> ec2-authorize yoursecuritygroup -o yoursecuritygroup -u 1234-1234-1234

Replace 1234-1234-1234 with your own user ID. You can find it by going to https://aws-portal.amazon.com/gp/aws/developer/account?ie=UTF8&action=access-key and scrolling to the bottom: you want your AWS Account ID.
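Once the rules are in, it is worth checking that the group actually matches the intent above (22, 80 and 443 to the world, everything else only from the group itself) and that nothing like 3306 has been opened to 0.0.0.0/0 by accident. The following audit script is an added example, not code from the original post; it assumes the JSON shape returned by the modern AWS CLI command `aws ec2 describe-security-groups` rather than the ec2-api-tools output, and the sample document, group ID and account ID inside it are constructed placeholders. The set of ports allowed to be world-open is a parameter, so if you later narrow SSH to your own address range you can drop 22 from it.

```python
"""Audit EC2 security-group rules against the intent of the post:
ports 22/80/443 open to the world, everything else only from the same group.

Input is the JSON shape of `aws ec2 describe-security-groups` (modern AWS CLI).
The SAMPLE document below is constructed for this example; its IDs are placeholders.
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_WORLD_PORTS = {22, 80, 443}   # the ports the post deliberately opens

# Constructed sample: the group after the post's commands, plus one extra
# (mistaken) rule that opens MySQL to the world.
SAMPLE = json.dumps({
    "SecurityGroups": [{
        "GroupName": "yoursecuritygroup",
        "GroupId": "sg-0123456789abcdef0",   # placeholder group id
        "OwnerId": "123456789012",           # placeholder account id
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # self-referencing rule: all traffic from members of the same group
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                   "UserId": "123456789012"}]},
            # the mistake this audit should catch
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    }]
})


def ports_of(perm):
    """Set of ports a rule covers, or None when it is not port-based
    (protocol -1 = all traffic, or ICMP)."""
    if perm.get("IpProtocol") in ("-1", "icmp", "icmpv6"):
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit_group(group, allowed_world_ports=ALLOWED_WORLD_PORTS):
    """Return a list of findings (strings) for one security-group dict."""
    findings = []
    self_rule = False
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = ports_of(perm)
        # world-open rules: anything reachable from 0.0.0.0/0 or ::/0
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr not in WORLD:
                continue
            if ports is None:
                what = "all traffic" if proto == "-1" else proto
                findings.append("%s open to the world (%s)" % (what, cidr))
            else:
                for p in sorted(ports - allowed_world_ports):
                    findings.append("port %d/%s open to the world (%s)"
                                    % (p, proto, cidr))
        # the group-to-group rule that lets members talk to each other
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == group["GroupId"] and ports is None:
                self_rule = True
    if not self_rule:
        findings.append("no self-referencing rule: members cannot reach each other")
    return findings


def audit(describe_output_json):
    """Map GroupName -> findings for a describe-security-groups document."""
    doc = json.loads(describe_output_json)
    return {g["GroupName"]: audit_group(g) for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against live output with `aws ec2 describe-security-groups --group-names yoursecuritygroup` piped into `audit()`; an empty findings list means the group matches the policy described above.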

Now when you spin up your instances, make sure to start them in the yoursecuritygroup group using the --group argument:

ec2-run-instances --key your-key --group yoursecuritygroup --block-device-mapping /dev/sda1=:100:false --instance-initiated-shutdown-behavior stop --disable-api-termination --instance-type m1.small ami-a7f539ce

And you should be all set.
