Opening up ports to your security group on EC2
published Nov 18, 2011
Say you have a cluster of EC2 instances that you want to be able to talk to each other, but you don’t want everyone in the world to be able to join in on the conversation. For example, I was just setting up a typical cluster of servers:
- A rails app server
- A DB server
- A daemon server
- A DB slave
I want all of these servers to be able to talk to each other over port 3306 (the MySQL port), but I don’t want the whole world to be able to connect over port 3306.
You need two things:
- A security group
- Your EC2 user id.
Assuming you have your ec2 command line tools set up already, here’s how you would do it. This will create a group called yoursecuritygroup with ports 22 (ssh), 80 (http) and 443 (https) open to the world, but with all other ports only open to other instances in the same security group.
$> ec2-create-group --description "yoursecuritygroup production" yoursecuritygroup
$> ec2-authorize yoursecuritygroup -p 22
$> ec2-authorize yoursecuritygroup -p 80
$> ec2-authorize yoursecuritygroup -p 443
$> ec2-authorize yoursecuritygroup -o yoursecuritygroup -u 1234-1234-1234
Replace 1234-1234-1234 with your own user id. You can find it by going to https://aws-portal.amazon.com/gp/aws/developer/account?ie=UTF8&action=access-key and scrolling to the bottom: you want your AWS Account ID.
Now when you spin up your instances, make sure to start them in the yoursecuritygroup group using the --group argument:
ec2-run-instances --key your-key --group yoursecuritygroup --block-device-mapping /dev/sda1=:100:false --instance-initiated-shutdown-behavior stop --disable-api-termination --instance-type m1.small ami-a7f539ce
And you should be all set.
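To make the rule set above easier to review before applying it, here is a small dry-run planner. It is an added example, not part of the original post or of the ec2 tools themselves: it prints the ec2-create-group and ec2-authorize commands it would run instead of executing them, checks that the account id has the shape of an AWS Account ID, and refuses to emit a world-open rule for any port that is not on the short allow list, so a typo cannot accidentally expose 3306. It assumes the command names and flags the post uses (-p, -o, -u) and that a port rule with no source group defaults to 0.0.0.0/0, as the post describes; the group name and account id are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: plan the security-group rules
# described above and print them for review instead of running them.
# Assumed: ec2-api-tools flags as used in the post (-p port, -o source group,
# -u source group's account); "-p N" with no source group means 0.0.0.0/0.

GROUP="yoursecuritygroup"
ACCOUNT_ID="1234-1234-1234"   # placeholder from the post; put your AWS Account ID here
WORLD_PORTS="22 80 443"       # the only ports that may ever be opened to the world

# Return 0 if $1 looks like an AWS account id (12 digits, with or without 4-4-4 hyphens).
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) return 0 ;;
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if port $1 is on the world-open allow list.
world_allowed() {
  for p in $WORLD_PORTS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Print the command that opens port $1 to the world, or fail if $1 is not allowed.
world_rule() {
  world_allowed "$1" || { echo "refusing to open port $1 to the world" >&2; return 1; }
  printf 'ec2-authorize %s -p %s\n' "$GROUP" "$1"
}

# Print the intra-group rule: every port, but only from instances that are in
# the same group under ACCOUNT_ID. This is what lets the cluster reach 3306.
group_rule() {
  valid_account_id "$ACCOUNT_ID" || { echo "bad account id: $ACCOUNT_ID" >&2; return 1; }
  printf 'ec2-authorize %s -o %s -u %s\n' "$GROUP" "$GROUP" "$ACCOUNT_ID"
}

# Print the whole plan. Once the output looks right, pipe it into sh to apply it.
plan() {
  printf 'ec2-create-group --description "%s production" %s\n' "$GROUP" "$GROUP"
  for port in $WORLD_PORTS; do
    world_rule "$port" || return 1
  done
  group_rule
}

# Count the rules in a plan (read on stdin) that are open to the world, i.e.
# that name a port but no source group. A last look before applying.
count_world_open() {
  grep 'ec2-authorize' | grep -- ' -p ' | grep -vc -- ' -o '
}

plan
```

Running the script prints the five commands; `plan | count_world_open` should report exactly three (22, 80 and 443). If you would rather the cluster members only reach each other on MySQL instead of on every port, add `-p 3306` to the group rule; it still carries no world-facing source, so 3306 stays closed to everyone outside the group.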