- EC2 instance
- running applications e.g. web server
- running as DNS server
- RDS - Database server
- EFS file system
- Elastic Load Balancer
- VPC peering rules
Security groups are VPC-specific (and therefore region-specific). They can only be used within the VPC in which they are created. The exception is a peering connection to another VPC, in which case they can be referenced from the peered VPC.
For Security Group we can set:
- Name
- Description
- VPC. A VPC is region-specific, so the security group is too.
- Inbound rules
- Outbound rules
- Type. The protocol to open to network traffic. You can choose a common protocol, such as SSH (for a Linux instance), RDP (for a Windows instance), and HTTP and HTTPS to allow Internet traffic to reach your instance. You can also manually enter a custom port or port ranges.
- Protocol. The type of protocol, for example TCP or UDP. Provides an additional selection for ICMP.
- Port range. For custom rules and protocols, you can manually enter a port number or a port range.
- Source. Determines the traffic that can reach your instance. Specify a single IP address, or an IP address range in CIDR notation (for example, 203.0.113.5/32). If connecting from behind a firewall, you'll need the IP address range used by the client computers. You can specify the name or ID of another security group in the same region. To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup.
- Description. A description for a security group rule. It can be up to 255 characters long; allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*.
Example: we have a Node.js application that receives traffic on port 8080, only from a Load Balancer in the same VPC. This means we need to create an Inbound rule:
- Type: Custom TCP
- Protocol: TCP
- Port range: 8080
- Source: Custom; CIDR block: 172.0.0.0/16 (in our example we are using a default VPC, so we enter its private IP address block here, allowing access only from the private network)
Terraform Security Group resource
aws_security_group | Resources | hashicorp/aws | Terraform Registry
Terraform Security Group Rule resource
It represents a single ingress or egress group rule, which can be added to external Security Groups:
aws_security_group_rule | Resources | hashicorp/aws | Terraform Registry
Required arguments:
- from_port: start port
- to_port: end port
- protocol: one of
  - icmp
  - icmpv6
  - tcp
  - udp
  - all
- security_group_id: the security group to apply this rule to.
- type:
  - ingress (inbound)
  - egress (outbound)
- self: whether the security group itself will be added as a source to this ingress rule.
- source_security_group_id: the security group ID to allow access to/from, depending on the type.
- ...
Because the security group rule gets attached to the security group, we need to instruct Terraform to provision the rule after the security group. We do this with the depends_on meta-argument:

```hcl
# SSH ingress rule attached to the my_ec2_sg security group
resource "aws_security_group_rule" "my_ec2_ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.ssh_ip_range   # list of CIDR blocks allowed to reach port 22
  security_group_id = aws_security_group.my_ec2_sg.id
  depends_on        = [aws_security_group.my_ec2_sg]
}
```
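The Node.js example above and the Terraform rule resource, combined into one added example (not code from the original post): port 8080 on the application instances is opened to the load balancer's security group rather than to the whole VPC CIDR. The resource names lb_sg and app_sg and the variable var.vpc_id are assumed.

```hcl
# Added example, not from the original post. Assumes var.vpc_id is declared.
# Load balancer security group: HTTPS from the Internet.
resource "aws_security_group" "lb_sg" {
  name        = "lb-sg"
  description = "Load balancer: HTTPS from anywhere"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "lb_https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.lb_sg.id
}

# Application security group. Terraform removes the allow-all egress rule
# AWS adds by default; replies to allowed inbound traffic still flow because
# security groups are stateful.
resource "aws_security_group" "app_sg" {
  name        = "app-sg"
  description = "Node.js app: port 8080 from the load balancer only"
  vpc_id      = var.vpc_id
}

# Source is the LB's security group rather than the VPC CIDR, so only the
# load balancer (not every host in the VPC) can reach port 8080.
resource "aws_security_group_rule" "app_8080_from_lb" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lb_sg.id
  security_group_id        = aws_security_group.app_sg.id
}

# For an egress rule, source_security_group_id names the destination:
# the LB may open connections only to port 8080 on the app group.
resource "aws_security_group_rule" "lb_8080_out" {
  type                     = "egress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app_sg.id
  security_group_id        = aws_security_group.lb_sg.id
}
```

Referencing the security group reference in security_group_id already makes Terraform create the group before the rule, so depends_on is not needed here.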
Resources:
Security group rules for different use cases - Amazon Elastic Compute Cloud