Your Porticor Appliance and the AWS Firewall
Each virtual server in the Amazon Cloud comes with a simple, built-in firewall. The firewall is configured using something called "security groups". Unfortunately, these security groups are the single biggest source of trouble for new users.
Before we continue, here is the most important point about security groups: you need to plan in advance. You cannot add a security group to an instance after it has been launched. You can change (reconfigure) an existing security group, but by then it is often too late.
Having put this behind us, the configuration of security groups for the Porticor appliance is really quite simple. You might want to skim the relevant section of the EC2 User Guide for a fuller understanding of security groups.
When you start an appliance with the Quick Launch wizard, your appliance is associated with two security groups: a security group generated by the wizard, and the account's Default security group.
The newly generated group simply allows incoming HTTPS (SSL-encrypted HTTP over port 443) and SSH, so that the appliance can be administered. This is what the administration security group looks like:
The source 0.0.0.0/0 simply means, "any IP address on the Internet".
The Default group is even more critical for the regular operation of the appliance: it allows any instance that belongs to the same group to access any port on the appliance. This is how your servers can mount encrypted disks!
Here is a screenshot of the Default group:
So here are some of your recommended options:
- The simplest one is to use the Quick Launch wizard which will associate the appliance with the Default group. Then, make sure that your server is also associated with the Default group.
- If you launch the appliance manually ("Advanced Launch"), make sure that the appliance is associated with the Default group. Also, don't forget to add a group that allows incoming HTTPS and SSH.
- A more complex (but more secure) option is to create a look-alike of the Default group, call it myNewSecGroup, and to associate both your server and the appliance with this myNewSecGroup. Again, don't forget the administration group.
- Another option is to create a look-alike of the Default group, call it myNewSecGroup, and associate it with the Porticor appliance only; when you define this group, enter in the "source" field (see the screenshot above) the name of a group that is already used by your servers (the "clients" of the Porticor appliance).
And what about more granular, port-level policies? We recommend you consider some of the disadvantages of such groups:
- If you open ports for 0.0.0.0/0, you are actually opening them to the Internet at large, whereas the alternatives above only open ports to servers inside your own account. The previous options are therefore more limited, and more secure, than such port-level policies.
- Since both NFS and CIFS (the Windows Share protocol) use dynamically allocated ports, you would need to configure carefully and "pin down" NFS and CIFS to the specific ports you use; otherwise you might end up with "partly working" network mounts.
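The following is an added example, not part of the original Porticor post and not Porticor's own tooling. It audits a set of security groups laid out in the shape of `aws ec2 describe-security-groups` output, checking two things discussed above: whether the servers can reach the appliance on every port through a Default-style group (either the Default group sourcing itself, or a look-alike such as myNewSecGroup sourcing the servers' group), and whether any port-level rule opens something other than the HTTPS/SSH administration ports to 0.0.0.0/0. The group data and ids (`sg-default0001`, `sg-servers001`, and so on) are constructed sample values, not from any real account.

```python
"""Audit EC2 security groups for the Porticor appliance access patterns described above.

Input is a list of groups in the shape returned by `aws ec2 describe-security-groups`
(GroupName, GroupId, IpPermissions[].IpProtocol/FromPort/ToPort/IpRanges/UserIdGroupPairs).
"""
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"          # "any IP address on the Internet"
ADMIN_PORTS = {22, 443}          # SSH and HTTPS: the only ports the administration group should expose

# Constructed sample data (not from a real account); group ids are placeholders.
SAMPLE_GROUPS: List[Dict] = [
    # The account's Default group: all traffic from any member of the same group
    {"GroupName": "default", "GroupId": "sg-default0001", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-default0001", "GroupName": "default"}]}]},
    # Wizard-style administration group: HTTPS and SSH from anywhere
    {"GroupName": "porticor-admin", "GroupId": "sg-admin00001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "UserIdGroupPairs": []}]},
    # Look-alike of Default whose source is the servers' own group (the last option above)
    {"GroupName": "myNewSecGroup", "GroupId": "sg-newsec0001", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-servers001", "GroupName": "app-servers"}]}]},
    # A port-level policy done badly: NFS opened to the whole Internet
    {"GroupName": "nfs-open", "GroupId": "sg-nfsopen001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "UserIdGroupPairs": []}]},
]


def port_range(perm: Dict) -> Tuple[int, int]:
    """Return (from, to) for a permission; protocol -1 ("all traffic") carries no port keys."""
    if perm["IpProtocol"] == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def internet_exposed_rules(groups: List[Dict]) -> List[Tuple[str, str, int, int]]:
    """Rules whose source is 0.0.0.0/0 on anything other than a single admin port.

    Returns (group name, protocol, from port, to port) for each such rule.
    """
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if not any(r["CidrIp"] == ANY_IPV4 for r in perm.get("IpRanges", [])):
                continue
            lo, hi = port_range(perm)
            if lo == hi and lo in ADMIN_PORTS:
                continue  # HTTPS/SSH administration access is expected
            findings.append((group["GroupName"], perm["IpProtocol"], lo, hi))
    return findings


def mount_path_groups(groups: List[Dict], appliance_group_ids: List[str],
                      server_group_ids: List[str]) -> List[str]:
    """Groups attached to the appliance that let the servers reach it on every port.

    A group qualifies when it has an all-traffic (-1) rule whose source is a group
    the servers belong to: the Default group sourcing itself, or a look-alike
    sourcing the servers' group. An empty result means the servers cannot mount
    the appliance's encrypted disks.
    """
    by_id = {g["GroupId"]: g for g in groups}
    servers = set(server_group_ids)
    qualifying = []
    for gid in appliance_group_ids:
        group = by_id.get(gid)
        if group is None:
            continue
        for perm in group["IpPermissions"]:
            if perm["IpProtocol"] != "-1":
                continue
            sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
            if sources & servers:
                qualifying.append(group["GroupName"])
                break
    return qualifying


if __name__ == "__main__":
    print("Exposed to the Internet:", internet_exposed_rules(SAMPLE_GROUPS))
    print("Quick Launch layout:",
          mount_path_groups(SAMPLE_GROUPS, ["sg-default0001", "sg-admin00001"], ["sg-default0001"]))
    print("Look-alike layout:",
          mount_path_groups(SAMPLE_GROUPS, ["sg-newsec0001", "sg-admin00001"], ["sg-servers001"]))
    print("Admin group only:",
          mount_path_groups(SAMPLE_GROUPS, ["sg-admin00001"], ["sg-default0001"]))
```

Against the sample, only the `nfs-open` rule is flagged as exposed to the Internet; the Quick Launch layout (appliance and servers both in Default) and the look-alike layout (myNewSecGroup sourcing `app-servers`) each yield one qualifying group, while an appliance carrying only the administration group yields none, which is exactly the "partly working" situation the options above are meant to avoid. To run this against real data, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from the CLI's JSON output.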
As always, for more help on these matters, please contact us.