By default, all ports are closed in EC2 until a user opens them up. I would like to keep this behavior but also open up all ports for internal usage (that is, EC2 nodes can communicate with each other on any port but not with the outside world).
The documentation on EC2 security groups does not specify if this is the default behavior or how one would go about doing this. The command line tools provide a way to do this but only if I make each node its own security group and then allow only the groups to talk to each other.
Do you know how I would be able to use the EC2 tools to allow all traffic between nodes in EC2 (or documentation that could help)?
Answer
After spawning up some nodes and testing it out myself, the behavior is as follows.
The security group's ports start off all closed, and the ec2-authorized command opens up a given port or range of ports. Then, any box can connect to any box in that security group on that port. This also means that any box in the security group can only connect to other boxes in the same security group on open ports in the security group.
To solve the problem as originally specified, I simply opened all ports in the security group to ensure my nodes can talk to each other on any port and then used iptables to lock down access from the outside world to my boxes except on the few ports that are needed.
No comments:
Post a Comment