Monday, March 24, 2008

Elastic Servers and Amazon EC2 Security Groups

If you have accessed the Elastic Server Manager which runs on port 2999 in each virtual machine we create, then you have probably noticed the Firewall tab.

Each Elastic Server comes with a built-in firewall which can be administered via the management UI or its web services. The Firewall tab can be used to manage the ports used by your server.

Some components have their default firewall ports already set in the Firewall tab. That is because someone (most likely us at the moment) has implemented what we call a "firewall rubberband" for that component. The whole topic of using "rubberbands" to snap things into Elastic Servers will be documented more fully in an upcoming post.

Regardless of what the specific server's firewall is doing - when using EC2 - you need to be aware of the Security Group, which controls Amazon's firewall and access to your running EC2 image. Currently, we DO NOT coordinate the firewall settings of your VM with the Amazon Security Group (although it is on our roadmap). In order to access some of your services you may have to manually configure the Amazon Security Group.

Here is an example:

Suppose I build a Shindig OpenSocial server via Elastic Server On-Demand using my Amazon EC2 credentials. When I attempt to access my sample gadgets I can't get a connection via:

http://amazon-public-dns-name:8180/gadgets/files/container/sample1.html

where my Amazon public DNS name is something like: ec2-72-44-51-65.z-1.compute-1.amazonaws.com

and 8180 is my Tomcat port.

The reason is that even though my VM's firewall is accepting traffic on the Tomcat port, the Amazon firewall for my image is not.

To correct this I use the Firefox plugin for EC2 called "EC2 UI". After configuring the plugin with my credentials it lists the Public and Private AMIs I have access to. In the picture below you can see that I have launched an AMI called "pat-dig". You also can see that it has been launched in the "pat-dig" group.


To change the port settings in the security group I click on the Security Groups tab. In the picture below you see the result: the port settings for the pat-dig security group. Port 8180 is not one of them. The ports you see are the default port settings we use when making an AMI through our service.

In the bottom third of the screen you see the Group Permissions. To add the port 8180 permissions for Tomcat, click on the green circle with the checkmark in it. This will pop up the UI box below, where you enter the rule that inbound traffic on port 8180 should be delivered to the VM instance on port 8180.


After entering 8180 as the "from" and "to" ports, I click on add, which results in the refreshed display of the Security Group below.


I can now access my Shindig container running under Tomcat!
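Because the VM firewall and the Security Group are not coordinated, it helps to compare the two before hunting for a connection problem. The script below is an added example, not part of this post or the Elastic Server tooling: it takes a constructed sample in the shape of an EC2 DescribeSecurityGroups result (group name, ports and CIDRs are made up) plus the TCP ports the Firewall tab shows as open, reports the ports the Security Group would still block, and shows the effect of adding the 8180 rule scoped to a single source range instead of the whole internet.

```python
"""Report ports the VM firewall allows that the EC2 security group does not."""
from __future__ import annotations

# Constructed sample: the "pat-dig" group before port 8180 was added.
# Shape follows the EC2 DescribeSecurityGroups API; values are made up.
SAMPLE_GROUP = {
    "GroupName": "pat-dig",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 2999, "ToPort": 2999,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: TCP ports the Elastic Server Firewall tab lists as open.
VM_FIREWALL_PORTS = [22, 2999, 8180]


def sg_allows_tcp(group: dict, port: int) -> bool:
    """True if any ingress rule in the group covers TCP `port`."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":          # "-1" means all protocols, all ports
            return True
        if proto != "tcp":
            continue
        if perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1):
            return True
    return False


def unreachable_ports(group: dict, vm_ports: list[int]) -> list[int]:
    """Ports open on the VM firewall but still blocked by the security group."""
    return sorted(p for p in vm_ports if not sg_allows_tcp(group, p))


def add_tcp_rule(group: dict, port: int, cidr: str) -> dict:
    """Return a copy of the group with one more ingress rule (what the EC2 UI
    'add' button does), limited to the source range `cidr`."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}
    return {**group, "IpPermissions": group["IpPermissions"] + [rule]}


if __name__ == "__main__":
    print("blocked by security group:", unreachable_ports(SAMPLE_GROUP, VM_FIREWALL_PORTS))
    fixed = add_tcp_rule(SAMPLE_GROUP, 8180, "203.0.113.0/24")  # constructed office range
    print("after adding 8180:", unreachable_ports(fixed, VM_FIREWALL_PORTS))
```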
