AWS Security Groups

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.

Configuration

Warning

There is currently no automatically created SSH ingress rule for the CCME Private Security Group. You have to manually add an SSH rule to the ingress of the CCME Private Security Group.

Resources

Components attached to the Front Security Group:
  • Application Load Balancer

Components attached to the Private Security Group:
  • Management Host(s)

  • HeadNode

Components attached to the Compute Security Group:
  • Linux Compute Node(s)

  • Windows Compute Node(s)

CCME Front Security Group

The front security group is open to everyone. Whether it is actually reachable from the Internet depends on the configuration you use when deploying the Management Stack (variable application_load_balancer_scheme in deployment.ccme.conf, values: internet-facing or internal).

Resources concerned:
  • CCME Application Load Balancer

Default configuration

  • Egress:

    To: "0.0.0.0/0"
    Port(s): "ALL"
    
  • Ingress:

    From: "0.0.0.0/0"
    Port(s): "443"
    

CCME Private Security Group

The private security group does not accept external connections except from the compute security group and the front security group.

Resources concerned:
  • Management Host(s)

  • HeadNode

Default configuration

  • Egress:

    To: "0.0.0.0/0"
    Port(s): "ALL"
    
  • Ingress:

    From: "CCME Front Security Group"
    Port(s): "443, 8443"
    
    From: "CCME Private Security Group"
    Port(s): "ALL"
    
    From: "CCME Compute Security Group"
    Port(s): "ALL"
    

CCME Compute Security Group

The compute security group does not accept external connections except from the private security group and the front security group.

Resources concerned:
  • Linux Compute Node(s)

  • Windows Compute Node(s)

Default configuration

  • Egress:

    To: "0.0.0.0/0"
    Port(s): "ALL"
    
  • Ingress:

    From: "CCME Front Security Group"
    Port(s): "443, 8443"
    
    From: "CCME Private Security Group"
    Port(s): "ALL"
    
    From: "CCME Compute Security Group"
    Port(s): "ALL"
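
As an added example, not part of the CCME documentation or its deployment code, the following Python script audits the three security groups described above (front, private and compute) against the documented default ingress, and flags the missing SSH rule from the warning at the top of this page. It works on the record shape returned by `aws ec2 describe-security-groups` (boto3 `describe_security_groups()`), so it runs offline against captured JSON. The group ids, the sample groups and the interpretation of "authorized ssh rule" as an SSH rule whose source is outside the three CCME groups are all assumptions constructed for this example.

```python
"""Audit the CCME security groups against the ingress documented for them.

Input entries mirror the "SecurityGroups" records returned by
`aws ec2 describe-security-groups`. Everything under SAMPLE_* below is
constructed for this example; the ids are placeholders, not real groups.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

ANY = "0.0.0.0/0"
# Normalized rule: (source, protocol, from_port, to_port).
# AWS encodes "ALL" as protocol "-1" with no FromPort/ToPort.
Rule = Tuple[str, str, Optional[int], Optional[int]]


def normalize_ingress(group: dict) -> Set[Rule]:
    """Flatten one describe-security-groups entry into (source, proto, from, to) tuples."""
    rules: Set[Rule] = set()
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        for rng in perm.get("IpRanges", []):
            rules.add((rng["CidrIp"], proto, *ports))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.add((pair["GroupId"], proto, *ports))
    return rules


def documented_ingress(ids: Dict[str, str]) -> Dict[str, Set[Rule]]:
    """Default ingress per group role, exactly as the page documents it."""
    front, private, compute = ids["front"], ids["private"], ids["compute"]
    from_front = {(front, "tcp", 443, 443), (front, "tcp", 8443, 8443)}
    peers_all = {(private, "-1", None, None), (compute, "-1", None, None)}
    return {
        "front": {(ANY, "tcp", 443, 443)},
        "private": from_front | peers_all,
        "compute": from_front | peers_all,
    }


def ssh_from_outside(group: dict, ccme_ids: Iterable[str]) -> bool:
    """True if some rule reaches tcp/22 from a source other than the CCME groups themselves."""
    internal = set(ccme_ids)
    for src, proto, lo, hi in normalize_ingress(group):
        covers_22 = proto == "-1" or (proto == "tcp" and lo <= 22 <= hi)
        if src not in internal and covers_22:
            return True
    return False


def audit(groups: Dict[str, dict], ids: Dict[str, str]) -> List[str]:
    """Findings: documented rules that are missing, world-open rules the page does not
    document, and (per the warning) no SSH ingress on the private group."""
    findings: List[str] = []
    expected = documented_ingress(ids)
    for role, group in groups.items():
        actual = normalize_ingress(group)
        for rule in sorted(expected[role] - actual, key=str):
            findings.append(f"{role}: missing documented ingress {rule}")
        for src, proto, lo, hi in sorted(actual - expected[role], key=str):
            # Only front:443 is documented as reachable from 0.0.0.0/0.
            if src == ANY:
                findings.append(f"{role}: unexpected world-open ingress {proto} {lo}-{hi}")
    if not ssh_from_outside(groups["private"], ids.values()):
        findings.append("private: no SSH (tcp/22) ingress from outside the CCME groups (see warning)")
    return findings


def ssh_ingress_permission(source: str) -> dict:
    """IpPermissions entry granting tcp/22 from a CIDR or another group, in the shape
    boto3's ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...]) accepts."""
    perm: dict = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
    if source.startswith("sg-"):
        perm["UserIdGroupPairs"] = [{"GroupId": source}]
    else:
        perm["IpRanges"] = [{"CidrIp": source}]
    return perm


# Constructed placeholders and sample records (assumption: not a real deployment).
SAMPLE_IDS = {"front": "sg-front", "private": "sg-private", "compute": "sg-compute"}
_FROM_FRONT = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-front"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "UserIdGroupPairs": [{"GroupId": "sg-front"}]},
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-private"}, {"GroupId": "sg-compute"}]},
]
SAMPLE_GROUPS = {
    "front": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]}]},
    "private": {"IpPermissions": list(_FROM_FRONT)},
    # Constructed drift: an RDP rule opened to the world on the compute group.
    "compute": {"IpPermissions": _FROM_FRONT + [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": ANY}]}]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, SAMPLE_IDS):
        print(finding)
```

The audit deliberately compares against the page's defaults rather than against a generic "no 0.0.0.0/0" rule, so the documented front:443 opening is accepted while any other world-open port is reported; `ssh_ingress_permission` builds the payload an operator would pass to `authorize_security_group_ingress` to resolve the warning, with the source CIDR or group left for the operator to choose.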