AWS Security Groups

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.


Configuration

Warning

By default, the CCME solution does not allow any external access. To allow SSH and HTTPS from your network CIDR, set the following parameters:

  • AlbIngressCidrBlock for HTTPS (port 443) to the CCME Front Security Group ingress.

  • NetworkIngressSecurityGroupsSshCidrBlock for SSH (port 22) to the CCME:

    • Management Security Group ingress.

    • HeadNodes Security Group ingress.

Each parameter takes a single CIDR. If a security group must accept more than one CIDR, add the additional CIDRs to that security group manually. Keep every range as narrow as possible: a value of 0.0.0.0/0 opens the port to anything that can reach the VPC, not only to your network.
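The following Python is an added example (the editor's illustration, not CCME's own tooling) of adding extra SSH source ranges to one of the security groups. It builds the IpPermissions structure that boto3 and the AWS CLI accept and rejects world-open or malformed ranges before anything is sent to AWS. The group ID, the rule description and the use of boto3 are assumptions; the real group IDs come from your CCME stack outputs.

```python
"""Authorise additional SSH source CIDRs on a CCME security group.

Added example, not CCME tooling. The CCME parameters take one CIDR each, so
further source networks have to be authorised on the security group itself.
This builds the IpPermissions structure that boto3 and the AWS CLI accept and
rejects world-open or malformed ranges before anything is sent to AWS.
"""
import ipaddress
from typing import Dict, List

SSH_PORT = 22


def validate_source_cidr(cidr: str) -> str:
    """Return the normalised CIDR, or raise ValueError if it is unsafe/invalid."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: no host bits set
    except ValueError as exc:
        raise ValueError(f"invalid CIDR {cidr!r}: {exc}") from exc
    if net.prefixlen == 0:
        # 0.0.0.0/0 or ::/0 would expose SSH to the whole Internet.
        raise ValueError(f"refusing world-open source range {cidr!r}")
    return str(net)


def is_safe_source_cidr(cidr: str) -> bool:
    """Boolean form of validate_source_cidr for pre-flight checks."""
    try:
        validate_source_cidr(cidr)
    except ValueError:
        return False
    return True


def ssh_ingress_permissions(cidrs: List[str], description: str) -> List[Dict]:
    """Build the IpPermissions list for authorize_security_group_ingress.

    IPv4 ranges go into IpRanges and IPv6 ranges into Ipv6Ranges, which is the
    shape both boto3 and `aws ec2 authorize-security-group-ingress` expect.
    """
    ipv4, ipv6 = [], []
    for cidr in cidrs:
        normalised = validate_source_cidr(cidr)
        if ":" in normalised:
            ipv6.append({"CidrIpv6": normalised, "Description": description})
        else:
            ipv4.append({"CidrIp": normalised, "Description": description})
    permission: Dict = {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT}
    if ipv4:
        permission["IpRanges"] = ipv4
    if ipv6:
        permission["Ipv6Ranges"] = ipv6
    return [permission]


def authorize_ssh_sources(group_id: str, cidrs: List[str], description: str,
                          dry_run: bool = True) -> List[Dict]:
    """Authorise the CIDRs on `group_id`; returns the permissions that were sent.

    Assumes boto3 is installed and credentials/region are configured. With
    dry_run=True EC2 only checks that the call is permitted and answers with a
    DryRunOperation error, which is treated as success here; switch to
    dry_run=False once the printed permissions look right.
    """
    import boto3
    from botocore.exceptions import ClientError

    permissions = ssh_ingress_permissions(cidrs, description)
    ec2 = boto3.client("ec2")
    try:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=permissions, DryRun=dry_run)
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "DryRunOperation":
            raise
    return permissions


if __name__ == "__main__":
    # "sg-0123456789abcdef0" below is a placeholder: use the ID of the CCME
    # Management or HeadNodes group from your stack outputs.
    print(ssh_ingress_permissions(["10.20.0.0/16", "2001:db8:1::/48"], "site B admins"))
    # authorize_ssh_sources("sg-0123456789abcdef0", ["10.20.0.0/16"], "site B admins")
```

The list returned by ssh_ingress_permissions is the same structure the --ip-permissions option of aws ec2 authorize-security-group-ingress takes, so the validation can sit in front of either path. Remember that security group rules are additive: adding a second CIDR never narrows the one set through the parameter, so review the resulting rule set after each manual change.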

Resources

Components attached to the Front Security Group:

  • Application Load Balancer

Components attached to the Services Security Group:

  • DCV Proxy Instance(s)

Components attached to the Management Security Group:

  • Management Host(s)

Components attached to the HeadNodes Security Group:

  • Head Node(s)

Components attached to the LoginNodes Security Group:

  • Network Load Balancer(s)

  • Login Node(s)

Components attached to the Compute Security Group:

  • Linux Compute Node(s)

  • Windows Compute Node(s)

CCME Front Security Group

The Front security group accepts external connections from:

  • Optional parameter: AlbIngressCidrBlock.

Whether the load balancer is reachable from the Internet depends on the configuration used when deploying the Management Stack (variable application_load_balancer_scheme in deployment.ccme.conf, values: internet-facing or internal). With an internet-facing scheme, AlbIngressCidrBlock is the only restriction on port 443, so a value of 0.0.0.0/0 exposes the load balancer to the whole Internet; with an internal scheme it is only reachable from the VPC and the networks connected to it.

Resources concerned:

  • CCME Application Load Balancer

Default configuration

  • Egress:

    • To: "0.0.0.0/0", Port(s): "ALL"

  • Ingress:

    • From: ``AlbIngressCidrBlock``, Port(s): "443"

CCME Services Security Group

The Services security group accepts external connections from:

  • Front security group.

  • Management security group.

Resources concerned:

  • CCME DCV Proxy Instance(s)

Default configuration

  • Egress:

    • To: "0.0.0.0/0", Port(s): "ALL"

  • Ingress:

    • From: "CCME Management Security Group", Port(s): "22"

    • From: "CCME Front Security Group", Port(s): "9443"

CCME Management Security Group

The Management security group accepts external connections from:

  • Optional parameter: NetworkIngressSecurityGroupsSshCidrBlock.

Resources concerned:

  • Management Host(s)

Default configuration

  • Egress:

    • To: "0.0.0.0/0", Port(s): "ALL"

  • Ingress:

    • From: ``NetworkIngressSecurityGroupsSshCidrBlock``, Port(s): "22"

    • From: "CCME Management Security Group", Port(s): "ALL"

CCME HeadNodes Security Group

The HeadNodes security group accepts external connections from:

  • Front security group.

  • Services security group.

  • Management security group.

  • LoginNodes security group.

  • ComputeNodes security group.

  • Optional parameter: NetworkIngressSecurityGroupsSshCidrBlock.

Resources concerned:

  • Head Node(s)

Default configuration

  • Egress:

    • To: "0.0.0.0/0", Port(s): "ALL"

  • Ingress:

    • From: "CCME Front Security Group", Port(s): "18443"

    • From: "CCME Services Security Group", Port(s): "8443"

    • From: "CCME Management Security Group", Port(s): "22"

    • From: "CCME HeadNodes Security Group", Port(s): "ALL"

    • From: "CCME Compute Security Group", Port(s): "ALL"

CCME ComputeNodes Security Group

The ComputeNodes security group accepts external connections from:

  • Services security group.

  • Management security group.

  • HeadNodes security group.

Resources concerned:

  • Linux Compute Node(s)

  • Windows Compute Node(s)

Default configuration

  • Egress:

    • To: "0.0.0.0/0", Port(s): "ALL"

  • Ingress:

    • From: "CCME Services Security Group", Port(s): "8443"

    • From: "CCME Management Security Group", Port(s): "22"

    • From: "CCME HeadNodes Security Group", Port(s): "ALL"

    • From: "CCME Compute Security Group", Port(s): "ALL"

CCME LoginNodes Security Group

The LoginNodes security group accepts external connections from:

  • Management security group.

  • HeadNodes security group.

  • ComputeNodes security group.

  • Optional parameter: NetworkSecurityGroupLoginNodesIngressSshCidrBlock.

Resources concerned:

  • Network Load Balancer(s)

  • Login Node(s)

Default configuration

  • Egress:

    • To: "0.0.0.0/0", Port(s): "ALL"

  • Ingress:

    • From: "CCME Management Security Group", Port(s): "22"

    • From: "CCME HeadNodes Security Group", Port(s): "ALL"

    • From: "CCME ComputeNodes Security Group", Port(s): "ALL"

    • From: ``NetworkSecurityGroupLoginNodesIngressSshCidrBlock``, Port(s): "22"
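The default configurations above are the baseline a deployment should be checked against. The following Python is an added example (the editor's, not CCME tooling) that audits the SecurityGroups list returned by aws ec2 describe-security-groups against that baseline: it reports ingress rules reachable from anywhere, documented rules that are missing, and rules the baseline does not document, which is where manually added CIDRs surface for review. The group IDs, the GroupId-to-name map, the parameter values and the sample describe output are all constructed for the example; egress, which the tables leave fully open, is not audited here.

```python
"""Audit deployed CCME security groups against the documented default ingress.

Added example, not CCME tooling. Input is the `SecurityGroups` list from
`aws ec2 describe-security-groups`, a GroupId -> CCME group name map, and the
CIDR parameters the stack was deployed with. Findings: rules reachable from
anywhere, documented rules that are missing, and rules the baseline does not
document (a CIDR added by hand shows up here, so it gets reviewed rather than
silently kept). Egress is not checked.
"""
import ipaddress
from typing import Dict, List, Tuple

ALL = "ALL"
# Documented default ingress, group -> {(source, ports)}. A source is another
# group's name or the name of the CIDR parameter that feeds the rule.
BASELINE: Dict[str, set] = {
    "Front": {("AlbIngressCidrBlock", 443)},
    "Services": {("Management", 22), ("Front", 9443)},
    "Management": {("NetworkIngressSecurityGroupsSshCidrBlock", 22), ("Management", ALL)},
    "HeadNodes": {("Front", 18443), ("Services", 8443), ("Management", 22),
                  ("HeadNodes", ALL), ("Compute", ALL)},
    "Compute": {("Services", 8443), ("Management", 22), ("HeadNodes", ALL), ("Compute", ALL)},
    "LoginNodes": {("Management", 22), ("HeadNodes", ALL), ("Compute", ALL),
                   ("NetworkSecurityGroupLoginNodesIngressSshCidrBlock", 22)},
}


def _ports(perm: Dict):
    """Map one IpPermission to the port notation used in BASELINE."""
    if perm["IpProtocol"] == "-1":          # protocol -1 is "all traffic", no ports
        return ALL
    if perm["FromPort"] == perm["ToPort"]:
        return perm["FromPort"]
    return f'{perm["FromPort"]}-{perm["ToPort"]}'


def flatten_ingress(sg: Dict, names: Dict[str, str], params: Dict[str, str]) -> List[Tuple]:
    """Return (source, ports, cidr) triples for every ingress entry of one group.

    Group sources are resolved through `names`, CIDR sources through `params`
    (a CIDR matching no parameter is kept verbatim). `cidr` is None for group
    sources so the caller can still inspect the raw range.
    """
    cidr_to_param = {v: k for k, v in params.items()}
    rules = []
    for perm in sg.get("IpPermissions", []):
        ports = _ports(perm)
        for pair in perm.get("UserIdGroupPairs", []):
            rules.append((names.get(pair["GroupId"], pair["GroupId"]), ports, None))
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            rules.append((cidr_to_param.get(cidr, cidr), ports, cidr))
    return rules


def audit(groups: List[Dict], names: Dict[str, str], params: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare live ingress rules with BASELINE; returns findings by category."""
    findings: Dict[str, List[str]] = {"world_open": [], "missing": [], "undocumented": []}
    for sg in groups:
        name = names.get(sg["GroupId"], sg["GroupId"])
        triples = flatten_ingress(sg, names, params)
        actual = {(src, ports) for src, ports, _ in triples}
        expected = BASELINE.get(name, set())
        for src, ports, cidr in triples:
            # A prefix length of 0 (0.0.0.0/0 or ::/0) means reachable from anywhere.
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings["world_open"].append(f"{name}: port {ports} open to {cidr} ({src})")
        for src, ports in sorted(expected - actual, key=str):
            findings["missing"].append(f"{name}: port {ports} from {src}")
        for src, ports in sorted(actual - expected, key=str):
            findings["undocumented"].append(f"{name}: port {ports} from {src}")
    return findings


# Constructed sample in describe-security-groups shape (IDs are placeholders).
# The Front group's parameter was set to 0.0.0.0/0 and the Management group
# carries a second, hand-added admin CIDR besides the parameter's range.
SAMPLE_NAMES = {"sg-0front": "Front", "sg-0mgmt": "Management"}
SAMPLE_PARAMS = {"AlbIngressCidrBlock": "0.0.0.0/0",
                 "NetworkIngressSecurityGroupsSshCidrBlock": "10.10.0.0/16"}
SAMPLE_GROUPS = [
    {"GroupId": "sg-0front", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}, {"CidrIp": "192.0.2.0/24"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0mgmt"}]}]},
]

if __name__ == "__main__":
    for category, items in audit(SAMPLE_GROUPS, SAMPLE_NAMES, SAMPLE_PARAMS).items():
        print(category, items or "-")
```

Run it against the real output (aws ec2 describe-security-groups --filters Name=vpc-id,Values=<your VPC> --output json) with the group IDs from the stack and the CIDR values from your deployment parameters; an "undocumented" finding is not necessarily wrong, but every entry there should be traceable to a deliberate manual addition.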