We currently use a set of security groups, administered in the AWS console at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups:

A security group allows certain IP addresses to connect to a machine, once the machine has been added to the security group like this:

    aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security

Note that --groups replaces the instance's whole set of security groups, so LIST_OF_GROUPS must name every group the machine should keep, not just the one being added.

Security groups currently in use (security group, description, ports, details, notes):

Management-Access
  Description: worldwide ssh access
  Ports: 22
  Details: The production and staging ArchivesSpace servers need this group to allow developers to ssh to them.
  Notes: This allows worldwide ssh access; we're using SSH keys to control access.

Public-Access-Web
  Description: Public web access
  Ports: 80, 443
  Details: Open worldwide, to allow public web access to the production and staging ArchivesSpace servers.

Temp-Production
  Description: short term production firewall rules
  Ports: 8983
  Details: Please use this for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses.


🚨 The following security groups are scheduled for removal subsequent to our move to Heroku:

CHF-Access-Web
  Description: CHF internal web access
  Ports: 80, 443
  Details: See list of internal addresses [[here]]. Includes Offsite access addresses for Jonathan.
  Notes: Allows a list of employees to connect to 80 and 443. This is not being applied to any machines; both staging and production ASpace already allow access to those two ports via Public-Access-Web.

Temp-Development
  Description: short term dev firewall rules
  Ports: ??
  Details: Please use this for short term access; rules in here may be cleared off.

Temp-Staging
  Description: short term staging firewall rules
  Ports: ??
  Details: Please use this for short term access; rules in here may be cleared off.
  Notes: Andrew, for rebranding, has access.

internal-networking-production
  Description: Access between production machines
  Ports: 8080, 8983, 6379, 5432, 19999
  Details: All Samvera machines needed to be members of this group so they can communicate to share REST data. Port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring.
  Notes: Do not mix production and staging boxes; this divide keeps security group rule tests from impacting production. The only box in both is monitor, to watch both groups.

internal-networking-staging
  Description: Access between staging machines
  Ports: 8080, 8983, 6379, 5432, 19999
  Details: All Samvera machines needed to be members of this group so they can communicate to share REST data. Port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring.
  Notes: Do not mix production and staging boxes; this divide keeps security group rule tests from impacting production. The only box in both is monitor, to watch both groups.

When a machine has multiple security groups, a connection gets through the firewall as long as any one of the groups allows it. Anything not covered by a rule in some attached group is rejected.
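As an added example (not part of this page or the project's own tooling), the following Python models that rule over constructed group definitions in the shape of `aws ec2 describe-security-groups` IpPermissions, using the page's group names and ports; the CIDRs, the developer address and the instance names are made up, and group-to-group references are keyed by group name here rather than GroupId. It also checks the "do not mix production and staging boxes" rule from the internal-networking notes.

```python
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-security-groups`
# IpPermissions (simplified: group-to-group rules keyed by GroupName, not
# GroupId). Group names and ports follow the page; the CIDRs are made up.
GROUPS = {
    "Management-Access": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "Public-Access-Web": [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
        for p in (80, 443)],
    "Temp-Production": [  # short-term Solr access from one developer address
        {"IpProtocol": "tcp", "FromPort": 8983, "ToPort": 8983,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "UserIdGroupPairs": []}],
    "internal-networking-production": [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupName": "internal-networking-production"}]}
        for p in (8080, 8983, 6379, 5432, 19999)],
}


def is_allowed(instance_groups, src_ip, src_groups, port, proto="tcp"):
    """Inbound check with security-group semantics: a single matching rule in
    any attached group allows the connection; with no match the default is
    deny. src_groups are the groups attached to the connecting instance."""
    ip = ipaddress.ip_address(src_ip)
    for group in instance_groups:
        for rule in GROUPS.get(group, []):
            if rule["IpProtocol"] not in (proto, "-1"):
                continue
            if rule["IpProtocol"] != "-1" and not (
                    rule["FromPort"] <= port <= rule["ToPort"]):
                continue
            if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"]):
                return True
            if any(p["GroupName"] in src_groups for p in rule["UserIdGroupPairs"]):
                return True
    return False


def mixed_membership(membership, allowed=("monitor",)):
    """Instances attached to both internal-networking groups, which the page
    forbids for everything except the monitor box."""
    both = {"internal-networking-production", "internal-networking-staging"}
    return sorted(name for name, groups in membership.items()
                  if both <= set(groups) and name not in allowed)
```

The same check run against real `describe-security-groups` and `describe-instances` output would need GroupId lookups in place of the GroupName keys used here.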