Currently we are using a set of security groups:Our security groups are administered at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups.
A security group allows certain IP addresses to connect a machine, once the machine has been added to the security group like this:
aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security
They’re added by Ansible to new servers using the AWS key pair security_access_key / security_secret_key
which are in the group_vars/vault file.
Security Group | Description | Ports | Details |
|---|
Notes | | CHF-Access-Web | CHF internal web access | 80, 443 | See list of internal addresses [[here]] | Includes Offsite access addresses for Jonathan |
Admin |
|---|
Management-Access
| worldwide ssh access |
22 | All machines MUST have this group to allow ssh access. Currently allows worldwide ssh access, we're using keys to lock things down.Aspace prod and staging, port 22 | Allows SSH access by developers to the ArchivesSpace server. | admin
|
Public-Access-Web
| Public web access |
80, 443 | Open worldwide, to be applied to public web facing servers. App servers only. | Temp-Development | short term dev firewall rules | ?? | Please use this for short term access, rules in here may be cleared offPlease use this for short term access, rules in here may be cleared offAspace prod and staging, ports 80 and 443 | Allows public web access to the production and staging ArchivesSpace servers. | admin |
Temp-Production
| short term production firewall rules |
?? | Aspace prod, port 8983 | Used to allow developers and export code to access the ASpace API. | admin |
Temp-Staging
| short term staging firewall rules |
?? | Please use this for short term access, rules in here may be cleared off | Andrew, for rebranding, has access. | | internal-networking-production | Access between production machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines must be members of this group so they can communicate to share REST data, port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring. | Do not mix production and staging boxes, this divide avoids security group rule tests from impacting production. The only box on both is monitor to watch both groups. |
internal-networking-staging | Access between staging machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines must be members of this group so they can communicate to share REST data, port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring. | Do not mix production and staging boxes, this divide avoids security group rule tests from impacting production. The only box on both is monitor to watch both groupsAspace staging, port 8983 | See Temp-Production. | admin |
In addition there is a default security group that appears unused, but cannot be deleted.
When a machine has multiple security groups, as long as any one of the groups allows access the connection will work through the firewall. Anything not covered will be rejected however.
...