Examples
We illustrate the use of the Amazon EC2 firewall in the following two examples. Note that we use the
command line tools throughout the examples. The same results can be achieved using the SOAP API.
Default Group
1. Albert launches a copy of his favourite public AMI
$ ec2-run-instances ami-eca54085
RESERVATION 01927768 598916040194
INSTANCE cfd732a6 ami-eca54085 pending
2. After a little wait for image launch to complete, Albert, who is a cautious type, checks the access
rules of the default group
$ ec2-describe-group default
GROUP 598916040194 default default group
PERMISSION default ALLOWS all FROM USER
598916040194 GRPNAME default
and notices that it only accepts ingress network connections from other members of the default group
for all protocols and ports.
3. Albert, being paranoid as well as cautious, port scans his instance
$ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42
SAST
All 100 scanned ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
(216.182.228.116) are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds
4. Albert decides he should be able to SSH into his instance, but only from his own machine
$ ec2-authorize default -P tcp -p 22 -s 192.168.1.130/32
GROUP default
PERMISSION default ALLOWS tcp 22 22 FROM
CIDR 192.168.1.130/32
5. Repeating the port scan
$ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43
SAST
Interesting ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
(216.182.228.116):
(The 99 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds
Albert is happy (or at least less paranoid).
Three Tier Web Service
Mary wishes to deploy her public, fault tolerant, three tier web service in Amazon EC2. Her grand plan
is to have her web tier start off executing in seven instances of ami-fba54092, her application tier
executing in twenty instances of ami-e3a5408a, and her multi-master database in two instances of
Amazon EC2
Developer Guide
16
ami-f1a54098. She's concerned that nasty people might gain access to her subscriber database, so she
wants to restrict network access to her middle and back tier machines. When the traffic to her site
increases over the holiday shopping period, she adds additional instances to her web and application
tiers to handle the extra load.
1. First she creates a group for her Apache web server instances and allows HTTP access to the world
$ ec2-add-group apache -d "Mary's Apache group"
GROUP apache Mary's Apache group
$ ec2-describe-group apache
GROUP 598916040194 apache Mary's Apache group
$ ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0
GROUP apache
PERMISSION apache ALLOWS tcp 80 80 FROM
CIDR 0.0.0.0/0
$ ec2-describe-group apache
GROUP 598916040194 apache Mary's Apache group
PERMISSION 598916040194 apache ALLOWS tcp 80 80
FROM CIDR 0.0.0.0/0
She then launches seven instances of her web server AMI as members of this group
$ ec2run ami-fba54092 -n 7 -g apache
RESERVATION 01927768 598916040194
INSTANCE cfd732a6 ami-fba54092 pending
...
$ ec2din cfd732a6
RESERVATION 0592776c 598916040194
INSTANCE cfd732a6 ami-fba54092 domU-
12-31-33-00-04-16.usma1.compute.amazonaws.com running
...
Having studied at the same school of paranoia as Albert, Mary does a port scan to confirm the
permissions she just configured
$ nmap -P0 -p1-100 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21
SAST
Interesting ports on domU-12-31-33-00-04-16.usma1.compute.amazonaws.com
(216.182.231.20):
(The 99 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds
And then she tests to make sure her web server is contactable
$ telnet domU-12-31-33-00-04-16.usma1.compute.amazonaws.com 80
Trying 216.182.231.20...
Connected to domU-12-31-33-00-04-16.usma1.compute.amazonaws.com
(216.182.231.20).
Escape character is '^]'.
Excellent!
2. She now creates a separate group for her application server
$ ec2-add-group appserver -d "Mary's app server"
GROUP appserver Mary's app server
Amazon EC2
Developer Guide
17
Previous Page Next Page