ami-f1a54098. She's concerned that attackers might gain access to her subscriber database, so she
wants to restrict network access to her middle and back tier machines. When traffic to her site
increases over the holiday shopping period, she adds instances to her web and application
tiers to handle the extra load.
1. First she creates a group for her Apache web server instances and allows HTTP access to the world:
$ ec2-add-group apache -d "Mary's Apache group"
GROUP apache Mary's Apache group
$ ec2-describe-group apache
GROUP 598916040194 apache Mary's Apache group
$ ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0
GROUP apache
PERMISSION apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
$ ec2-describe-group apache
GROUP 598916040194 apache Mary's Apache group
PERMISSION 598916040194 apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
She then launches seven instances of her web server AMI as members of this group (ec2run and ec2din are the short aliases for ec2-run-instances and ec2-describe-instances):
$ ec2run ami-fba54092 -n 7 -g apache
RESERVATION 01927768 598916040194
INSTANCE cfd732a6 ami-fba54092 pending
...
$ ec2din cfd732a6
RESERVATION 0592776c 598916040194
INSTANCE cfd732a6 ami-fba54092 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com running
...
Having studied at the same school of paranoia as Albert, Mary port scans one of the new instances to confirm that only the permission she just configured is reachable. The -P0 option (spelled -Pn in current nmap releases) tells nmap to skip host discovery and scan anyway, since the group admits nothing but tcp/80 and a ping probe would simply be dropped:
$ nmap -P0 -p1-100 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST
Interesting ports on domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20):
(The 99 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds
She then confirms that the web server actually answers on port 80:
$ telnet domU-12-31-33-00-04-16.usma1.compute.amazonaws.com 80
Trying 216.182.231.20...
Connected to domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20).
Escape character is '^]'.
Excellent!
2. She now creates a separate group for her application servers:
$ ec2-add-group appserver -d "Mary's app server"
GROUP appserver Mary's app server
Amazon EC2
Developer Guide
17
then starts twenty instances as members of this group:
$ ec2run ami-e3a5408a -n 20 -g appserver
and grants her web server group network access to the application server group. The source of this rule is another group rather than an address range, so it keeps working as she adds or replaces web server instances. Note from the output that it admits every protocol and port from the apache group, not only the application port, so a compromised web server can reach any service on the application tier:
$ ec2-authorize appserver -o apache -u 598916040194
GROUP appserver
PERMISSION appserver ALLOWS all FROM USER 598916040194 GRPNAME apache
She checks that access to her app servers is indeed restricted from outside by port scanning one of them. Every probed port is filtered because no rule in the appserver group admits traffic from her address (this is a spot check of ports 1-100, not a full scan):
$ nmap -P0 -p1-100 domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
All 100 scanned ports on domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com (216.182.228.12) are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds
3. To confirm that her web servers have access to her application servers she needs to do a little extra work, since the test has to originate from inside the apache group:
a. She (temporarily) grants SSH access to the web server group from her workstation, and only from it:
$ ec2-authorize apache -P tcp -p 22 -s 192.168.1.130/32
b. She logs in to one of her web servers over SSH and, from there, connects to an application server on TCP port 8080. The connection is admitted because the web server is a member of the apache group, which the appserver rule trusts:
$ telnet domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com 8080
Trying 216.182.228.12...
Connected to domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com (216.182.228.12).
Escape character is '^]'.
c. Satisfied with the setup, she revokes SSH access to the web server group with the same arguments she used to grant it:
$ ec2-revoke apache -P tcp -p 22 -s 192.168.1.130/32
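The three steps above are worth checking mechanically as well as by eye: the ec2-describe-group output is the authoritative record of what the groups allow, and an nmap of a hundred ports only samples it. The script below is an added example, not code from the EC2 Developer Guide. It audits that output offline: it flags 0.0.0.0/0 rules that are not on an allowlist, lists group-to-group rules that admit every port (as Mary's appserver rule does), and reports whether a tcp/22 rule is still present, so the revoke in step 3c can be confirmed. The field positions assume the PERMISSION line layout printed on this page, and the sample text it runs on is constructed here to match that layout; against a live account the sample would be replaced by the real command output.

```shell
# Added example, not from the EC2 Developer Guide: an offline audit of
# ec2-describe-group output. Every PERMISSION line is assumed to use one of
# the two shapes shown in the text (the awk field positions depend on that):
#   PERMISSION <owner> <group> ALLOWS <proto> <from> <to> FROM CIDR <cidr>
#   PERMISSION <owner> <group> ALLOWS all FROM USER <owner> GRPNAME <group>

# Constructed sample: the two groups as they might look after step 3a,
# while the temporary SSH rule is still in place.
SAMPLE_RULES=$(cat <<'EOF'
GROUP 598916040194 apache Mary's Apache group
PERMISSION 598916040194 apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION 598916040194 apache ALLOWS tcp 22 22 FROM CIDR 192.168.1.130/32
GROUP 598916040194 appserver Mary's app server
PERMISSION 598916040194 appserver ALLOWS all FROM USER 598916040194 GRPNAME apache
EOF
)

# Print each rule open to the whole Internet (CIDR 0.0.0.0/0) that is not on
# the allowlist. $1 = describe-group output, $2 = allowlist with one
# "group proto from to" tuple per line.
world_open_violations() {
    printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN {
        n = split(allow, a, "\n")
        for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
    }
    $1 == "PERMISSION" && $8 == "FROM" && $9 == "CIDR" && $10 == "0.0.0.0/0" {
        key = $3 " " $5 " " $6 " " $7
        if (!(key in ok)) print "world-open: " key
    }'
}

# Print each group-to-group rule that admits every protocol and port, the way
# the appserver rule in step 2 does: a compromised member of the source group
# can then reach any service on the destination group.
unrestricted_group_rules() {
    printf '%s\n' "$1" | awk '
    $1 == "PERMISSION" && $5 == "all" && $7 == "USER" && $9 == "GRPNAME" {
        print "all-ports: " $3 " <- " $10 " (owner " $8 ")"
    }'
}

# Succeed (exit 0) if some tcp rule on group $2 still covers port 22. Run it
# after step 3c to confirm the temporary SSH rule really was revoked.
ssh_rule_present() {
    printf '%s\n' "$1" | awk -v g="$2" '
    $1 == "PERMISSION" && $3 == g && $5 == "tcp" && $6 <= 22 && $7 >= 22 { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Usage against the constructed sample; with a live account, replace
# SAMPLE_RULES by "$(ec2-describe-group)".
ALLOWED_WORLD_RULES="apache tcp 80 80"
echo "world-open rules outside the allowlist (none expected):"
world_open_violations "$SAMPLE_RULES" "$ALLOWED_WORLD_RULES"
echo "group rules that admit every port:"
unrestricted_group_rules "$SAMPLE_RULES"
if ssh_rule_present "$SAMPLE_RULES" apache; then
    echo "tcp/22 is still authorised on apache: step 3c has not been done yet"
fi
```

The allowlist is deliberately a list of exact tuples rather than a port number: a rule such as "tcp 1 65535 FROM CIDR 0.0.0.0/0" covers port 80 but is not the rule Mary intended, and the exact match catches it.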
Creating the group for database servers and granting access to it from the application server group is
left as an exercise for the reader ;-)