Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Manage Security Groups in Amazon EC2-Classic

A security group acts as a firewall that controls the traffic allowed into a group of instances. When you launch an Amazon EC2 instance, you can assign it to one or more security groups. For each security group, you can add rules that govern the allowed inbound traffic to instances in the group. All other inbound traffic is discarded. You can modify rules for a security group at any time. The new rules are automatically enforced for all existing and future instances in the group. For information on Amazon EC2 security groups, go to Using Security Groups.

Elastic Load Balancing provides a special Amazon EC2 source security group that you can use to ensure that a back-end Amazon EC2 instance receives traffic only from Elastic Load Balancing. This feature involves two security groups—the source security group and a security group that defines the ingress rules for your back-end instance. To lock down traffic between your load balancer and your back-end instances, add or modify a rule in your back-end security group that limits ingress traffic so that it can come only from the Amazon EC2 source security group provided by Elastic Load Balancing.

Locking down traffic between Elastic Load Balancing and back-end Amazon EC2 instance

In this section, we will walk you through the process for locking down the traffic between your load balancer and your back-end Amazon EC2 instances.

Before you continue, be sure you’ve read the Security Group Concepts section in the Amazon EC2 User Guide.

The following table outlines the steps for locking down the traffic between your load balancer and the back-end instances. This will be followed by instructions for locking down traffic between your load balancer and your back-end instances using the AWS Management Console, the command line interface (CLI), or the Query API.

If you are planning on using the command line interface (CLI), be sure that you've installed the Amazon EC2 command line interface tool. For information on downloading and installing the tool, go to Setting Up the Amazon EC2 Command Line Tools section in the Amazon EC2 User Guide.

Steps for locking down the traffic between your load balancer and your back-end instance

  1. Get the name of the source security group provided by Elastic Load Balancing for your load balancer.

  2. Add a new rule in the security group associated with your Amazon EC2 back-end instances to allow inbound traffic from your load balancer.

  3. Verify that the new rule has been added.

  4. [optional] Remove the rules in your back-end instance's security group that are less restrictive.


Using the AWS Management Console

  1. To get the name of the source security group provided by Elastic Load Balancing for your load balancer,

    1. On the Amazon EC2 Getting Started page, in the EC2 Dashboard pane, under NETWORK & SECURITY, click Load Balancers.

    2. On the Load Balancers page, select your load balancer.

    3. The bottom pane displays the details of your load balancer.

    4. Click the Security tab.

    5. Copy the name displayed in the Source Security Group row. This is the source security group provided by Elastic Load Balancing for your load balancer.

      (Figure: ELB Source Security Group)
  2. To add a rule in the security group of your Amazon EC2 back-end instances to allow incoming traffic from the Elastic Load Balancing source security group,

    1. On the Load Balancers page, click Instances in the Navigation pane.

    2. On the My Instances page, select an instance registered with your load balancer.

    3. The bottom pane displays details of your instance. Make sure that the Description tab is selected.

    4. Make a note of the name of the security group displayed in the Security Groups: field. This is the security group associated with your back-end instance.

    5. Click Security Groups in the Navigation pane.

    6. On the Security Groups page, select the security group associated with your back-end instance.

    7. The bottom pane displays details of the security group.

    8. Click the Inbound tab. The right pane of the Inbound tab displays the rules that belong to the security group.

    9. In the Port range: field, specify the port or port range for accessing your Amazon EC2 instances.

    10. In the Source: field, type the source security group name of your load balancer. This should be the same name you used in step 1. In our example it’s amazon-elb/amazon-elb-sg.

    11. Click Add Rule and then click Apply Rule Changes.

  3. The right-side pane of the Inbound tab displays the new rule. Verify that the new rule is added to the security group of your back-end instance.

    (Figure: EC2 Security Group)
  4. [optional] If your security group has rules that are less restrictive than the rule you added in step 2, remove the less restrictive rule by clicking Delete in the row that has the less restrictive rule.

    Note

    If you want to connect directly to your back-end instances, do not delete inbound rules that allow you to do so. For example, you might have rules that allow inbound traffic on ports 22 (SSH) and 3389 (RDP).

Using the command line interface (CLI)

  1. To get the name of the source security group provided by Elastic Load Balancing for your load balancer,

    Enter the elb-describe-lbs command. You must include the --show-long parameter to display the source security group name. For information on using additional parameters with this command, go to Elastic Load Balancing Quick Reference Card.

    The following example returns a description of the MyLoadBalancer load balancer.

    elb-describe-lbs MyLoadBalancer --show-long --headers

    The following is an example response.

    LOAD_BALANCER,NAME,DNS_NAME,CANONICAL_HOSTED_ZONE_NAME,CANONICAL_HOSTED_ZONE_NAME_ID,
    HEALTH_CHECK,AVAILABILITY_ZONES,SUBNETS,VPC_ID,INSTANCE_ID,LISTENER_DESCRIPTIONS,
    BACKEND_SERVER_DESCRIPTIONS,OTHER_POLICIES,SOURCE_SECURITY_GROUP,SECURITY_GROUPS,CREATED_TIME,SCHEME
    LOAD_BALANCER,MyLoadBalancer,MyLoadBalancer-91948427.us-east-1.elb.amazonaws.com
    ,MyLoadBalancer-91948427.us-east-1.elb.amazonaws.com,Z3DZXE0Q79N41H,"{interval=6
    ,target=HTTP:80/,timeout=5,healthy-threshold=2,unhealthy-threshold=2}",us-east-1
    e,(nil),(nil),"i-f5ab7988, i-fbab7986","{protocol=HTTP,lb-port=80,instance-proto
    col=HTTP,instance-port=80,policies=},{protocol=HTTPS,lb-port=443,instance-protoc
    ol=HTTP,instance-port=80,cert-id=arn:aws:iam::803981987763:server-certificate/sc
    ert,policies=AWSConsole-SSLNegotiationPolicy-MyLoadBalancer}",(nil),AWSConsole-S
    SLNegotiationPolicy-MyLoadBalancer,"{owner-alias=example-elb,group-name=example-elb-sg}"
    ,(nil),2012-09-28T17:57:27.580Z,internet-facing

    The response element includes a source security group data structure composed of an owner-alias and group-name. This is the source security group associated with your load balancer. Make a note of the owner-alias and group-name. You’ll use it in the next step.

  2. To add a rule in the security group of your Amazon EC2 back-end instances to allow incoming traffic from the Elastic Load Balancing source security group,

    You will be using the Amazon EC2 CLI commands for this step.

    1. [optional] If you do not know the name of the security group of your back-end instances, enter the ec2-describe-group command as in the following example.

      ec2-describe-group --headers

      The response element includes the details of all the security groups in your account. Make a note of the security group name associated with the back-end instance that you want to modify.

    2. Enter the ec2-authorize command to add a rule to the security group associated with your back-end instance.

      In the following example, ec2-authorize limits incoming traffic for all back-end instances that belong to a security group named MyTestSecurityGroup.

      ec2-authorize MyTestSecurityGroup -u amazon-elb -o amazon-elb-sg

      For specifying additional parameters for ports and protocols, go to ec2-authorize in the Amazon EC2 CLI Reference.

  3. To verify that the security group associated with your back-end instance has the new rule that allows incoming traffic from the Elastic Load Balancing source security group,

    Enter ec2-describe-group command as in the following example:

    ec2-describe-group MyTestSecurityGroup  --headers

    The following is the example response that lists the newly added rule:

    GROUP   Id      Owner   Name    Description
    GROUP   sg-9cd8a3f4     000011112222    MyTestSecurityGroup  This is an example   
    PERMISSION      000011112222    MyTestSecurityGroup     ALLOWS  tcp     0       0
    FROM    USER    amazon-elb      NAME amazon-elb-sg      ID sg-843f59ed  ingress
    PERMISSION      000011112222    MyTestSecurityGroup     ALLOWS  tcp     3389    3389
    FROM    USER    amazon-elb      NAME amazon-elb-sg      ID sg-843f59ed  ingress
    PERMISSION      000011112222    MyTestSecurityGroup     ALLOWS  tcp     22      22
    FROM    CIDR    0.0.0.0/0       ingress
    PERMISSION      000011112222    MyTestSecurityGroup     ALLOWS  tcp     80      80
    FROM    CIDR    0.0.0.0/0       ingress
    
  4. [optional] If your security group has rules that are less restrictive than the rule you added in the previous step, use the ec2-revoke command to remove the less restrictive rules. For example, an existing rule might allow ingress traffic from the CIDR range 0.0.0.0/0 (all IPv4 addresses).

    The following example uses ec2-revoke to remove a rule that allows HTTP traffic from all IPv4 addresses from a security group named MyTestSecurityGroup.

    ec2-revoke MyTestSecurityGroup -p 80 -s 0.0.0.0/0

    Note

    If you want to connect directly to your back-end instances, do not revoke ingress rules that allow you to do so. For example, you might have rules that allow ingress traffic on ports 22 (SSH) and 3389 (RDP).

Using the Query API

  1. To get the name of the source security group provided by Elastic Load Balancing for your load balancer,

    1. Call the DescribeLoadBalancers action with the following parameter:

      • LoadBalancerNames = MyLoadBalancer

      The response should include the details of your load balancer. The information you get should be similar to the following example:

      <DescribeLoadBalancersResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/">
        <DescribeLoadBalancersResult>
          <LoadBalancerDescriptions>
            <member>
              <SecurityGroups/>
              <LoadBalancerName>MyLoadBalancer</LoadBalancerName>
              <CreatedTime>2012-09-28T17:57:27.580Z</CreatedTime>
              <HealthCheck>
                <Interval>6</Interval>
                <Target>HTTP:80/</Target>
                <HealthyThreshold>2</HealthyThreshold>
                <Timeout>5</Timeout>
                <UnhealthyThreshold>2</UnhealthyThreshold>
              </HealthCheck>
              <ListenerDescriptions>
                <member>
                  <PolicyNames/>
                  <Listener>
                    <Protocol>HTTP</Protocol>
                    <LoadBalancerPort>80</LoadBalancerPort>
                    <InstanceProtocol>HTTP</InstanceProtocol>
                    <InstancePort>80</InstancePort>
                  </Listener>
                </member>
                <member>
                  <PolicyNames>
                    <member>AWSConsole-SSLNegotiationPolicy-MyLoadBalancer</member>
                  </PolicyNames>
                  <Listener>
                    <Protocol>HTTPS</Protocol>
                    <LoadBalancerPort>443</LoadBalancerPort>
                    <InstanceProtocol>HTTP</InstanceProtocol>
                    <SSLCertificateId>arn:aws:iam::000011112222:server-certificate/scert</SSLCertificateId>
                    <InstancePort>80</InstancePort>
                  </Listener>
                </member>
              </ListenerDescriptions>
              <Instances>
                <member>
                  <InstanceId>i-f5ab7988</InstanceId>
                </member>
                <member>
                  <InstanceId>i-fbab7986</InstanceId>
                </member>
              </Instances>
              <Policies>
                <AppCookieStickinessPolicies/>
                <OtherPolicies>
                  <member>AWSConsole-SSLNegotiationPolicy-MyLoadBalancer</member>
                </OtherPolicies>
                <LBCookieStickinessPolicies/>
              </Policies>
              <AvailabilityZones>
                <member>us-east-1e</member>
              </AvailabilityZones>
              <CanonicalHostedZoneName>MyLoadBalancer-91948427.us-east-1.elb.amazonaws.com</CanonicalHostedZoneName>
              <CanonicalHostedZoneNameID>Z3DZXE0Q79N41H</CanonicalHostedZoneNameID>
              <Scheme>internet-facing</Scheme>
              <SourceSecurityGroup>
                <OwnerAlias>amazon-elb</OwnerAlias>
                <GroupName>amazon-elb-sg</GroupName>
              </SourceSecurityGroup>
              <DNSName>MyLoadBalancer-91948427.us-east-1.elb.amazonaws.com</DNSName>
              <BackendServerDescriptions/>
              <Subnets/>
            </member>
          </LoadBalancerDescriptions>
        </DescribeLoadBalancersResult>
        <ResponseMetadata>
          <RequestId>0d7f1256-0b10-11e2-b66c-d3e9bEXAMPLE</RequestId>
        </ResponseMetadata>
      </DescribeLoadBalancersResponse>
    2. The response element includes a SourceSecurityGroup data structure composed of an OwnerAlias and GroupName. This is the security group provided by Elastic Load Balancing for your load balancer. Make a note of the details in the SourceSecurityGroup data structure. You’ll use it in the next step.

  2. To add a rule in the security group of your Amazon EC2 back-end instances to allow incoming traffic from the Elastic Load Balancing source security group,

    1. [optional] If you do not know the name of the security group of your back-end instances, call the DescribeSecurityGroups action to find out the name of the security group associated with your back-end instance.

      The response includes the details of all the security groups in your account. Make a note of the security group name associated with the back-end instance that you want to modify.

    2. Call the AuthorizeSecurityGroupIngress action with the following parameters:

      • GroupName = MyTestSecurityGroup

      • IpPermissions.1.Groups.1.UserId = amazon-elb

      • IpPermissions.1.Groups.1.GroupName = amazon-elb-sg

      For information on specifying additional parameters for the ports and protocols, go to AuthorizeSecurityGroupIngress in the Amazon EC2 API Reference.

  3. Verify that the security group associated with your back-end instance has the new rule that allows incoming traffic from the Elastic Load Balancing source security group.

    Call DescribeSecurityGroups with the following parameters:

    • GroupName = MyTestSecurityGroup

    The response should include the details of the security group including the newly added rule. The information you get should be similar to the following example:

    <DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2012-03-01/">
      <requestId>a8a2955f-61db-4e5e-b138-e2be7EXAMPLE</requestId>
      <securityGroupInfo>
        <item>
          <ownerId>000011112222</ownerId>
          <groupId>sg-9cd8a3f4</groupId>
          <groupName>MyTestSecurityGroup</groupName>
          <groupDescription>This is an example</groupDescription>
          <ipPermissions>
            <item>
              <ipProtocol>tcp</ipProtocol>
              <fromPort>0</fromPort>
              <toPort>0</toPort>
              <groups>
                <item>
                  <userId>amazon-elb</userId>
                  <groupId>sg-843f59ed</groupId>
                  <groupName>amazon-elb-sg</groupName>
                </item>
              </groups>
              <ipRanges/>
            </item>
            <item>
              <ipProtocol>tcp</ipProtocol>
              <fromPort>3389</fromPort>
              <toPort>3389</toPort>
              <groups>
                <item>
                  <userId>amazon-elb</userId>
                  <groupId>sg-843f59ed</groupId>
                  <groupName>amazon-elb-sg</groupName>
                </item>
              </groups>
              <ipRanges/>
            </item>
            <item>
              <ipProtocol>tcp</ipProtocol>
              <fromPort>22</fromPort>
              <toPort>22</toPort>
              <groups/>
              <ipRanges>
                <item>
                  <cidrIp>0.0.0.0/0</cidrIp>
                </item>
              </ipRanges>
            </item>
            <item>
              <ipProtocol>tcp</ipProtocol>
              <fromPort>80</fromPort>
              <toPort>80</toPort>
              <groups/>
              <ipRanges>
                <item>
                  <cidrIp>0.0.0.0/0</cidrIp>
                </item>
              </ipRanges>
            </item>
          </ipPermissions>
        </item>
      </securityGroupInfo>
    </DescribeSecurityGroupsResponse>

  4. [optional] If your security group has rules that are less restrictive than the rule you added in the previous step, use the RevokeSecurityGroupIngress action to remove the less restrictive rules. For example, an existing rule might allow ingress traffic from the CIDR range 0.0.0.0/0 (all IPv4 addresses).

    The following example calls the RevokeSecurityGroupIngress action with the following parameters to remove a rule that allows HTTP traffic from all IPv4 addresses from a security group named MyTestSecurityGroup.

    • GroupName = MyTestSecurityGroup

    • IpPermissions.1.FromPort = 80

    • IpPermissions.1.IpRanges.1.CidrIp = 0.0.0.0/0

    Note

    If you want to connect directly to your back-end instances, do not revoke ingress rules that allow you to do so. For example, you might have rules that allow ingress traffic on ports 22 (SSH) and 3389 (RDP).
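The verification in step 3 and the clean-up in step 4 (in both the CLI and the Query API procedures above) are easy to get wrong by eye when a group has many rules. The following script is an added example, not code from the AWS guide: it parses the two Query API responses shown on this page (constructed inline, abbreviated to the elements it needs), reads the SourceSecurityGroup and the instance ports the load balancer forwards to from DescribeLoadBalancers, and then checks the back-end group from DescribeSecurityGroups for (a) the presence of the rule from the ELB source security group and (b) any 0.0.0.0/0 rule on a forwarded port, which is the "less restrictive" rule step 4 tells you to revoke. Rules on the management ports 22 and 3389 are deliberately skipped, following the Note. The `MANAGEMENT_PORTS` set and the helper names are this example's own choices; the `-P` protocol option of `ec2-revoke` is assumed from the EC2 CLI and is not shown on this page.

```python
"""Audit an EC2-Classic back-end security group against the ELB source security group.

Added example (not part of the AWS guide). Input is constructed from the
DescribeLoadBalancers and DescribeSecurityGroups responses shown on the page.
"""
import xml.etree.ElementTree as ET

ELB_NS = "{http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/}"
EC2_NS = "{http://ec2.amazonaws.com/doc/2012-03-01/}"

# Constructed sample: abbreviated DescribeLoadBalancers response from the page.
DESCRIBE_LB_XML = """<DescribeLoadBalancersResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/">
 <DescribeLoadBalancersResult><LoadBalancerDescriptions><member>
  <LoadBalancerName>MyLoadBalancer</LoadBalancerName>
  <ListenerDescriptions>
   <member><Listener><Protocol>HTTP</Protocol><LoadBalancerPort>80</LoadBalancerPort>
    <InstanceProtocol>HTTP</InstanceProtocol><InstancePort>80</InstancePort></Listener></member>
   <member><Listener><Protocol>HTTPS</Protocol><LoadBalancerPort>443</LoadBalancerPort>
    <InstanceProtocol>HTTP</InstanceProtocol><InstancePort>80</InstancePort></Listener></member>
  </ListenerDescriptions>
  <SourceSecurityGroup><OwnerAlias>amazon-elb</OwnerAlias><GroupName>amazon-elb-sg</GroupName></SourceSecurityGroup>
 </member></LoadBalancerDescriptions></DescribeLoadBalancersResult>
</DescribeLoadBalancersResponse>"""

# Constructed sample: DescribeSecurityGroups response with the four rules listed on the page.
DESCRIBE_SG_XML = """<DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2012-03-01/">
 <securityGroupInfo><item>
  <groupName>MyTestSecurityGroup</groupName>
  <ipPermissions>
   <item><ipProtocol>tcp</ipProtocol><fromPort>0</fromPort><toPort>0</toPort>
    <groups><item><userId>amazon-elb</userId><groupName>amazon-elb-sg</groupName></item></groups><ipRanges/></item>
   <item><ipProtocol>tcp</ipProtocol><fromPort>3389</fromPort><toPort>3389</toPort>
    <groups><item><userId>amazon-elb</userId><groupName>amazon-elb-sg</groupName></item></groups><ipRanges/></item>
   <item><ipProtocol>tcp</ipProtocol><fromPort>22</fromPort><toPort>22</toPort>
    <groups/><ipRanges><item><cidrIp>0.0.0.0/0</cidrIp></item></ipRanges></item>
   <item><ipProtocol>tcp</ipProtocol><fromPort>80</fromPort><toPort>80</toPort>
    <groups/><ipRanges><item><cidrIp>0.0.0.0/0</cidrIp></item></ipRanges></item>
  </ipPermissions>
 </item></securityGroupInfo>
</DescribeSecurityGroupsResponse>"""

# Direct-access ports the Note says to keep; a choice of this example, not of the guide.
MANAGEMENT_PORTS = {22, 3389}


def elb_source_group_and_ports(xml_text):
    """Return ((OwnerAlias, GroupName), {instance ports}) for the first load balancer described."""
    root = ET.fromstring(xml_text)
    lb = root.find(f".//{ELB_NS}LoadBalancerDescriptions/{ELB_NS}member")
    ssg = lb.find(f"{ELB_NS}SourceSecurityGroup")
    source = (ssg.findtext(f"{ELB_NS}OwnerAlias"), ssg.findtext(f"{ELB_NS}GroupName"))
    ports = {int(p.text) for p in lb.iter(f"{ELB_NS}InstancePort")}
    return source, ports


def ingress_rules(xml_text, group_name):
    """Yield (protocol, from_port, to_port, source) for one group; source is
    ('group', user_id, group_name) or ('cidr', cidr)."""
    root = ET.fromstring(xml_text)
    for sg in root.find(f"{EC2_NS}securityGroupInfo"):
        if sg.findtext(f"{EC2_NS}groupName") != group_name:
            continue
        for perm in sg.find(f"{EC2_NS}ipPermissions"):
            proto = perm.findtext(f"{EC2_NS}ipProtocol")
            lo = int(perm.findtext(f"{EC2_NS}fromPort"))
            hi = int(perm.findtext(f"{EC2_NS}toPort"))
            for g in perm.findall(f"{EC2_NS}groups/{EC2_NS}item"):
                yield proto, lo, hi, ("group", g.findtext(f"{EC2_NS}userId"), g.findtext(f"{EC2_NS}groupName"))
            for r in perm.findall(f"{EC2_NS}ipRanges/{EC2_NS}item"):
                yield proto, lo, hi, ("cidr", r.findtext(f"{EC2_NS}cidrIp"))
        return  # only the requested group


def audit(lb_xml, sg_xml, group_name):
    """Return (elb_rule_present, rules open to 0.0.0.0/0 on a forwarded, non-management port)."""
    (owner, name), instance_ports = elb_source_group_and_ports(lb_xml)
    rules = list(ingress_rules(sg_xml, group_name))
    elb_rule_present = any(src == ("group", owner, name) for _, _, _, src in rules)
    too_broad = [
        (proto, lo, hi, src) for proto, lo, hi, src in rules
        if src[0] == "cidr" and src[1] == "0.0.0.0/0"
        and any(lo <= p <= hi for p in instance_ports)
        and not (lo == hi and lo in MANAGEMENT_PORTS)
    ]
    return elb_rule_present, too_broad


def revoke_commands(group_name, too_broad):
    """Render each over-broad rule as the ec2-revoke command that removes it (step 4)."""
    cmds = []
    for proto, lo, hi, (_, cidr) in too_broad:
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        cmds.append(f"ec2-revoke {group_name} -P {proto} -p {port} -s {cidr}")
    return cmds


if __name__ == "__main__":
    present, broad = audit(DESCRIBE_LB_XML, DESCRIBE_SG_XML, "MyTestSecurityGroup")
    print("ELB source group rule present:", present)
    for cmd in revoke_commands("MyTestSecurityGroup", broad):
        print("less restrictive rule, revoke with:", cmd)
```

Run against the page's sample data, the script confirms the amazon-elb/amazon-elb-sg rule is present and flags only the port 80 rule from 0.0.0.0/0, which is exactly the rule the guide's own step 4 example revokes; the port 22 rule is left alone both because it is a management port and because the load balancer does not forward to it. In practice you would feed the script the live responses from the Query API rather than the embedded samples.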