Examples

We illustrate the use of the Amazon EC2 firewall in the following two examples. Note that we use the command line tools throughout the examples. The same results can be achieved using the SOAP API.

  1. Albert launches a copy of his favourite public AMI

    $ ec2-run-instances ami-eca54085
    RESERVATION     r-01927768      598916040194
    INSTANCE        i-cfd732a6      ami-eca54085            pending

  2. After a little wait for image launch to complete, Albert, who is a cautious type, checks the access rules of the default group

    $ ec2-describe-group default
    GROUP   598916040194    default default group
    PERMISSION      default  ALLOWS  all                     FROM    USER    598916040194    GRPNAME default

    and notices that it only accepts ingress network connections from other members of the default group, for all protocols and ports.

  3. Albert, being paranoid as well as cautious, port scans his instance

    $ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
    All 100 scanned ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116) are: filtered
    
    Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

  4. Albert decides he should be able to SSH into his instance, but only from his own machine

    $ ec2-authorize default -P tcp -p 22 -s 192.168.1.130/32
    GROUP           default
    PERMISSION              default ALLOWS  tcp     22      22      FROM    CIDR    192.168.1.130/32

  5. Repeating the port scan

    $ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST
    Interesting ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116):
    (The 99 ports scanned but not shown below are in state: filtered)
    PORT   STATE SERVICE
    22/tcp open  ssh
    
    Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds

    Albert is happy (or at least less paranoid).

Mary wishes to deploy her public, fault-tolerant, three-tier web service in Amazon EC2. Her grand plan is to have her web tier start off executing in seven instances of ami-fba54092, her application tier executing in twenty instances of ami-e3a5408a, and her multi-master database in two instances of ami-f1a54098. She's concerned that nasty people might gain access to her subscriber database, so she wants to restrict network access to her middle- and back-tier machines. When the traffic to her site increases over the holiday shopping period, she adds additional instances to her web and application tiers to handle the extra load.

  1. First she creates a group for her Apache web server instances and allows HTTP access to the world

    $ ec2-add-group apache -d "Mary's Apache group"
    GROUP   apache  Mary's Apache group
    
    $ ec2-describe-group apache
    GROUP   598916040194    apache  Mary's Apache group
    
    $ ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0
    GROUP           apache
    PERMISSION              apache  ALLOWS  tcp     80      80      FROM    CIDR    0.0.0.0/0
    
    $ ec2-describe-group apache
    GROUP   598916040194    apache  Mary's Apache group
    PERMISSION      598916040194    apache  ALLOWS  tcp     80      80      FROM    CIDR    0.0.0.0/0

    She then launches seven instances of her web server AMI as members of this group

    $ ec2run ami-fba54092 -n 7 -g apache
    RESERVATION     r-01927768      598916040194
    INSTANCE        i-cfd732a6      ami-fba54092            pending
    ...
    
    $ ec2din i-cfd732a6
    RESERVATION     r-0592776c      598916040194
    INSTANCE        i-cfd732a6      ami-fba54092       domU-12-31-33-00-04-16.usma1.compute.amazonaws.com      running
    ...

    Having studied at the same school of paranoia as Albert, Mary does a port scan to confirm the permissions she just configured

    $ nmap -P0 -p1-100 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST
    Interesting ports on domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20):
    (The 99 ports scanned but not shown below are in state: filtered)
    PORT   STATE SERVICE
    80/tcp open  http
    
    Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds

    And then she tests to make sure her web server is contactable

    $ telnet domU-12-31-33-00-04-16.usma1.compute.amazonaws.com 80
    Trying 216.182.231.20...
    Connected to domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20).
    Escape character is '^]'.

    Excellent!

  2. She now creates a separate group for her application server

    $ ec2-add-group appserver -d "Mary's app server"
    GROUP   appserver       Mary's app server

    then starts twenty instances as members of this group

    $ ec2run ami-e3a5408a -n 20 -g appserver

    and grants network access between her web server group and the application server group

    $ ec2-authorize appserver -o apache -u 598916040194
    GROUP           appserver
    PERMISSION      appserver  ALLOWS  all                     FROM    USER    598916040194    GRPNAME apache

    She checks to ensure access to her app server is indeed restricted by port scanning one of the app servers

    $ nmap -P0 -p1-100 domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
    All 100 scanned ports on domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com (216.182.228.12) are: filtered
    
    Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

  3. To confirm that her web servers have access to her application servers she needs to do a little extra work...

Creating the group for database servers and granting access to them from the application server group is left as an exercise for the reader ;-)
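As an added example (not part of the original Amazon documentation or tools), the following Python script models how the firewall evaluates the PERMISSION lines printed by ec2-describe-group and ec2-authorize in both Albert's and Mary's examples above, and reproduces the open/filtered results of their nmap scans without touching the network. The describe-group lines are constructed to match the output shown above; the source addresses 203.0.113.9 and 10.1.2.3 are made-up stand-ins for "some other host" and "one of Mary's web servers".

```python
"""Model of EC2 security-group ingress evaluation (added example, not Amazon's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

OWNER = "598916040194"  # account id used throughout the examples above


@dataclass(frozen=True)
class Rule:
    proto: str                              # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]        # inclusive range; None means all ports
    cidr: Optional[ipaddress.IPv4Network]   # set for "FROM CIDR x/y" rules
    group: Optional[Tuple[str, str]]        # (owner, name) for "FROM USER o GRPNAME g" rules


def parse_permission(line: str) -> Rule:
    """Parse one PERMISSION line as printed by ec2-describe-group or ec2-authorize."""
    f = line.split()
    if not f or f[0] != "PERMISSION" or "ALLOWS" not in f or "FROM" not in f:
        raise ValueError(f"not a PERMISSION line: {line!r}")
    a, src = f.index("ALLOWS"), f.index("FROM")
    proto = f[a + 1]
    # "all" rules print blank port columns, so only the protocol sits between ALLOWS and FROM
    ports = (int(f[a + 2]), int(f[a + 3])) if src - a == 4 else None
    if f[src + 1] == "CIDR":
        return Rule(proto, ports, ipaddress.ip_network(f[src + 2]), None)
    if f[src + 1] == "USER" and f[src + 3] == "GRPNAME":
        return Rule(proto, ports, None, (f[src + 2], f[src + 4]))
    raise ValueError(f"unknown source clause: {line!r}")


def ingress_allowed(rules, proto, port, src_ip, src_groups=frozenset()):
    """True if a packet from src_ip (an instance in src_groups, if any) to proto/port passes."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in ("all", proto):
            continue
        if r.ports and not (r.ports[0] <= port <= r.ports[1]):
            continue
        if (r.cidr is not None and ip in r.cidr) or (r.group is not None and r.group in src_groups):
            return True
    return False  # no rule matched: nmap reports the port as "filtered"


def scan(rules, src_ip, src_groups=frozenset(), ports=range(1, 101)):
    """TCP ports an nmap -p1-100 run from src_ip would report as open."""
    return [p for p in ports if ingress_allowed(rules, "tcp", p, src_ip, src_groups)]


# Constructed describe-group output: Albert's default group after step 4, Mary's appserver after step 2
DEFAULT_RULES = [parse_permission(ln) for ln in """
PERMISSION 598916040194 default ALLOWS all FROM USER 598916040194 GRPNAME default
PERMISSION 598916040194 default ALLOWS tcp 22 22 FROM CIDR 192.168.1.130/32
""".splitlines() if ln.strip()]
APPSERVER_RULES = [parse_permission(
    "PERMISSION 598916040194 appserver ALLOWS all FROM USER 598916040194 GRPNAME apache")]

if __name__ == "__main__":
    print("Albert from his own machine:", scan(DEFAULT_RULES, "192.168.1.130"))      # [22]
    print("Albert from anywhere else:", scan(DEFAULT_RULES, "203.0.113.9"))          # []
    print("appserver from the Internet:", scan(APPSERVER_RULES, "203.0.113.9"))      # []
    print("appserver from an apache instance:",
          len(scan(APPSERVER_RULES, "10.1.2.3", {(OWNER, "apache")})))               # 100
```

The group-membership clause is what makes Mary's appserver rule useful: the same packet from the same address is filtered unless its source instance was launched with -g apache under her account.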