The traffic between the instances is governed by the ingress (inbound) and egress (outbound) rules defined in the security groups. Listed here are recommended security groups and their inbound and outbound rules. Please refer to Chapter 2, How Are Cloud Applications Different?, for how to create security groups.
ELB Security Group Recommended Rules: Apply this security group to the ELB.
- Inbound:

| Source (CIDR) | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 8080 | Accept HTTP traffic from anywhere. |
| 0.0.0.0/0 | TCP | 8443 | Accept HTTPS traffic from anywhere. |

- Outbound:

| Destination (security group ID) | Protocol | Port Range | Comments |
|---|---|---|---|
| ID of Web security group | TCP | 8080 | Route HTTP traffic to instances that have the Web security group assigned. |
| ID of Web security group | TCP | 8443 | Route HTTPS traffic to instances that have the Web security group assigned. |
Recommended Rules for the Web Security Group: Apply this security group to the EC2 instances running on the public networks in both Availability Zones. This security group is for the web servers.
- Inbound:

| Source (security group ID) | Protocol | Port Range | Comments |
|---|---|---|---|
| ID of ELB security group | TCP | 8080 | Accept HTTP traffic from the load balancer. |
| ID of ELB security group | TCP | 8443 | Accept HTTPS traffic from the load balancer. |
| ID of Bastion security group | TCP | 22 | Allow SSH traffic from the bastion network. |

- Outbound:

| Destination (security group ID) | Protocol | Port Range | Comments |
|---|---|---|---|
| ID of Database security group | TCP | 3306 | Allow MySQL access to the database servers that have the Database security group assigned. |
Recommended Rules for the Bastion Security Group: Apply this security group to the EC2 instances running on the bastion network.
- Inbound:

| Source (CIDR) | Protocol | Port Range | Comments |
|---|---|---|---|
| MyIP | TCP | 22 | Accept SSH connections from your fixed static IP. This means you can connect to the bastion server only from that IP address. If you do not have a static IP, change the source to 0.0.0.0/0. |

- Outbound:

| Destination (security group ID) | Protocol | Port Range | Comments |
|---|---|---|---|
| ID of Database security group | TCP | 3306 | Allow MySQL access to the database servers in order to administer the MySQL database. |
| ID of Web security group | TCP | 22 | Allow SSH access, for administration, to the web server instances running on the public network. |
Recommended Rules for the Database Security Group: Apply this security group to the EC2 instances running on the private network in both Availability Zones. This security group is for the database servers.
- Inbound:

| Source (security group ID) | Protocol | Port Range | Comments |
|---|---|---|---|
| ID of Web security group | TCP | 3306 | Accept MySQL connections from the web application running on the public network. |
| ID of Bastion security group | TCP | 3306 | Allow MySQL access to the database servers in order to administer the MySQL database. |

- Outbound:

| Destination (CIDR) | Protocol | Port Range | Comments |
|---|---|---|---|
| None | None | None | Delete all outbound rules. |
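The four rule sets above reference each other by security group ID, so a mistake on one side (an egress rule on the bastion group with no matching ingress rule on the database group, for instance) silently blocks traffic, while a loosened bastion source silently exposes SSH. The following script is an added example, not code from the book: it models the recommended groups as data and checks two properties before anyone applies them, that every group-to-group rule is mirrored on the referenced group, and that no administrative port (22 or 3306) is reachable from 0.0.0.0/0. Group names (`elb`, `web`, `bastion`, `db`) and the sample admin address `203.0.113.10/32` standing in for "MyIP" are assumptions of the example.

```python
"""Consistency checks for the recommended security-group rule set.

Added example (not from the book). Group names and the sample admin CIDR
are assumptions; the rules themselves follow the tables above.
"""
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"
ADMIN_PORTS = {22, 3306}  # SSH and MySQL


@dataclass(frozen=True)
class Rule:
    peer: str    # a CIDR, or the name of another security group
    proto: str
    port: int


@dataclass
class SecurityGroup:
    name: str
    inbound: set = field(default_factory=set)
    outbound: set = field(default_factory=set)


def recommended_groups(admin_cidr: str = "203.0.113.10/32") -> dict:
    """Build the four groups from the tables; admin_cidr stands in for 'MyIP'."""
    elb, web, bastion, db = (SecurityGroup(n) for n in ("elb", "web", "bastion", "db"))
    for port in (8080, 8443):            # HTTP / HTTPS through the load balancer
        elb.inbound.add(Rule(ANY, "tcp", port))
        elb.outbound.add(Rule("web", "tcp", port))
        web.inbound.add(Rule("elb", "tcp", port))
    web.inbound.add(Rule("bastion", "tcp", 22))
    web.outbound.add(Rule("db", "tcp", 3306))
    bastion.inbound.add(Rule(admin_cidr, "tcp", 22))
    bastion.outbound.add(Rule("db", "tcp", 3306))
    bastion.outbound.add(Rule("web", "tcp", 22))
    db.inbound.add(Rule("web", "tcp", 3306))
    db.inbound.add(Rule("bastion", "tcp", 3306))
    # db.outbound stays empty: "Delete all outbound rules."
    return {g.name: g for g in (elb, web, bastion, db)}


def is_cidr(peer: str) -> bool:
    return "/" in peer


def find_unmatched(groups: dict) -> list:
    """Group-to-group rules with no mirror image on the referenced group.

    Security groups are stateful, so reply packets need no rule, but a new
    connection needs an egress rule on the source group AND an ingress rule
    on the destination group. A rule present on only one side blocks traffic.
    """
    problems = []
    for g in groups.values():
        for r in g.outbound:
            if not is_cidr(r.peer) and Rule(g.name, r.proto, r.port) not in groups[r.peer].inbound:
                problems.append(f"{g.name} -> {r.peer}:{r.port} egress has no matching ingress")
        for r in g.inbound:
            if not is_cidr(r.peer) and Rule(g.name, r.proto, r.port) not in groups[r.peer].outbound:
                problems.append(f"{r.peer} -> {g.name}:{r.port} ingress has no matching egress")
    return sorted(problems)


def find_exposed_admin_ports(groups: dict) -> list:
    """Inbound rules that open an administrative port to the whole Internet."""
    return sorted(
        f"{g.name}:{r.port} open to {ANY}"
        for g in groups.values()
        for r in g.inbound
        if r.peer == ANY and r.port in ADMIN_PORTS
    )


if __name__ == "__main__":
    groups = recommended_groups()
    print("unmatched rules:", find_unmatched(groups))
    print("exposed admin ports:", find_exposed_admin_ports(groups))
    # The "no static IP" variant from the bastion table is flagged:
    print("exposed (0.0.0.0/0 bastion):", find_exposed_admin_ports(recommended_groups(ANY)))
    # Dropping one side of a group-to-group pair is flagged too:
    groups["db"].inbound.discard(Rule("bastion", "tcp", 3306))
    print("unmatched after removal:", find_unmatched(groups))
```

Run as-is, the recommended set passes both checks; substituting 0.0.0.0/0 for the bastion source reports `bastion:22 open to 0.0.0.0/0`, and removing the database group's ingress from the bastion reports the orphaned bastion egress rule. The same two functions can be pointed at rules exported from a real account once they are loaded into the `Rule`/`SecurityGroup` shape.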