Search code examples
amazon-web-servicesamazon-ec2

AWS EC2 security group https vs tcp vs ssh

I am confused about configuring the EC2 security group settings.

There are three options (TCP, SSH, HTTPS) and each of them requires you to add an IP/port number.

For context, in my work I'm usually running Flask apps over EC2 and I only want particular people to view them. My question is understanding the difference between TCP, SSH, and HTTPs but more importantly which of these are important for me to configure.

Solution

  • Within the EC2 Console, under Security Groups:

    • SSH and HTTPS in the Type dropdown, are presets which set the port to 22 and 443 respectively.

    • TCP is the protocol. Both SSH and HTTPS are TCP.

    If you're running a server which you want to expose on a non standard port, you can select Custom TCP Rule, then set the port acordingly.

    You should probably have one security group that allows SSH traffic, then assign this security group to the EC2 instances you wish to shell into:

    enter image description here

    Then have a separate security group that allows the webserver traffic, in this case I also have one for port 80, aswell as 443:

    enter image description here

    Of course you will then need a server running on that EC2 instance to receive the traffic. This might be a reverse proxy like nginx, which then proxies traffic to the correct port for your app server (run your flask app with something like gunicorn in production).

    If nginx and gunicorn are running on the same box, and say gunicorn serves on port 8000, then you wouldn't need a security group for this as it's loopback traffic. Your nginx configuration points to port 8000.

    However if you have a separate EC2 instance running gunicorn, you might wish to set up a secuirty group for this to allow internal traffic from your VPC CIDR range:

    enter image description here

    I only want particular people to view them

    This is probably a job for authentication on the app, as oppose to security groups, unless you're certain of the public IPs from which you wish people to connect.

    In the above examples above a Source of 0.0.0.0/0 is allowing traffic from anywhere to reach that port. The console has a convenient dropdown which lets you set My IP if you only want to allow traffic from the IP you're using to connect to the console. Otherwise you'd need to manually calculate the CIDR blocks.

    Hope this helps. It probably raises more questions.