Enterprise geodatabase instance security

Access to the enterprise geodatabase (EGDB) instance is controlled by Amazon EC2 security group settings. For security reasons, use separate security groups for your EGDB and ArcGIS Server instances. The EGDB security group must allow inbound TCP connections on port 5432, the port the PostgreSQL server listens on, and the ArcGIS Server security group must be permitted to reach the EGDB instance on that port. Rather than opening port 5432 to any source address (0.0.0.0/0), specify the ArcGIS Server security group as the source of the inbound rule, so that only instances in that group can reach the database listener. See Common security group configurations for information on security group settings.

The AMI's Windows firewall includes an inbound rule that allows other machines to make TCP connections to the EGDB PostgreSQL database cluster on port 5432. If you use a different port number (the port setting in the cluster's postgresql.conf) or add another PostgreSQL database cluster listening on another port, you must alter this inbound rule, or add a matching one, to allow TCP connections on the new port; otherwise the Windows firewall drops those connections even though the security group permits them.

Access to the PostgreSQL database cluster can also be controlled by altering the pg_hba.conf file located in the PGDATA directory. Each record in pg_hba.conf specifies which client addresses may connect to which databases as which users, and with which authentication method; records are checked in order, and the first one that matches the connection attempt is used. By default, the EGDB AMI pg_hba.conf file is set up to allow any user from any machine to connect to the PostgreSQL database cluster. The security group and the Windows firewall already block rogue connection requests from outside, but pg_hba.conf is the only one of the three layers that is enforced by the database itself, so you can restrict it to the address ranges of your ArcGIS Server instances and to password authentication (md5) to further secure access to your PostgreSQL database cluster. See http://www.postgresql.org/docs/8.3/static/auth-pg-hba-conf.html (the documentation for the PostgreSQL 8.3 release) for more information on how to configure the pg_hba.conf file.
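The following script is an added example, not part of the ArcGIS documentation or the AMI. It parses a pg_hba.conf, reports the records that admit every source address or use a weak authentication method, and writes a tighter file that admits only the networks you name. The sample file at the top is constructed to resemble the "any user from any machine" default described above; the exact lines on the AMI may differ, and the 10.0.1.0/24 range used for the ArcGIS Server instances is an assumption.

```python
"""Audit a PostgreSQL pg_hba.conf for host records that are broader than the
hosts that actually need the enterprise geodatabase, and emit a tighter one.

Added example, not Esri's code. Assumptions: the sample below is constructed
to resemble the AMI's permissive default; the exact records may differ.
"""
import ipaddress

# Methods that should never appear on a network-reachable record:
# "trust" skips authentication entirely, "password" sends the password in cleartext.
WEAK_METHODS = {"trust", "password"}

# Constructed sample (assumption): an "allow everyone" pg_hba.conf.
DEFAULT_PG_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS      METHOD
host    all       all   127.0.0.1/32      md5
host    all       all   0.0.0.0/0         md5
host    all       all   ::/0              md5
"""


def parse_pg_hba(text):
    """Return one dict per record. Handles 'local' records (no address) and both
    address forms pg_hba.conf accepts: CIDR ("10.0.0.0/8") and
    address plus separate netmask ("10.0.0.0 255.0.0.0")."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        rtype, database, user = fields[0], fields[1], fields[2]
        if rtype == "local":
            network, rest = None, fields[3:]
        elif rtype in ("host", "hostssl", "hostnossl"):
            if "/" in fields[3]:
                network, rest = ipaddress.ip_network(fields[3], strict=False), fields[4:]
            else:  # address and netmask in separate columns
                network = ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False)
                rest = fields[5:]
        else:
            raise ValueError(f"line {lineno}: unknown record type {rtype!r}")
        rules.append({"lineno": lineno, "type": rtype, "database": database,
                      "user": user, "network": network, "method": rest[0],
                      "options": rest[1:], "raw": line})
    return rules


def audit(rules, allowed_cidrs):
    """Return (lineno, reason) pairs for records weaker than 'only the listed
    source networks, each with a real authentication method'."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for r in rules:
        if r["method"] in WEAK_METHODS:
            findings.append((r["lineno"], f"authentication method {r['method']!r}"))
        net = r["network"]
        if net is None:
            continue
        if net.prefixlen == 0:
            findings.append((r["lineno"], "matches every source address"))
        elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append((r["lineno"], f"source {net} is outside the allowed networks"))
    return findings


def hardened_pg_hba(allowed_cidrs, user="all", database="all"):
    """Build a pg_hba.conf that admits only the given source networks.
    md5 is used because it is the strongest method PostgreSQL 8.3 offers;
    on newer servers use scram-sha-256, and change 'host' to 'hostssl'
    once the server has SSL configured."""
    out = ["# TYPE  DATABASE  USER  CIDR-ADDRESS      METHOD"]
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        out.append(f"host    {database:<9} {user:<5} {str(net):<17} md5")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Assumption: ArcGIS Server instances live in 10.0.1.0/24; loopback stays for local admin.
    allowed = ["127.0.0.1/32", "10.0.1.0/24"]
    for lineno, reason in audit(parse_pg_hba(DEFAULT_PG_HBA), allowed):
        print(f"pg_hba.conf line {lineno}: {reason}")
    print(hardened_pg_hba(allowed))
```

Run it against the cluster's own PGDATA\pg_hba.conf before and after editing; the file is read only when the server starts or is reloaded, so a change takes effect only after a reload. Keep the loopback record so local administration keeps working, and list every ArcGIS Server subnet, because a connection that matches no record is rejected.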

Tip:

To allow the ping application to find the EGDB instance, the Windows firewall ICMP Echo Replies inbound rule has been enabled (the EGDB security group must also permit inbound ICMP echo requests for ping to work). You can disable this rule to stop the instance from answering ping without affecting enterprise geodatabase access, which uses TCP port 5432 only.

1/30/2013