Common security group configurations
An Amazon Elastic Compute Cloud (EC2) instance can only allow network traffic from sources and ports defined in its security group. When you use Amazon EC2, you need to set up some security groups that correspond to the types of things you'll be doing with your EC2 instances. This topic describes some common security groups you can configure for different ArcGIS Server deployments.
By default, a security group is completely locked down. You add rules to a security group specifying the type of traffic allowed, the ports it will be allowed through, and the computers from which communication will be accepted. The ports you decide to open and the type of traffic you need to allow depend on what you are doing with the instance.
The following are suggested security group names and rules that you can configure. Allowed ports and protocols may vary based on your organization's IT policies. The suggestions below use the most common port numbers. If your organization has an IT specialist, consider consulting them to devise the best security strategy for your EC2 instances.
ArcGIS Server Development
Consider creating a security group specifically for EC2 instances that are being used for development and testing purposes. This type of group could allow the following access:
- Remote Desktop Protocol (RDP) access through port 3389 for your IP address or a range of approved IP addresses within your organization. This allows you to administer your EC2 instance through Windows Remote Desktop. You must use Classless Inter-Domain Routing (CIDR) notation to specify a range of IP addresses (or one IP address) that can make connections. For example, 0.0.0.0/0 allows everyone to connect, whereas 92.23.32.51/32 allows one specific IP address to connect. Check with your system administrator if you need help obtaining the external-facing IP address of your local machine.
- HTTP access through port 80 for everyone.
- Access from other machines in this group. This will allow you to share files and make connections between your own machines. You can add a rule permitting this type of access by choosing the All ICMP rule type, entering your security group ID (for example, sg-xxxxxxxx) in the Source box, and clicking Add Rule. When you take this approach, the machines in your group can communicate with each other through all ports and protocols.
ArcGIS Server Production
Once you've developed and tested your application and are ready to move it to a production tier, it's a good idea to disable remote desktop access. If a problem occurs and you need to log in to the machine, you can temporarily change the security group configuration to allow yourself access. An ArcGIS Server Production group could allow the following access:
- HTTP access through port 80 for everyone
- Access from other machines in this group
ArcGIS Server Production Secure
If you want to require encrypted communication with your machine, you can use a rule to allow traffic on port 443 (typically used for SSL). The access would be as follows:
- HTTPS access through port 443 for everyone
- Access from other machines in this group
Enterprise Geodatabase
You can configure a security group specifically for your enterprise geodatabase EC2 instances that allows the following:
- RDP access through port 3389 for your IP address or a range of approved IP addresses within your organization. You need to remotely connect to your machine at least once to change the PostgreSQL default passwords. After this, you can remove remote desktop access from the security group if you want.
- Access from machines in your ArcGIS Server security group. This allows your ArcGIS Server cloud machines to view your cloud-based geodatabase. If machines not participating in your security groups need to connect to your geodatabase, you need to explicitly open port 5432, which allows communication with PostgreSQL.
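As an added example (not from the original documentation), the following Python script audits security group rules against the tiers described above: RDP (3389) must never be open to everyone, a production group should no longer carry an RDP rule at all, and database ports (5432, 1433) should only be reachable from another security group, never from 0.0.0.0/0. The rule dictionaries are constructed sample data shaped like the IpPermissions entries that boto3's describe_security_groups returns; no AWS calls are made.

```python
"""Audit EC2 security group rules against the tier recommendations above.

Input entries mimic boto3 IpPermissions dicts (constructed samples, no AWS calls).
"""
from typing import Iterable, List

ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS = {3389}        # RDP: only from approved CIDRs, never from everyone
DB_PORTS = {5432, 1433}     # PostgreSQL / SQL Server: group-to-group access only


def _covers(perm: dict, port: int) -> bool:
    """True if the rule permits TCP traffic to the given port ('-1' means all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_group(name: str, permissions: Iterable[dict], production: bool = False) -> List[str]:
    """Return human-readable findings for one security group's inbound rules."""
    findings = []
    for perm in permissions:
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        for port in sorted(ADMIN_PORTS):
            if _covers(perm, port) and ANYWHERE in cidrs:
                findings.append(f"{name}: port {port} (RDP) open to everyone")
            elif production and cidrs and _covers(perm, port):
                findings.append(f"{name}: production group still allows RDP from {sorted(cidrs)}")
        for port in sorted(DB_PORTS):
            if _covers(perm, port) and ANYWHERE in cidrs:
                findings.append(f"{name}: database port {port} open to everyone")
    return findings


# Constructed sample groups (not real AWS output), one per tier described above.
SELF = {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-xxxxxxxx"}]}  # group-to-group


def tcp(port: int, *cidrs: str) -> dict:
    """Build a single-port TCP rule with the given source CIDRs."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs]}


DEV_RULES = [tcp(3389, "92.23.32.51/32"), tcp(80, ANYWHERE), SELF]       # as recommended
PROD_RULES = [tcp(80, ANYWHERE), SELF, tcp(3389, "92.23.32.51/32")]      # RDP left enabled
GEODB_RULES = [SELF, tcp(5432, ANYWHERE)]                                # PostgreSQL exposed

if __name__ == "__main__":
    for group, rules, prod in (("dev", DEV_RULES, False), ("prod", PROD_RULES, True),
                               ("geodb", GEODB_RULES, False)):
        print(group, audit_group(group, rules, production=prod) or ["ok"])
```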
Commonly used ports
Following are some of the most common ports you may work with as you create security groups. Some of these ports you may not need to explicitly open; rather, you may just decide to give machines within your security group full access to each other. If you want to allow access from machines not participating in your security groups (for example, your desktop workstation in your office), you need to open specific port numbers.
| Port | Common purpose |
|---|---|
| 80 | HTTP access to IIS Web server |
| 443 | HTTPS access to IIS Web server |
| 445 | Windows file sharing |
| 1433 | Connections to Microsoft SQL Server |
| 3389 | Connections to Windows Remote Desktop |
| 5432 | Connections to PostgreSQL |