The first step is to configure your security groups.

I did not do this the first time around, and I ended up with a bunch of groups that were not clear and concise. Setting them up first keeps the flow of access organized through the rest of the setup.

I organize my AWS security groups into buckets to control the flow of access between services.

  • Public access to the Load Balancer
  • Internal access to all services
  • Load Balancer (ALB) to EC2
  • Private personal access to all services (my personal IP, and anyone else on my team that needs full access)

Security Groups

Public access: This security group creates an “entry point” into my cluster. But I really only want public traffic to reach the load balancer directly and never anything inside my VPC, such as EC2, Redis, or RDS.

This group accepts all IPv4 and IPv6 traffic from any source. I also open port 443 (SSL) just in case, even though I’m using Cloudflare for SSL termination; I do not see any security concern in having it enabled.

Internal access to all services: This security group could probably be more refined, but I didn’t see any security threat in allowing access between all services within my VPC. It also prevents accidental blocks between, say, EC2 and Redis, or EC2 and RDS.

Load Balancer to EC2: This security group exists because only the Load Balancer should reach EC2. Since the load balancer is the entry point for public traffic, that traffic never needs to go from the Load Balancer to Redis or any other backend service; it only needs to reach EC2, which is the web server.

Private access: This security group allows unfiltered access to services from a specific IP address or group of IPs. Whether it’s mine or anyone else’s who needs to reach something within the VPC, I want an easy way to whitelist someone without editing any of the instances manually. This group is applied to all services.

The security group I set up for public access is assigned strictly to the load balancer. That way, no public traffic can reach the EC2 instances directly.
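One way to check that a deployed set of groups still matches the four buckets above, as an added example that is not part of the original post: it reads groups in the shape boto3's `describe_security_groups` returns (constructed inline here, so it runs offline) and flags world-open ingress outside the public group, the public group attached to anything but the load balancer, an EC2 ingress source other than the load balancer's group, and private allow-list entries wider than one host. It assumes the Load Balancer to EC2 group references the public group (the one on the ALB) as its source; the group IDs, the attachment map and the `perm` helper are constructed for the example.

```python
from ipaddress import ip_network
WORLD = {"0.0.0.0/0", "::/0"}

def cidrs(perm):
    """All CIDR sources (IPv4 and IPv6) of one ingress permission."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]

def audit(groups, attachments, public_sg, ec2_sg, private_sg):
    """groups: describe_security_groups()['SecurityGroups']; attachments: resource
    name -> attached group IDs ("alb" is the load balancer). Returns findings."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}
    for gid, g in by_id.items():
        for p in g["IpPermissions"]:
            if WORLD & set(cidrs(p)):                 # reachable from the Internet
                if gid != public_sg:
                    findings.append(f"{gid}: world-open ingress outside the public group")
                elif p["IpProtocol"] != "tcp" or p.get("FromPort") not in (80, 443):
                    findings.append(f"{gid}: public group exposes more than tcp/80,443")
    for res, sgs in attachments.items():              # public group on the ALB only
        if public_sg in sgs and res != "alb":
            findings.append(f"{res}: carries public group {public_sg}")
    # Assumption: the EC2 group trusts only the load balancer's group as its source.
    for p in by_id[ec2_sg]["IpPermissions"]:
        if cidrs(p) or {u["GroupId"] for u in p.get("UserIdGroupPairs", [])} != {public_sg}:
            findings.append(f"{ec2_sg}: EC2 ingress source other than the load balancer")
    for p in by_id[private_sg]["IpPermissions"]:      # allow-list holds single hosts only
        for c in cidrs(p):
            net = ip_network(c)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{private_sg}: {c} is wider than one address")
    return findings

def perm(proto, port, v4=(), v6=(), sgs=()):          # one IpPermissions entry, boto3 shape
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

# Constructed sample: sg-ec2 also opens tcp/80 to the world and sg-private uses a /24.
SAMPLE_GROUPS = [
    {"GroupId": "sg-public", "IpPermissions": [perm("tcp", 80, ["0.0.0.0/0"], ["::/0"]),
                                               perm("tcp", 443, ["0.0.0.0/0"], ["::/0"])]},
    {"GroupId": "sg-internal", "IpPermissions": [perm("-1", -1, sgs=["sg-internal"])]},
    {"GroupId": "sg-ec2", "IpPermissions": [perm("tcp", 80, sgs=["sg-public"]),
                                            perm("tcp", 80, ["0.0.0.0/0"])]},
    {"GroupId": "sg-private", "IpPermissions": [perm("-1", -1, ["203.0.113.0/24"])]},
]
SAMPLE_ATTACHMENTS = {"alb": ["sg-public"], "ec2": ["sg-ec2", "sg-internal", "sg-private"]}
```

Running `audit(SAMPLE_GROUPS, SAMPLE_ATTACHMENTS, "sg-public", "sg-ec2", "sg-private")` on the sample returns three findings; on a real account, feed it the output of `describe_security_groups` and a map of which groups sit on the ALB and each instance.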