Tightening AWS security group created for VPC Router?


Ben West

Oct 9, 2015, 2:10:21 PM
to scalr-discuss
I noticed these inbound rules on the scalr.vpc-router security group which Scalr creates for VPC Router instances deployed in AWS:

Type              Protocol  Port Range   Source
All TCP           TCP       0 - 65535    <VPC CIDR>
Custom TCP Rule   TCP       8008 - 8013
All UDP           UDP       0 - 65535    <VPC CIDR>
HTTPS             TCP       443
HTTP              TCP       80

This looks like the actual code which creates the security group:
https://github.com/Scalr/scalr/blob/66bd5c221bd661aa15d536d2899c0f304192aa3b/app/src/Scalr/UI/Controller/Tools/Aws/Vpc.php#L298

Are these hard-coded inbound rules that open ports 80, 443, and 8008-8013 entirely to the outside intended for situations where a Scalr server sits in the private subnet behind the VPC Router?  Otherwise, these rules appear to be unnecessarily permissive.

I changed the rules for those ports to only allow traffic from the external IP of my Scalr server's endpoint host, and things worked fine.  I.e., could launch and terminate machines in the private subnet w/o apparent issue.

Is it possible to customize the security group created for VPC Routers in Scalr, rather than doing so afterwards in AWS?
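As an added example (not Scalr's code, and not part of the original post), here is a small audit of the inbound rules quoted above in the shape boto3's describe_security_groups() returns: it flags every rule whose source is the whole Internet and rewrites those sources to a single trusted CIDR, which is the change described in the post. The VPC CIDR, the Scalr endpoint address and the 0.0.0.0/0 sources on the 80/443/8008-8013 rows are constructed assumptions.

```python
from ipaddress import ip_network

WORLD = {"0.0.0.0/0", "::/0"}  # sources that mean "anyone on the Internet"

# Constructed sample mirroring the scalr.vpc-router rules quoted above;
# the VPC CIDR and the Scalr endpoint address are assumptions, not page values.
VPC_CIDR = "10.0.0.0/16"
SCALR_ENDPOINT = "203.0.113.10/32"  # placeholder from the documentation range
VPC_ROUTER_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": VPC_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 8008, "ToPort": 8013, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": VPC_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def world_open_rules(permissions):
    """(protocol, from_port, to_port) for each rule reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in permissions:
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(cidr in WORLD for cidr in ranges):
            # FromPort/ToPort are absent for IpProtocol "-1" (all traffic)
            findings.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return findings

def tighten(permissions, trusted_cidr):
    """Copy of the rule list with every world-open IPv4 source replaced by trusted_cidr."""
    ip_network(trusted_cidr)  # raises ValueError on a malformed CIDR before touching any rule
    tightened = []
    for perm in permissions:
        new = dict(perm)
        new["IpRanges"] = [
            {"CidrIp": trusted_cidr} if r["CidrIp"] in WORLD else dict(r)
            for r in perm.get("IpRanges", [])
        ]
        # the trusted source here is IPv4, so world-open IPv6 entries are simply dropped
        new["Ipv6Ranges"] = [dict(r) for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] not in WORLD]
        tightened.append(new)
    return tightened

if __name__ == "__main__":
    for proto, lo, hi in world_open_rules(VPC_ROUTER_INGRESS):
        print(f"open to the world: {proto} {lo}-{hi}")
    for perm in tighten(VPC_ROUTER_INGRESS, SCALR_ENDPOINT):
        print(perm["IpProtocol"], perm["FromPort"], perm["ToPort"], [r["CidrIp"] for r in perm["IpRanges"]])
```

The rewritten list is in the same shape the EC2 API accepts, so it can be applied with revoke/authorize calls once the intra-VPC rules have been confirmed to stay untouched.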

Igor Savchenko

Oct 13, 2015, 6:09:15 PM
to scalr-discuss
Unfortunately, right now you can customize the group only once it has already been created (you can do this via the SG manager in Scalr). In the future we will improve the VPC router experience and make the rules configurable before SG creation.

Regards,
Igor