Notes on security groups (EC2 firewall)

In the quick start guide I asked you to skip the EC2 configuration details. If you didn’t follow that advice and messed up “Step 6: Configure Security Group”, you might have trouble connecting to your EC2 instance over ssh. (A misconfigured security group is probably the most common reason why you cannot ssh to your server. For other possible causes, see troubleshooting EC2 connection.)

In Step 6, a new “security group” is created by default, with a name of the form “launch-wizard-x”:

../_images/choose_security_group.png

A security group controls which IPs are allowed to reach your server, and on which ports. As the warning message in the screenshot above says, the default setting allows any IP to connect (the range “0.0.0.0/0” stands for all IPv4 addresses and is equivalent to selecting “Anywhere” under “Source”), but only for SSH connections (recall that 22 is the port number for SSH). This is generally fine, since anyone connecting also needs your EC2 key pair in order to log in. You can further set “Source” to “My IP” to add one more layer of security: then your friend won’t be able to reach your server from their own IP even if they have a copy of your EC2 key pair.

However, if you messed it up, say by selecting the “default” security group:

../_images/default_security_group.png

In this case, what’s under the “Source” option is the ID of the default security group itself, so the rule only admits traffic from other instances that are in that same group. This means NO external IPs are allowed to connect to that server, and you won’t be able to ssh to it from your own computer.

If you’ve already messed it up and launched the EC2 instance, right-click on the instance in the console and choose “Networking” > “Change Security Groups” to assign a more permissive security group.

../_images/change_security_group.png

You can view existing security groups in the “Security Groups” page in the EC2 console:

../_images/security_group_console.png

If you’ve launched multiple EC2 instances following the exact steps in the quick start guide and always skipped “Step 6: Configure Security Group”, you will see multiple security groups named “launch-wizard-1”, “launch-wizard-2”, … They are created automatically each time you launch a new EC2 instance. They all have exactly the same settings (allow SSH connections from all IPs), so you only need to keep one (delete the others) and select it in “Step 6: Configure Security Group” when launching an EC2 instance. You can also modify an existing security group by right-clicking on it and choosing “Edit inbound rules”.
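The three situations above (SSH open to “Anywhere”, SSH restricted to “My IP”, and the self-referencing “default” group) and the duplicate “launch-wizard-x” groups can all be checked offline from the JSON that `aws ec2 describe-security-groups --output json` returns. The script below is an added example written for these notes, not code from the tutorial or from AWS: the input format is the real CLI’s “SecurityGroups” list, but the four groups, their IDs, the account ID and the client addresses are a constructed sample, and the function names (`can_connect`, `duplicate_groups`, `groups_open_to_world`) are mine.

```python
"""Offline checks on EC2 security group inbound rules, in the shape returned by
`aws ec2 describe-security-groups` ("SecurityGroups" list). Everything below is a
constructed sample: group IDs, account ID and client IPs are placeholders."""
import ipaddress

SSH_PORT = 22

# The single rule the launch wizard creates by default: SSH from anywhere.
_SSH_ANYWHERE = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []}

# Constructed sample covering the tutorial's cases: two identical launch-wizard
# groups, a "My IP" variant, and the VPC default group that references itself.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0000000000001", "GroupName": "launch-wizard-1",
     "IpPermissions": [_SSH_ANYWHERE]},
    {"GroupId": "sg-0aaa0000000000002", "GroupName": "launch-wizard-2",
     "IpPermissions": [_SSH_ANYWHERE]},
    {"GroupId": "sg-0aaa0000000000003", "GroupName": "my-ip-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.5/32"}], "Ipv6Ranges": [],
                        "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0aaa0000000000004", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000000000004",
                                              "UserId": "123456789012"}]}]},
]

def group_by_name(groups, name):
    return next(g for g in groups if g["GroupName"] == name)

def _covers_port(perm, port):
    """True if an inbound permission applies to TCP `port` ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    return proto == "-1" or (proto == "tcp" and
                             perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def can_connect(group, client_ip, port=SSH_PORT):
    """Return (allowed, explanation) for `client_ip` reaching `port` through `group`.
    Rules are allow-only, so any matching CIDR suffices. A rule whose source is a
    security group never matches an external address (hence the "default" lockout)."""
    ip = ipaddress.ip_address(client_ip)
    range_key, cidr_key = (("IpRanges", "CidrIp") if ip.version == 4
                           else ("Ipv6Ranges", "CidrIpv6"))
    notes = []
    for perm in group["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        for entry in perm.get(range_key, []):
            if ip in ipaddress.ip_network(entry[cidr_key], strict=False):
                return True, f"allowed by {entry[cidr_key]}"
        for pair in perm.get("UserIdGroupPairs", []):
            notes.append(f"source is security group {pair['GroupId']}, "
                         "which only matches instances in that group")
    return False, "; ".join(notes) or f"no inbound rule covers tcp/{port}"

def normalize_rules(group):
    """Order-insensitive, hashable form of a group's inbound rules. A source that
    is the group itself is recorded as "self" so two such groups compare equal."""
    rules = set()
    for perm in group["IpPermissions"]:
        head = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        for r in perm.get("IpRanges", []):
            rules.add(head + ("cidr", r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add(head + ("cidr6", r["CidrIpv6"]))
        for p in perm.get("PrefixListIds", []):
            rules.add(head + ("pl", p["PrefixListId"]))
        for p in perm.get("UserIdGroupPairs", []):
            src = "self" if p["GroupId"] == group["GroupId"] else p["GroupId"]
            rules.add(head + ("sg", src))
    return frozenset(rules)

def duplicate_groups(groups):
    """Sets of group names with identical inbound rules (e.g. launch-wizard-1/-2)."""
    by_rules = {}
    for g in groups:
        by_rules.setdefault(normalize_rules(g), []).append(g["GroupName"])
    return sorted(sorted(n) for n in by_rules.values() if len(n) > 1)

def groups_open_to_world(groups, port=SSH_PORT):
    """Names of groups exposing `port` to "Anywhere" (0.0.0.0/0 or ::/0)."""
    names = set()
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if _covers_port(perm, port) and any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                names.add(g["GroupName"])
    return sorted(names)

if __name__ == "__main__":
    for name in ("launch-wizard-1", "my-ip-only", "default"):
        print(name, can_connect(group_by_name(SAMPLE_GROUPS, name), "198.51.100.7"))
    print(duplicate_groups(SAMPLE_GROUPS), groups_open_to_world(SAMPLE_GROUPS))
```

On the sample, `can_connect` reports the launch-wizard group as reachable from any IPv4 address, the “my-ip-only” group as reachable only from 203.0.113.5, and the “default” group as blocked because its source is a security group rather than an IP range; `duplicate_groups` returns the two identical launch-wizard groups, which is the cleanup case described above. To run it against a real account, replace `SAMPLE_GROUPS` with the “SecurityGroups” list from the CLI output. One caveat when using “My IP”: the console records your public address at that moment as a single /32, so if your address changes you will need to edit the inbound rule before you can ssh in again.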

That’s all you need to know about security groups. Unlike local HPC clusters, which can enforce strict access control at the institutional level, cloud servers are exposed to the entire Internet and thus need more elaborate security settings to cover different situations. For example, do you plan to access the server only from your own computer, to open access to your group members, or even to open it to a broader public? This complexity can be a bit confusing for beginners.