This post tries to address an approach to replicating corporate-style DMZ configurations using Amazon EC2 components.
Conventional (non-cloud) Network configuration for hosting internet facing applications
Most internet applications are deployed on servers placed in secured demilitarized zones.
A DMZ's main function is to restrict the extent of an attack should systems be compromized.
Typically, there would be a main firewall that allows traffic from the internet only to web servers on a particular port. Subsequent to that there could possibly be firewalls that isolate application servers, database and reporting servers etc.
An example of this configuration is shown below. It consists of a Web DMZ hosting only web servers accessible from the internet via port 80. The application servers are placed after the second firewall and cannot receive traffic from any other source other than the web servers. The traffic is only restricted to port 8009 and only in one direction. The database servers are behind the third firewall and can only receive traffic from the application servers on port 3128.
For monitoring and management, all machines in the network have been allowed access on port 22 from machines internal to the company.
Cloud Network configuration for hosting internet facing applications
The first thing to realize is that a Security Group is quite similiar to a firewall configuration specifying the allowed protocol (tcp/udp), port/port range, traffic direction and source network. The only real difference is that Security Groups currently only support the ALLOW sematics (not the DENY), but this is quite sufficient as we shall see.
Once a Security Group is created, it can be associated to a server instance. In reality, the Security Group/s have to be specified for an instance before it can be instantiated.
They say that a picture is worth a thousand words, but I don't think that includes code.
The following depicts the configuration of Amazon's EC2 Security Groups to replicate the above DMZ configurations.
The simplest approach to achieve this is as follows:
Conventional (non-cloud) Network configuration for hosting internet facing applications
Most internet applications are deployed on servers placed in secured demilitarized zones.
A DMZ's main function is to restrict the extent of an attack should systems be compromized.
Typically, there would be a main firewall that allows traffic from the internet only to web servers on a particular port. Subsequent to that there could possibly be firewalls that isolate application servers, database and reporting servers etc.
An example of this configuration is shown below. It consists of a Web DMZ hosting only web servers accessible from the internet via port 80. The application servers are placed after the second firewall and cannot receive traffic from any other source other than the web servers. The traffic is only restricted to port 8009 and only in one direction. The database servers are behind the third firewall and can only receive traffic from the application servers on port 3128.
For monitoring and management, all machines in the network have been allowed access on port 22 from machines internal to the company.
Cloud Network configuration for hosting internet facing applications
The first thing to realize is that a Security Group is quite similiar to a firewall configuration specifying the allowed protocol (tcp/udp), port/port range, traffic direction and source network. The only real difference is that Security Groups currently only support the ALLOW sematics (not the DENY), but this is quite sufficient as we shall see.
Once a Security Group is created, it can be associated to a server instance. In reality, the Security Group/s have to be specified for an instance before it can be instantiated.
They say that a picture is worth a thousand words, but I don't think that includes code.
The following depicts the configuration of Amazon's EC2 Security Groups to replicate the above DMZ configurations.
The simplest approach to achieve this is as follows:
- Map each DMZ to a Security Group
- Create the Security Groups in EC2 using the ec2-add-group API
- Authorize access (port, port-range, direction, source group/CIDR) using the ec2-authorize API
- Create instances using these security groups
Example: Web DMZ, App DMZ and DB DMZ
//create groups / zones
ec2-add-group web-dmz -d "Web DMZ"
ec2-add-group app-dmz -d "Application DMZ"
ec2-add-group db-dmz -d "Database DMZ"
//Allow admin access to all the servers
ec2-authorize web-dmz -P tcp -p 22 -s 0.0.0.0/0
ec2-authorize app-dmz -P tcp -p 22 -s 0.0.0.0/0
ec2-authorize db-dmz -P tcp -p 22 -s 0.0.0.0/0
//Allow access to the site from anywhere on the internet
ec2-authorize web-dmz -P tcp -p 80 -s 0.0.0.0/0
//Allow access from Web DMZ to Application DMZ on port 8009 only
ec2-authorize app-dmz -o web-dmz -u xxxxxxxxxxxx -P tcp -p 8009
//Allow access from Application DMZ to Database DMZ on port 3128 only
ec2-authorize db-dmz -o app-dmz -u xxxxxxxxxxxx -P tcp -p 3128
//Create instances and assign them to DMZs
ec2-run-instances ami-cef405a7 -z us-east-1d -t t1.micro -g web-dmz
ec2-run-instances ami-cef405a7 -z us-east-1d -t t1.micro -g app-dmz
ec2-run-instances ami-cef405a7 -z us-east-1d -t t1.micro -g db-dmz
Post a Comment