Opening an Amazon EC2 security group for ArcGIS Server
Amazon provides security groups that allow you to specify who can connect to your EC2 instances. When you build a site using ArcGIS Server Cloud Builder on Amazon Web Services, a security group is created for you, and HTTP access is granted. However, if you intend to work with your EC2 instances using Remote Desktop Connection or SSH, you must add rules allowing those types of connections.
If you are building a site and Cloud Builder detects that you have a security group named arcgis-<site name>, it will apply that security group instead of creating a new one. This behavior means that you can potentially create and configure a security group as described below before you build a site.
If you are building your site manually using the AWS Management Console, you must create a security group yourself and add Remote Desktop and SSH rules. Additionally, you must add an HTTP access rule in order for users to access your web services. Finally, you need to allow all instances in your security group to access each other. This entire process is described below.
- Sign in to the AWS Management Console and display the page for the EC2 region hosting your site.
- On the left menu, click Security Groups.
- Check the check box next to the security group you want to modify, then click the Inbound tab to examine the list of allowed connections.
- If you are using a Windows instance, use the drop-down lists and text boxes to add RDP as an allowed connection. This opens port 3389. You'll also need to supply a range of IP addresses that are allowed to make this connection, using Classless Inter-Domain Routing (CIDR) notation. For example, 0.0.0.0/0 allows everyone to connect (not recommended for security purposes), whereas 92.23.32.51/32 allows one specific IP address to connect.
Click Add Rule to add this allowed connection.
- If you are using a Linux instance, use the drop-down lists and text boxes to create a new Custom TCP rule allowing access to port 22 from an approved IP address or range of IPs. This allows you to interact with your instance through SSH.
Click Add Rule to add this allowed connection.
Note:If you built your site using ArcGIS Server Cloud Builder on Amazon Web Services, the next three rules were added automatically. You can click Apply Rule Changes and exit this topic.
- Add a Custom TCP rule with port 6080 as an allowed connection. Optionally, specify a range of IP addresses that are allowed to make this connection, then click Add Rule.
- If you'll be using an encrypted connection, add a Custom TCP rule with port 6443 as an allowed connection. Optionally, specify a range of IP addresses that are allowed to make this connection, then click Add Rule.
- Add a rule to allow all EC2 instances within your group full access to each other. To do this, choose All ICMP. Then, in the Source text box, type the Group ID of the security group that you are currently editing (for example sg-xxxxxxxx) and click Add Rule.
If you don't know the ID of your security group, you can switch back to the Details tab to see it, but be aware that this will erase the other rules you've set if you have not yet clicked Apply Rule Changes.
- If you have not yet done so, click Apply Rule Changes. Your rule changes take effect immediately.
See Common security group configurations to learn more about these security rules and when to adjust them.