brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Downer <>
Subject AWS self-referencing security groups
Date Tue, 17 Mar 2015 11:26:31 GMT

AWS has a feature where a security group can include a rule that
allows a security group ID, instead of allowing an IP address. Any
instance which is a member of the security group matches the rule and
its traffic is permitted according to the rule.

A very useful thing you can do with this is add the security group's
*own* ID to itself and set it to allow all TCP/UDP/ICMP packets. Then,
all instances that are a member of this security group have
unrestricted access to each other, a bit like a private subnet.
However external access is still firewalled off unless IP-based rules
are also added to the security group as usual.

Is there any way we can take advantage of this pattern in Brooklyn? So
that all of the entities inside an application have unrestricted
access to each other but external access is still regulated?

Looking at jclouds, it's possible to pass a security group in the
EC2TemplateOptions, but this then disables jclouds' processing of
inboundPorts. So it's an all-or-nothing approach: either jclouds
manages the security group for us, or it does nothing and it's up to
the app to fully manage the security group, so we'd end up duplicating
code that opens the inbound ports.

Any other thoughts?


View raw message