By default, the ingress and egress settings allow all traffic. Some organizations have compliance requirements that oblige them to tune the ingress settings so that only certain ports are allowed and all other traffic is blocked. This guide covers exactly how to do this.
Assumptions:
This guide assumes the reader has set up their AWS integration and has deployed servers to a cluster.
Cycle and AWS VPCs
AWS limits VPCs to a single region. After connecting the AWS account to the hub and deploying a server, the platform creates its own new VPC in that region. When deploying to multiple regions, multiple VPCs are created on the AWS side; this is an AWS pattern, not a Cycle-specific one.
This guide also covers setting these rules at the VPC default security group layer as it's the most practical way to constrain these settings across the VPC without creating a mess.
Configuration Settings
Once the AWS integration has been added and some servers are online in the region to be worked in, the VPC security group can be altered.
From the AWS Console, navigate to the VPC resource page and then select the region from the list. On this page the Cycle VPC will be named with the pattern:
Cycle VPC (HubID)
For example: Cycle VPC (45abbb8936badc5088b31234)
Please note the VPC ID and then select the Security Groups option from the main, left-hand navigation (listed under the Security grouping).
From the list of security groups select the security group that matches the ID from the Cycle VPC.
Scroll down the next page to where Inbound rules and Outbound rules show on the horizontal navigation.
Select Inbound rules if it's not selected by default and click on Edit inbound rules.
The following is an example of a viable configuration. Technically, everything marked optional is... optional. However, it is strongly suggested to open ingress for HTTP/HTTPS connections if there is a plan to run publicly available workloads in this VPC / region.
| Protocol | Port range | Source | Description |
|---|---|---|---|
| TCP | 2177 | the security group you're editing | Node to Node Compute Mesh |
| UDP | 4789 | the security group you're editing | vxlan |
| All | All | the security group you're editing | VPC Traffic |
| TCP | 80 | 0.0.0.0/0 | HTTP Ingress - optional |
| TCP | 80 | ::/0 | HTTP Ingress - optional |
| TCP | 443 | 0.0.0.0/0 | HTTPS Ingress - optional |
| TCP | 443 | ::/0 | HTTPS Ingress - optional |
| TCP | 1194 | 0.0.0.0/0 | Environment VPN Connection - optional |
| TCP | 1194 | ::/0 | Environment VPN Connection - optional |
| TCP | 8812 | 0.0.0.0/0 | VPN File Download - optional |
| TCP | 8812 | ::/0 | VPN File Download - optional |
| TCP | 2222 | 0.0.0.0/0 | SSH - optional |
| TCP | 2222 | ::/0 | SSH - optional |
| TCP | 2022 | 0.0.0.0/0 | SFTP - optional |
| TCP | 2022 | ::/0 | SFTP - optional |
If there are services that must be reachable externally on other ports, for example 8080, add an entry for each such port to the list in the same way.
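As an added check that is not part of the original guide: the script below compares a security group's inbound rules, in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API (boto3 or `aws ec2 describe-security-groups`), against the table above, reporting any missing node-to-node rule and any world-open port the table does not list. The group id and the permissions it runs on are constructed sample data, not values from a real account.

```python
# Audit a Cycle VPC security group's inbound rules against the guide's table.
# Input is the IpPermissions list as returned by EC2 DescribeSecurityGroups,
# so live API output can be dropped in place of the constructed sample.

# Rules every node needs, sourced from the security group itself.
# Port None stands for AWS protocol "-1" (all traffic).
REQUIRED_SELF = {("tcp", (2177, 2177)), ("udp", (4789, 4789)), ("-1", None)}

# The only ports the guide allows to be open to the world (0.0.0.0/0, ::/0).
OPTIONAL_PUBLIC = {("tcp", (p, p)) for p in (80, 443, 1194, 8812, 2222, 2022)}
WORLD = {"0.0.0.0/0", "::/0"}


def flatten(ip_permissions):
    """Expand IpPermissions entries into (protocol, port_range, source) tuples.
    One entry may carry several CIDRs and group refs; "-1" carries no ports."""
    rules = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        ports = None if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        rules += [(proto, ports, src) for src in sources]
    return rules


def audit_inbound(ip_permissions, group_id):
    """Return (missing required self-rules, world-open rules not on the optional list)."""
    present_self = set()
    unexpected_public = []
    for proto, ports, src in flatten(ip_permissions):
        if src == group_id:
            present_self.add((proto, ports))
        elif src in WORLD and (proto, ports) not in OPTIONAL_PUBLIC:
            unexpected_public.append((proto, ports, src))
    missing = sorted(REQUIRED_SELF - present_self, key=str)
    return missing, unexpected_public


# Constructed sample: vxlan rule missing, SSH on 22 opened to the IPv4 world.
SAMPLE_SG_ID = "sg-0example0000000000"  # placeholder, not a real group id
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 2177, "ToPort": 2177,
     "UserIdGroupPairs": [{"GroupId": SAMPLE_SG_ID}]},
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": SAMPLE_SG_ID}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

Calling `audit_inbound(SAMPLE_PERMISSIONS, SAMPLE_SG_ID)` on the sample reports the missing UDP 4789 self-rule and the TCP 22 rule open to 0.0.0.0/0; rules from narrower CIDRs or other groups are not flagged and should be reviewed by hand.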