This document details best practices to configure Security Groups in AWS for Xpand. Using the default Security Group Firewall Settings provided by Amazon can get customers up and running quickly, but these settings do not provide the best database network security. Before you put critical data into your Xpand or use it in production, Xpand strongly recommends that you understand and implement the network security guidelines described here.

Designing an AWS Security Group for maximum security will minimize risk with the following strategies:

- Configure a Locked Down Security Group
- Ports Required for Xpand
- Use a VPC

The security group configuration described on this page will secure your cluster whether it is deployed in EC2 or a VPC. However, there are some important security differences between EC2 and VPC to consider:

For the security reasons above, we strongly recommend deploying Xpand in a VPC.

Deploy within a Security Group

AWS EC2 Security Groups support securing these ports so they can only be accessed by members of the Security Group used by your Xpand nodes. If you have successfully formed an Xpand cluster in AWS, you already have rules that refer to these ports in your Security Group, although they may not be restricted only to Security Group members.

If you desire access to these ports for administrative or testing purposes, you can log into any of the database nodes with SSH first, then run commands that require access to any of these ports from there.

To secure these ports, simply replace your current Security Group rules that refer to the ports listed above with new rules that list the Security Group ID instead of a network range. The example below shows the steps to replace open rules for TCP port 2048 with self-referencing rules. Perform the same steps for each of the ports listed to complete the secure intra-node configuration.

In order to completely set up your security group, you will need to gather the following information: 

To learn how to create and manage your security groups in either EC2 or VPC, visit the documentation for Amazon EC2 Security Groups for Linux Instances.

Secure back-end TCP and UDP Ports for intra-node communication

Xpand nodes use a series of ports for node-to-node communication. We call them the back-end ports, as they only need to be opened between the nodes of the cluster. Back-end communication can be isolated to a dedicated network subnet, although this is not required.

Back-end ports are listed above. For all nodes in the cluster, these ports need to be reachable from all the other cluster nodes. Since the security group is dedicated to the nodes of the cluster, we can allow access from all resources assigned to that security group. This is described as a self-referencing rule: for group A, allow access to port X when the source is group A. This allows for a much simpler security group configuration.

Secure front-end TCP ports for Application and Administrative Access

There are 3 TCP network ports that are used to access your Xpand from your database application and for day-to-day administration: 80, 22, and 3306.

In a typical secure configuration, you will limit access to TCP Ports 80 and 22 to the network CIDR range that maps to the public IPs for your administrative clients (typically exposed through your firewall), and you will limit access to TCP Port 3306 to your administrative client CIDR range and also to the range of IPs used by your application servers (if they are outside your firewall).

Secure Xpand Intra-Node TCP and UDP Ports

This example will walk you through securing one of the ports used for Xpand intra-node communication, namely TCP port 2048. Securing the other ports used for intra-node communication is done in a similar fashion.

For this example, assume that the Security Group rules used for your Xpand AWS instances look similar to the following before modifying them for a secure configuration. Note that in this example, all of the required ports are open to all networks. The goal of this step is to limit this access.

Step 1 - Identify the Security Group

Find the Security Group ID of the Security Group being used by your Xpand instances. In the EC2 Management Console, navigate to NETWORK & SECURITY -> Security Groups, and select the Security Group from the list. You will find the Security Group ID on the Details tab, as shown below.

Step 2 - Create a custom TCP Rule

Select the Inbound tab to view the Security Group rules, and delete the current rule referring to TCP port 2048 by clicking the Delete Action. The Action will now change to Undelete as shown below.


Step 3 - Specify a self-referencing rule

Be sure Custom TCP rule is selected for "Create a new rule:", and specify the new self-referencing rule by specifying the Security Group ID for the Source, and 2048 for the port range. Then add it by clicking Add Rule as shown below.


Step 4 - Apply Rule Changes

Your rule changes will now be reflected as in the highlighted rows below. Finally, click Apply Rule Changes to update the Security Group.


The Security Group Inbound rules will now look like the following.


If you have running EC2 instances that use the updated Security Group, the changes will typically be applied to them within a few moments. There can be a momentary loss of connectivity between running instances when Security Group rules are changed, which may be noticeable within XpandGUI.

Step 5 - Create more Custom Rules

Once you have completed the rule changes for TCP port 2048, continue to make the same changes for TCP ports 22, 80, 2424, and 24378 and for UDP port 24378. Once you have made the changes for all of the intra-node communication ports, your Security Group rules will look similar to the following, with your Security Group ID substituted for the one in the example.

Limit Xpand Application and Administrative Access

There are 3 TCP network ports that are used to access your Xpand from your database application and for day-to-day administration: 80, 22, and 3306.

TCP Port 80 is used to access the XpandGUI Administration UI.

TCP Port 22 is used to access the command line for advanced management and configuration tasks.

TCP Port 3306 is used to access the Xpand using the MySQL protocol, typically from your front-end application and by your Database Administrators for development and management purposes.

In a typical secure configuration, you will limit access to TCP Ports 80 and 22 to the network CIDR range that maps to the public IPs for your administrative clients (typically exposed through your firewall), and you will limit access to TCP Port 3306 to your administrative client CIDR range and also to the range of IPs used by your application servers (if they are outside your firewall).

Limit External Access to Your Administrative Clients and Application Servers

This example will walk you through locking down one of the ports used for administrative and application access, namely TCP port 3306, the MySQL protocol port. Locking down the other ports used for administrative access is done in a similar fashion. We chose port 3306 for the example to demonstrate locking down ports to both administrative clients and application servers. For the other ports, you will typically only need to lock down access to your administrative clients.

Assume that the Security Group rules used for your Xpand AWS instances look similar to what was configured in the last example. Notice that all of the ports required for external access are open to all networks.

For this example, assume that your administrative clients are NAT'd to a single public IP defined by 66.211.103.164/32, and that your application servers all reside on a single public network defined by 99.114.137.0/27. You will substitute the appropriate network ranges for your administrative clients and application servers. Using the procedures described in the previous example, we will replace the rule for TCP port 3306 with 2 new rules to expose the Xpand nodes only to clients on the two specified networks.

Step 1 - Delete default configuration

Select the Inbound tab to view the Security Group rules, and delete the current rule referring to TCP port 3306 by clicking the Delete Action. The Action will now change to Undelete as shown below.

Step 2 - Create a new MySQL Rule

Be sure MySQL is selected for "Create a new rule:", and specify the new rule by specifying the first network range for the Source, and 3306 for the port range. Then add it by clicking Add Rule as shown below.

Your TCP rules will now look like the following.

Step 3 - Configure additional network ranges for MySQL

Be sure MySQL is selected for "Create a new rule:", and specify the new rule by specifying the second network range for the Source, and 3306 for the port range. Then add it by clicking Add Rule, after which your rules will look like the following.

Step 4 - Apply Rule Changes

Finally, click Apply Rule Changes to commit the new rules into the Security Group.

Step 5 - Review Final Security Group Configuration

In the previous section, ports 80 and 22 have already been opened to the Security Group itself. Now we need to add rules for HTTP and SSH with the CIDR range for your administrative clients, in this example assumed to be 66.211.103.164/32. When you are done, you will have Security Group rules that look similar to the following, with the changed rules highlighted.
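The two procedures on this page (self-referencing rules for the intra-node ports in "Secure Xpand Intra-Node TCP and UDP Ports", and CIDR-restricted rules for ports 22, 80 and 3306 in "Limit External Access to Your Administrative Clients and Application Servers") are easy to get subtly wrong by hand, so it helps to express the intended end state as a policy and audit the resulting group against it. The following is an added example written for this page; it is not part of the original document or of Xpand's own tooling. It assumes a placeholder Security Group ID, uses the page's example CIDR ranges, and audits a constructed sample in the shape of `aws ec2 describe-security-groups` output, so it runs offline. `desired_permissions` produces the IpPermissions structure that boto3's `authorize_security_group_ingress` (or the AWS CLI `--ip-permissions` option) accepts, so the same policy can drive both configuration and review.

```python
import ipaddress

SG_ID = "sg-0123456789abcdef0"           # placeholder Security Group ID (assumed)
ADMIN_CIDR = "66.211.103.164/32"          # administrative clients (page's example range)
APP_CIDR = "99.114.137.0/27"              # application servers (page's example range)
SELF = "self"                             # marker: the source is the group itself
WORLD = {"0.0.0.0/0", "::/0"}

# Port policy taken from this page: (protocol, port) -> allowed sources.
POLICY = {
    ("tcp", 2048): {SELF},                  # intra-node only (self-referencing)
    ("tcp", 2424): {SELF},
    ("tcp", 24378): {SELF},
    ("udp", 24378): {SELF},
    ("tcp", 22): {SELF, ADMIN_CIDR},        # SSH: nodes plus admin clients
    ("tcp", 80): {SELF, ADMIN_CIDR},        # XpandGUI: nodes plus admin clients
    ("tcp", 3306): {ADMIN_CIDR, APP_CIDR},  # MySQL: admin clients plus app servers
}


def make_perm(proto, lo, hi, cidrs=(), groups=()):
    """Build one IpPermissions entry (the describe/authorize API shape)."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


def desired_permissions(group_id, policy=POLICY):
    """Translate the policy into the IpPermissions list to authorize on group_id."""
    perms = []
    for (proto, port), sources in sorted(policy.items()):
        cidrs = [s for s in sorted(sources) if s != SELF]
        groups = [group_id] if SELF in sources else []
        perms.append(make_perm(proto, port, port, cidrs, groups))
    return perms


def rule_sources(perm, own_id):
    """Flatten a permission's sources into SELF, 'sg:<id>' or CIDR strings."""
    out = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    out += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    for pair in perm.get("UserIdGroupPairs", []):
        gid = pair.get("GroupId")
        out.append(SELF if gid == own_id else f"sg:{gid}")
    return [s for s in out if s]


def source_allowed(src, allowed):
    """A source is allowed if listed literally or if it is a CIDR inside an allowed CIDR."""
    if src in allowed:
        return True
    if src == SELF or src.startswith("sg:"):
        return False                      # foreign groups are never implicitly allowed
    net = ipaddress.ip_network(src, strict=False)
    for a in allowed:
        if a == SELF or a.startswith("sg:"):
            continue
        a_net = ipaddress.ip_network(a, strict=False)
        if a_net.version == net.version and net.subnet_of(a_net):
            return True
    return False


def audit(group, policy=POLICY):
    """Return sorted findings for a security group dict; [] means it matches the policy."""
    own_id = group["GroupId"]
    findings, covered = set(), set()
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1":                 # "All traffic": every protocol and port
            lo, hi = 0, 65535
        label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
        srcs = rule_sources(perm, own_id)
        for src in srcs:
            if src in WORLD:
                findings.add(f"{label} open to the world ({src})")
        matched = 0
        for (pproto, pport), allowed in policy.items():
            if proto not in (pproto, "-1") or not lo <= pport <= hi:
                continue
            matched += 1
            covered.add((pproto, pport))
            for src in srcs:
                if not source_allowed(src, allowed):
                    findings.add(f"{pproto}/{pport}: source {src} not allowed")
        if proto == "-1" or hi - lo + 1 > matched:
            findings.add(f"{label} permits ports outside the Xpand port list")
    for pproto, pport in set(policy) - covered:
        findings.add(f"{pproto}/{pport}: no rule, so nothing can reach it")
    return sorted(findings)


# Constructed "before" group: every Xpand port open to 0.0.0.0/0, the default this page warns about.
BEFORE = {"GroupId": SG_ID, "IpPermissions": [
    make_perm(p, port, port, cidrs=["0.0.0.0/0"])
    for (p, port) in sorted(POLICY)]}
# Constructed "after" group: the rule set this page ends with.
AFTER = {"GroupId": SG_ID, "IpPermissions": desired_permissions(SG_ID)}

if __name__ == "__main__":
    for name, grp in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {len(audit(grp))} finding(s)")
        for f in audit(grp):
            print("  -", f)
```

Running the block prints 14 findings for the wide-open group (each port is both world-reachable and sourced from a range the policy does not allow) and none for the locked-down group. The audit also reports ports with no rule at all, since a missing intra-node rule breaks the cluster rather than exposing it, and it treats a narrower CIDR inside an allowed range as compliant while never treating a foreign Security Group as compliant.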

Now that you have created your security group, you can continue with the Xpand AWS Installation Guide.

Questions? Please see Xpand support offerings.