Security Groups

Subnets

name	CIDR	Type	Availability Zone
qa-subnet-public1-ap-southeast-1a	10.1.0.0/20	Public	ap-southeast-1a
qa-subnet-public1-ap-southeast-1b	10.1.16.0/20	Public	ap-southeast-1b
qa-subnet-private1-ap-southeast-1a	10.1.128.0/20	Private	ap-southeast-1a
qa-subnet-private1-ap-southeast-1b	10.1.144.0/20	Private	ap-southeast-1b

Security Groups

Security groups need to be created for each VPC. The following shows the security groups in a single subnet.

security group	allow port	source	remarks
ssh	22	0.0.0.0/0	Allow ssh into the instance from anywhere. Only to be used on bastion hosts or haproxy.
ssh	22	10.1.0.0/20, 10.1.16.0/20	Allow ssh from instances from the private subnet.
http	80	0.0.0.0/0	Allows http request from anywhere. Only to be used on haproxy (load balancer)
https	443	0.0.0.0/0	Allow https request from anywhere. Only to be used on haproxy (load balancer)
haproxy-stats	8443	0.0.0.0/0	Allow https request from anywhere. Only to be used on haproxy (load balancer)
jodgig.api	8000	10.1.0.0/20, 10.1.16.0/20	Allow private IP address from public subnets.
jodgig.frontend	3000	10.1.0.0/20, 10.1.16.0/20	Allow private IP address from public subnets.
jodpro.api	8010	10.1.0.0/20, 10.1.16.0/20	Allow private IP address from public subnets.
jodpro.frontend	3010	10.1.0.0/20, 10.1.16.0/20	Allow private IP address from public subnets.
jodpro.rds.private-subnet-1	3306	10.1.128.0/20	RDS will only allow all private IPs from private subnets only.
jodpro.rds.private-subnet-2	3306	10.1.144.0/20	RDS will only allow all private IPs from private subnets only.

Environment Specific Security Groups

In AWS Console, we will prepend the vpc name to the security group name to make life easier.

Example

There will be 3 security groups for a security group allowing ssh for 3 environments.

vpc	security group	vpc
qa-vpc	ssh	qa-vpc.ssh
demo-vpc	ssh	demo-vpc.ssh
prod-vpc	ssh	prod-vpx.ssh