Configuring AWS Security Groups when using New Edge

AWS Security Groups

Posted on

Service Publishing is an essential capability provided by New Edge. Service Publishing makes enterprise applications and services running in your AWS environment available to your users in a secure manner. A key technology component of New Edge’s Secure Application Network is the New Edge Publisher.

The New Edge Publisher is a pre-packaged software component that is used to connect your private applications to New Edge without requiring you to expose those applications (or the underlying computing resources) to the Internet. A publisher can be deployed in your AWS VPC in a matter of minutes.

Following is a description of AWS security policies that we recommend you apply to your Publisher and the private resources you want to make available through New Edge.

Create Security Group for Publisher

Publisher requirements

New Edge Publishers require the following:

  • Network access to the services you want to publish
  • Network access to your internal DNS (provided by AWS) – your publisher needs be able to query your internal DNS to find your services
  • An outbound connection to the New Edge Cloud over TLS port 443

Note: Publishers do not require inbound network access. This is one of the primary security advantages of New Edge over remote-access VPNs, proxy servers, or bastion hosts. However, providing temporary inbound SSH access to your publisher can be useful in PoC scenarios to aid in troubleshooting.

AWS Console

  1. Sign in to your Amazon Web Services (AWS) console.
  2. Navigate to the EC2 Dashboard
  3. Click Security Groups in the left sidebar menu.

Security group configuration

  1. Click Create Security Group
  2. Enter “newedge-pub-prod-sg” in the Security group name field (optional).
  3. Enter a description in the Description field (optional).
  4. Select the VPC where your services are deployed.
  5. Click the Outbound tab, under “Security group rules”.
  6. Change Type of the first rule to DNS (UDP). Leave destination unchanged.
  7. Click Add Rule.
  8. Change Type of the second rule to HTTPS.
  9. Change Destination of the second rule to Anywhere.
  10. Click Add Rule.
  11. Set Type, Protocol, and Port for the third rule based on the resources you want to publish. For example, if you want to publish a web application on port 8080, choose Custom TCP rule, TCP, port 8080.
  12. Set Destination to Custom and enter the “Security Group ID” of service’s security group.
  13. Click Create

Update Security Group for Service

Update your existing security groups to allow access from your New Edge Publisher to the services you plan to publish.

  1. Click Instances in the left sidebar menu.
  2. Select the EC2 instance which hosts the service you plan to publish.
  3. Click Description tab.
  4. Click the link to the instance’s security group.
  5. Click the Inbound tab.
  6. Click Edit.
  7. Click Add Rule.
  8. Set Type, Protocol, and Port for the rule based on the service you want to publish. For example, if you want to publish a web application on port 8080, choose Custom TCP rule, TCP, port 8080.
  9. Set Source to Custom and enter the name of the New Edge publisher security group which you created before – e.g. “newedge-pub-prod-sg”.
  10. Click Save.

Summary

This article describes how to create a new security group for your New Edge publisher. This security group configuration will allow the publisher to reach required services, like DNS and the New Edge Cloud, and the services you plan to publish. The article also described how to update your existing EC2 security groups so that your publisher can reach your private applications.

If you’re just getting started with New Edge, check out our Getting Started Guide. It provides steps for deploying a publisher in your AWS environment.

Try New Edge Free for 30 Days

New Edge is the best way to provide secure access to both cloud and datacenter services. Contact us, to learn more about how we can help secure your critical application infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *