Thursday, May 16, 2013

Amazon EC2 Multi Region Setup and Migrations -> Security groups


Security groups are firewall rules that restrict access to assets deployed in the Amazon Web Services infrastructure. A security group exists only within the scope of a single Amazon EC2 region (for example, security groups configured in the AWS US-EAST region are not available in the AWS APAC region). For multi-region setups and migrations in AWS, one common best practice is to export the security groups from the primary region and configure the same groups in the target AWS region as well.

Point 1) You can use the following command to export a copy of the definitions of existing security groups; this will ease the migration effort:

ec2-describe-group -H --region <Source Region Name> > security_groups.txt

Point 2) Alternatively, you can use the following script to import the security groups into the target AWS region. This script does not work with VPC security groups. It uses the command "ec2-describe-group" to query the existing security groups in a region and creates a shell script that can be used to re-create them in a different region.
Instructions:

  • Download the script from the following location: http://ry4an.org/unblog/static/attachments/ec2-security-group-tools.tar.gz
  • Set the environment variables needed to run the "ec2-describe-group" command, i.e. AWS_SECRET_KEY and AWS_ACCESS_KEY.
  • In the file "create-firewall-script.pl", set the AWS region and AWS account number. The region should be the one the security groups are imported into: e.g., if you import from us-east-1 to us-west-2, update create-firewall-script.pl with the region us-west-2.
  • Run the script with the following command to generate a shell script. The generated shell script contains the security group details and the commands needed to create the security groups: ec2-describe-group | ./create-firewall-script.pl > create-firewall.sh
  • Run the generated shell script with "sh create-firewall.sh". This creates the security groups in the target region.
  • With the command below you can also render the security group details as an image: ec2-describe-group | ./visualize-security-groups.pl > groups.png
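As an added example (not the linked tools and not code from the original post), a small Python equivalent of create-firewall-script.pl: it parses the tab-separated ec2-describe-group output, skips VPC groups (which the Perl script cannot handle), and emits the ec2-create-group / ec2-authorize commands for the target region, flagging world-open rules for review. The column layout of the sample and the flag names are assumptions taken from the classic EC2 API tools; check them against your own export.

```python
"""Turn `ec2-describe-group` output from a source region into the shell
commands that recreate the same EC2-Classic security groups elsewhere."""
import shlex

# Constructed sample of `ec2-describe-group` output (tab-separated).
# Column layout is assumed from the classic EC2 API tools; a real export
# may differ, so compare with the -H header line of your own file.
SAMPLE = """\
GROUP\tsg-0a1b2c3d\t123456789012\twebservers\tweb tier
PERMISSION\t123456789012\twebservers\tALLOWS\ttcp\t80\t80\tFROM\tCIDR\t0.0.0.0/0\tingress
PERMISSION\t123456789012\twebservers\tALLOWS\ttcp\t22\t22\tFROM\tCIDR\t10.0.0.0/8\tingress
GROUP\tsg-0e1f2a3b\t123456789012\tappservers\tapp tier
PERMISSION\t123456789012\tappservers\tALLOWS\ttcp\t8080\t8080\tFROM\tUSER\t123456789012\tNAME\twebservers\tID\tsg-0a1b2c3d\tingress
GROUP\tsg-0c0d0e0f\t123456789012\tvpcgroup\tin a vpc\tvpc-11223344
"""

def parse_groups(text):
    """Return (groups, rules, skipped): groups maps name -> description; rules
    is a list of (group, proto, from_port, to_port, source) where source is a
    CIDR string or ("group", name); skipped lists VPC groups (6th GROUP column)."""
    groups, rules, skipped = {}, [], []
    for line in text.splitlines():
        f = line.split("\t")
        if f[0] == "GROUP":
            if len(f) > 5 and f[5].startswith("vpc-"):
                skipped.append(f[3])
                continue
            groups[f[3]] = f[4]
        elif f[0] == "PERMISSION" and f[2] in groups:
            src = f[9] if f[8] == "CIDR" else ("group", f[11])
            rules.append((f[2], f[4], f[5], f[6], src))
    return groups, rules, skipped

def render_script(groups, rules, region):
    """Emit create/authorize commands for the target region. Flag names
    (-d, -P, -p, -s, -o, --region) are assumed from the classic EC2 tools."""
    out = [f"#!/bin/sh\n# generated for {region}"]
    for name, desc in groups.items():
        out.append(f"ec2-create-group {shlex.quote(name)} -d {shlex.quote(desc)} --region {region}")
    for grp, proto, lo, hi, src in rules:
        if src == "0.0.0.0/0":  # review world-open rules before re-creating them
            out.append(f"# REVIEW: {grp} {proto}/{lo}-{hi} is open to 0.0.0.0/0")
        s = f"-s {src}" if isinstance(src, str) else f"-o {shlex.quote(src[1])}"
        out.append(f"ec2-authorize {shlex.quote(grp)} -P {proto} -p {lo}-{hi} {s} --region {region}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    g, r, skipped = parse_groups(SAMPLE)
    print(render_script(g, r, "us-west-2"))
```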

Point 3) Use centralized governance tools such as Dome9 or cloudaware to manage the security groups and their changes efficiently.

It is recommended to implement one or more of the above points proactively for multi-region setups in AWS, to improve the Recovery Time Objective (RTO) during DR.

