I have several Amazon EC2 instances running Ubuntu 10.04 and I've recently started using Amazon's Route 53 as my DNS. The purpose of doing that was to allow the instances to refer to each other by name rather than private IP (which can change). I've pointed my domain name (via GoDaddy) to Amazon's name servers, allowing me to access my EC2 webservers.
However, I noticed I can now access the EC2 instances which I don't want to be public, such as the dedicated MySQL Server. I was thinking Amazon's Security Groups would still be in effect when using Route 53, but that doesn't seem to be the case.
Before I started using Route 53, I was thinking of having one instance run a reverse proxy, which would help protect the web servers behind it. Then IP-restrict all the other instances.
I know IP restricting can be done using the firewall within each instance, but should I ever need to access them from another IP address, I'd need a way in. Amazon's control panel made it a breeze to open a port when necessary.
Does anyone have any suggestions for keeping EC2 instances secure, but also accessible to their administrator?
Also, what's the best topology for a group of EC2 instances, consisting of web servers and a dedicated database server, from a security perspective? Does having a reverse proxy server even make sense?
A couple of things that might help.
I have a fairly small system and pull all my servers into a default security group so they can access each other. I also add a hostgroup security group to each server which might be where I allow port 80 in or something like that. And sometimes if it's an odd server it'll have a host security group as well so I can allow things specifically for that server. Some of my servers look like this.
db01 => default, database
test01 => default, qa, test01
fe01 => default, frontend
I use CNAMEs for all my servers. Handles the external and internal names fine. Internally on AWS the name resolves to the internal IP, externally it's the public IP. I assume they are doing views on their name servers.
db01 CNAME ec2-222-111-222-111.us-west-1.compute.amazonaws.com
In any case, servers can access each other by the CNAMEs I've created and it's consistent.
I'd skip the reverse proxy unless it speeds up your application.
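The default-plus-role security group layering described in the answer above, written out as an added Terraform example (not the answerer's own configuration); it assumes a VPC id and an administrator CIDR supplied as variables, and the group names are illustrative.

```hcl
variable "vpc_id"     { type = string }
variable "admin_cidr" { type = string } # placeholder such as "203.0.113.10/32"

# "default" group: attached to every instance. The self-referencing rule
# admits traffic only from other members, not from the public internet.
resource "aws_security_group" "default_members" {
  name        = "default-members"
  description = "Every instance; members may reach each other"
  vpc_id      = var.vpc_id
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
  egress { # Terraform drops AWS's implicit allow-all egress unless stated
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Host group for web front ends only: port 80 is opened here, nowhere else.
resource "aws_security_group" "frontend" {
  name        = "frontend"
  description = "Public HTTP for front-end hosts"
  vpc_id      = var.vpc_id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Admin group: SSH only from the administrator's address; moving to a new
# IP means changing one variable, not each instance's local firewall.
resource "aws_security_group" "admin" {
  name        = "admin"
  description = "SSH from the administrator's address"
  vpc_id      = var.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
}
# db01 => default_members + admin (no public path to MySQL); fe01 => + frontend.
```

Attach `default_members` to every instance and add `frontend` only to web hosts, so the database instance never carries a rule that admits 0.0.0.0/0.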
Have you considered using Amazon's VPC offering? If you don't need public internet access to your instances, it's a tidy solution, bypassing the need for security groups or per-instance firewalls.
Your wording "the EC2 instances which I don't want to be public" implies this may not be the case, though, which would mean that you would be stuck with your public instances (if there are any) reaching in through your datacenter and back out the VPC pipe to get to what they need (but this would be controlled via exposed ports on your datacenter router). This may still be ok depending on the nature of your app.
Edit: This also gives you the benefit of being able to use static private IPs inside your VPC, organized into subnets no less!