I want to set up a security group for an EC2 instance (Linux). There are services running on it like memcached, Python, dhclient, Node.js etc. How do I know which IP/CIDR block my server should be listening to on a particular port? E.g. if mysqld is running on port 3306, what should the source CIDR/IP/SG be, and how do I find it out? (inbound rules)
P.S. It is a VPC with various web servers, database servers, CMS, Solr etc. I need to set up security groups for each of these. Specifically, I need to know what instance is talking to what other machines in the VPC. Presently the security group setup is open for all. I need to secure it.
Consider if you are running mysqld on the database server: you simply need to open port 3306 in the database server's security group to the web servers' security group. Then all the web servers will have access to the database servers.
If you want to adjust the security groups for a server, you need to do the following:
1. Get the scope of all your servers.
2. Inbound rules:
2.1 Specify the security groups of your servers as the source, and the port used by a certain service (3306 for mysqld).
2.2 Specify the IP address that you will manage the server from, with port 22 for SSH.
3. Outbound rules:
3.1 You can limit the IP addresses that your server will be allowed to connect to.
More info available here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html
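The part of the question neither answer covers is how to find out which instance actually talks to which on what port before writing the rules. As an added example (not code from the question or either answer above), the script below does that from VPC Flow Log records, assuming flow logs are enabled for the VPC and captured in the default space-separated format. It keeps accepted client-to-server flows, groups them by destination and port, and maps each source address to the security group of the instance that owns it so that the proposed rule names a source security group (as the first answer recommends) and falls back to a /32 CIDR only for addresses outside the VPC, such as the admin host that needs SSH. The log lines, private IPs and the group names sg-web / sg-db / sg-solr are all constructed placeholders; in a real run the IP-to-group mapping comes from `aws ec2 describe-instances` and the groups are sg-... IDs.

```python
"""
Derive security-group inbound rules from VPC Flow Log records.

Added example, not part of the original question or answers. Assumes the
default VPC Flow Log record format (14 space-separated fields) and a
hand-made mapping from private IP to the security group of the instance.
All log lines, addresses and group names below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address

# Default flow-log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# IANA protocol numbers to the names the EC2 API accepts.
PROTO = {"6": "tcp", "17": "udp"}

# Linux default lower bound of net.ipv4.ip_local_port_range (assumption:
# clients use the default ephemeral range).
EPHEMERAL_START = 32768

# Constructed: which security group each instance's private IP belongs to.
# In practice this is built from `aws ec2 describe-instances`.
SG_OF_IP = {
    "10.0.1.10": "sg-web",
    "10.0.1.11": "sg-web",
    "10.0.2.20": "sg-db",
    "10.0.3.30": "sg-solr",
}

# Constructed sample records: two web servers -> MySQL, one web server -> Solr,
# an SSH login from an admin host outside the VPC, a rejected scan, and the
# mirrored server->client record of the first MySQL connection.
SAMPLE_LOG = """\
2 123456789012 eni-0a 10.0.1.10 10.0.2.20 51234 3306 6 20 4000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a 10.0.1.11 10.0.2.20 51300 3306 6 18 3600 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0b 10.0.1.10 10.0.3.30 40000 8983 6 5 900 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0c 203.0.113.7 10.0.1.10 55000 22 6 30 6000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0d 198.51.100.9 10.0.2.20 60000 3306 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a 10.0.2.20 10.0.1.10 3306 51234 6 20 8000 1600000000 1600000060 ACCEPT OK
"""


def parse_records(text):
    """Yield one dict per well-formed record; skip NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec


def observed_services(text):
    """
    Map (dst_ip, protocol, dst_port) -> set of source IPs for accepted
    client-to-server flows. Flow logs record both directions of a connection,
    so a record only counts when the destination port looks like a service
    port and the source port looks ephemeral; that drops the mirrored
    server->client record for the same connection.
    """
    services = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] != "ACCEPT":
            continue  # REJECTs show what is already blocked, not who needs access
        sport, dport = int(rec["srcport"]), int(rec["dstport"])
        if not (dport < EPHEMERAL_START <= sport):
            continue
        proto = PROTO.get(rec["protocol"], rec["protocol"])
        services[(rec["dstaddr"], proto, dport)].add(rec["srcaddr"])
    return services


def proposed_rules(services, sg_of_ip):
    """
    Turn observed flows into inbound rules per destination security group.
    Sources that belong to one of our instances are expressed as their
    security group; anything else becomes a /32 CIDR.
    Returns {dst_sg: sorted list of (protocol, port, source)}.
    """
    rules = defaultdict(set)
    for (dst_ip, proto, port), sources in services.items():
        dst_sg = sg_of_ip.get(dst_ip)
        if dst_sg is None:
            continue  # destination is not one of our instances
        for src in sources:
            source = sg_of_ip.get(src) or f"{ip_address(src)}/32"
            rules[dst_sg].add((proto, port, source))
    return {sg: sorted(entries) for sg, entries in rules.items()}


def as_cli(rules):
    """Render rules as `aws ec2 authorize-security-group-ingress` calls.
    The group names are placeholders; the real CLI wants sg-... IDs."""
    cmds = []
    for dst_sg, entries in sorted(rules.items()):
        for proto, port, source in entries:
            src_flag = "--cidr" if "/" in source else "--source-group"
            cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {dst_sg} "
                        f"--protocol {proto} --port {port} {src_flag} {source}")
    return cmds


if __name__ == "__main__":
    for cmd in as_cli(proposed_rules(observed_services(SAMPLE_LOG), SG_OF_IP)):
        print(cmd)
```

For the constructed log this yields three rules: tcp/3306 into sg-db from sg-web, tcp/8983 into sg-solr from sg-web, and tcp/22 into sg-web from 203.0.113.7/32; the rejected scan and the reverse-direction record contribute nothing. Two caveats before applying such rules: flow logs only show traffic seen during the capture window, so a client that was idle (a nightly batch job, for instance) will be missing and the capture should run long enough to cover it; and the ephemeral-port heuristic misclassifies a client that binds a low source port, so review anything unexpected by hand.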