An Amazon Elastic Compute Cloud (EC2) instance can only allow network traffic from sources and ports defined in its security group. When you use Amazon EC2, you need to set up some security groups that correspond to the types of things you'll be doing with your EC2 instances. This topic describes some common security groups you can configure for different ArcGIS Server deployments.
By default, a security group is completely locked down. You add rules to a security group specifying the type of traffic allowed, the ports it will be allowed through, and the computers from which communication will be accepted. The ports you decide to open and the type of traffic you need to allow depend on what you are doing with the instance.
The following are suggestions of security group names and rules that you can configure in the AWS Management Console. Allowed ports and protocols may vary based on your organization's IT policies. The suggestions below use the most common port numbers. If your organization has an IT specialist, consider consulting with him or her to devise the best security strategy for your EC2 instances.
Consider creating a security group specifically for EC2 instances that are being used for development and testing purposes. This type of group could allow the following access:
- RDP access through port 3389 for your IP address or a range of approved IP addresses within your organization (Windows only). This allows you to administer your EC2 instance through Windows Remote Desktop. You must use Classless Inter-Domain Routing (CIDR) notation to specify a range of IP addresses (or one IP address) that can make connections. For example, 0.0.0.0/0 allows everyone to connect, whereas 126.96.36.199/32 allows one specific IP address to connect. Check with your system administrator if you need help obtaining the external-facing IP address of your local machine.
- TCP access through port 22 for your IP address or a range of approved IP addresses within your organization (Linux only). Opening port 22 allows you to work with your Linux instances through SSH.
- TCP access through port 6080 for everyone (if not using an Elastic Load Balancer) or the Elastic Load Balancer's security group (if using an Elastic Load Balancer). Port 6080 is used for communication with ArcGIS Server. If you're not putting an Elastic Load Balancer in front of your site, then you need to open port 6080 to everyone who will use your ArcGIS Server web services. If you're using an Elastic Load Balancer, you need to open port 6080 to the Elastic Load Balancer's security group (which is discoverable through the AWS Management Console and is most likely a value such as amazon-elb/amazon-elb-sg).
- Access from other machines in this group. This is required in order for the GIS server machines to communicate with each other. It also facilitates file sharing. You can add a rule permitting this type of access by choosing the All ICMP rule type, entering your security Group ID (for example sg-xxxxxxxx) in the Source box, and clicking Add Rule. When you take this approach, the machines in your group can communicate with each other through all ports and protocols.
Once you've developed and tested your application and are ready to move it to a production tier, it's a good idea to disable remote desktop access. If a problem occurs and you need to log in to the machine, you can temporarily change the security group configuration to allow yourself access. An ArcGIS Server Production group could allow the following access:
- TCP access through port 6080 for everyone (if not using an Elastic Load Balancer) or the Elastic Load Balancer's security group (if using an Elastic Load Balancer)
- Access from other machines in this group
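The development/testing and production groups above, expressed as an added example (not Esri's or AWS's code) that builds boto3-style `IpPermissions` entries and audits them before they are applied to a group; the admin CIDR and the `sg-...` identifiers are constructed placeholders, not values from this page.

```python
"""Build and audit EC2 security-group ingress rules for the ArcGIS Server
groups described above.  Output uses the IpPermissions shape that boto3's
authorize_security_group_ingress() accepts; nothing here calls AWS."""
import ipaddress

# Constructed placeholders: replace with your own workstation CIDR and the
# Elastic Load Balancer's security group ID.
ADMIN_CIDR = "203.0.113.10/32"      # one host, in CIDR notation as AWS requires
ELB_SG = "sg-0placeholderelb"
ADMIN_PORTS = {22, 3389}            # SSH (Linux) and RDP (Windows)

def cidr(value):
    """Validate CIDR notation; a bare address without /prefix is rejected."""
    if "/" not in value:
        raise ValueError(f"{value!r} must use CIDR notation, e.g. {value}/32 for one host")
    return str(ipaddress.ip_network(value, strict=True))

def tcp(port, *, cidr_ip=None, group_id=None):
    """Single TCP port from either a CIDR range or another security group."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr_ip is not None:
        rule["IpRanges"] = [{"CidrIp": cidr(cidr_ip)}]
    if group_id is not None:
        rule["UserIdGroupPairs"] = [{"GroupId": group_id}]
    return rule

def all_traffic_from(group_id):
    """Self-referencing rule: members reach each other on every port/protocol."""
    return {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": group_id}]}

def dev_test_rules(self_sg, admin_cidr=ADMIN_CIDR, windows=True, elb_sg=None):
    """RDP or SSH from the admin range, 6080 from the ELB group or the world,
    and full access between members of the group."""
    admin = tcp(3389 if windows else 22, cidr_ip=admin_cidr)
    arcgis = tcp(6080, group_id=elb_sg) if elb_sg else tcp(6080, cidr_ip="0.0.0.0/0")
    return [admin, arcgis, all_traffic_from(self_sg)]

def production_rules(self_sg, elb_sg=None):
    """Production: the dev/test rules minus remote administration."""
    return [r for r in dev_test_rules(self_sg, elb_sg=elb_sg)
            if r.get("FromPort") not in ADMIN_PORTS]

def audit(rules, production=False):
    """Findings a reviewer would want before applying: admin ports open to
    0.0.0.0/0, and any admin port left in a production group."""
    findings = []
    for r in rules:
        port = r.get("FromPort")
        world = any(ip["CidrIp"] == "0.0.0.0/0" for ip in r.get("IpRanges", []))
        if port in ADMIN_PORTS and world:
            findings.append(f"port {port} open to 0.0.0.0/0")
        if port in ADMIN_PORTS and production:
            findings.append(f"port {port} present in production group")
    return findings
```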
Secured production instances
If you want to require encrypted communication with your machine, you should configure an Elastic Load Balancer on your site that receives traffic through port 443, the port typically used for encrypted communication through SSL. Then configure the load balancer to forward traffic to port 6443. On your security group, open the ports described above for ArcGIS Server Production.
Security groups for enterprise geodatabases
If you choose to have enterprise geodatabases on a separate instance from your ArcGIS Server instance, you can configure a security group specifically for your enterprise geodatabase instance that allows the following:
- TCP access through port 22 (Linux) for your IP address or a range of approved IP addresses within your organization. You need to remotely connect to your machine at least once to change the PostgreSQL default passwords. After that, you can remove this remote access rule from the security group if you want.
- RDP access through port 3389 (Windows). You can add this rule if you need to remotely connect to your Microsoft SQL Server or SQL Server Express instance—for example, to add users or additional geodatabases—then remove it when you finish.
- Access from machines in your ArcGIS Server security group. This allows your instances running ArcGIS Server to access your enterprise geodatabase instance. If machines not participating in your security groups need to connect to your geodatabase, you need to explicitly open port 5432 to allow communication with PostgreSQL, or port 1433 to communicate with SQL Server.
Commonly used ports
Following are some of the most common ports you may work with as you create security groups. Some of these ports you may not need to explicitly open; rather, you may just decide to give machines within your security group full access to each other. If you want to allow access from machines not participating in your security groups (for example, your desktop workstation in your office), you need to open specific port numbers.
- HTTP access to IIS web server or load balancer
- HTTPS access to IIS web server or load balancer
- Windows file sharing
- Connections to Microsoft SQL Server
- Connections to Windows Remote Desktop
- Connections to PostgreSQL
- HTTP access to ArcGIS Server
- HTTPS access to ArcGIS Server
- HTTPS access to Portal for ArcGIS
- ArcGIS Data Store communication
Windows Firewall is enabled on any Windows instance that you launch using the Esri-provided AMIs. If you install a third-party application that requires ports other than those listed above, ensure that Windows Firewall is also configured to allow the port.