Amazon provides security groups that allow you to specify who can connect to your EC2 instances. When you build a site using ArcGIS Server Cloud Builder on Amazon Web Services or a CloudFormation template provided by Esri, a security group is created for you, and HTTP access is granted. However, if you intend to work with your EC2 instances using Remote Desktop Connection or SSH, you must add rules allowing those types of connections.
If you are building a site and Cloud Builder detects that you have a security group named arcgis-<site name>, Cloud Builder applies that security group instead of creating a new one. This behavior means that you can potentially create and configure a security group as described below before you build a site.
If you are building your site manually using the Amazon Web Services (AWS) Management Console, you must create a security group yourself and add Remote Desktop and SSH rules. Additionally, you must add an HTTP access rule for users to access your web services. Finally, you need to allow all instances in your security group to access each other. This process is described in the following steps.
- Sign in to the AWS Management Console and display the page for the EC2 region hosting your site.
- On the left pane, click Security Groups.
- Click the box next to the security group you want to modify, and click the Inbound tab to examine the list of allowed connections.
- Click Edit to alter the list of inbound connections allowed.
The Edit inbound rules dialog box opens.
- Click Add Rule.
A new line is added to the bottom of the inbound rules.
- If you are using a Windows instance, use the drop-down lists and text boxes to add RDP as an allowed connection. This opens port 3389. You'll also need to supply a range of IP addresses that are allowed to make this connection, using Classless Inter-Domain Routing (CIDR) notation. For example, 0.0.0.0/0 allows everyone to connect (not recommended for security reasons), whereas 184.108.40.206/32 allows one specific IP address to connect.
- If you are using a Linux instance, use the drop-down lists and text boxes to create a new Custom TCP rule allowing access to port 22 from an approved IP address or range of IPs. This allows you to interact with your instance through SSH.
- Click Add Rule, and add a Custom TCP rule with port 6080 as an allowed connection. Optionally, specify a range of IP addresses that are allowed to make this connection.
- If you'll be using an encrypted connection, click Add Rule and add a Custom TCP rule with port 6443 as an allowed connection. Optionally, specify a range of IP addresses that are allowed to make this connection.
- Click Add Rule and add a rule to allow all EC2 instances within your group full access to each other. To do this, choose All ICMP. Then, in the Source text box, type the Group ID of the security group that you are currently editing (for example, sg-xxxxxxxx).
If you don't know the ID of your security group, you can switch back to the Details tab to see it, but be aware that this will erase the other rules you've set if you have not yet clicked Save.
- If you have not yet done so, click Save. Your rule changes take effect immediately.
If you built your site using ArcGIS Server Cloud Builder on Amazon Web Services or an Esri-provided CloudFormation template, the next three rules were added automatically. You can click Apply Rule Changes and do not need to proceed with the remaining steps.
See Common security group configurations to learn more about these security rules and when to adjust them.
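The same inbound rule set can be built and audited programmatically. The following is an added example, not code from the Esri documentation: it assembles the rules from the steps above in the shape boto3's `authorize_security_group_ingress` expects (RDP or SSH from an administrative CIDR, ports 6080 and 6443, and a self-referencing rule for traffic between instances in the group), then checks whether either administrative port is open to the whole Internet, which is the case the text calls not recommended. The group ID and the admin CIDR are placeholders. The self-referencing rule is written with IP protocol `-1`, the API spelling of the console's "All traffic" choice, because that is what full access between instances requires; the console's "All ICMP" option permits only ICMP.

```python
import ipaddress
from typing import Dict, List, Tuple

# Administrative ports from the steps above. A rule that opens one of these to
# 0.0.0.0/0 (or ::/0) is what the audit below reports.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def tcp_rule(port: int, cidr: str, description: str) -> Dict:
    """One inbound TCP rule for a single port from a CIDR range."""
    ipaddress.ip_network(cidr, strict=False)  # raises ValueError on malformed input
    key = "Ipv6Ranges" if ":" in cidr else "IpRanges"
    field = "CidrIpv6" if ":" in cidr else "CidrIp"
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        key: [{field: cidr, "Description": description}],
    }


def self_reference_rule(group_id: str) -> Dict:
    """All protocols and ports from members of the same security group."""
    return {
        "IpProtocol": "-1",
        "UserIdGroupPairs": [{"GroupId": group_id, "Description": "traffic between site instances"}],
    }


def build_inbound_rules(group_id: str, admin_cidr: str,
                        windows: bool = True, use_https: bool = True) -> List[Dict]:
    """Rule list matching the steps above: RDP (Windows) or SSH (Linux) from the
    admin range, HTTP on 6080, optionally HTTPS on 6443, and intra-group access."""
    rules = []
    if windows:
        rules.append(tcp_rule(3389, admin_cidr, "RDP from admin range"))
    else:
        rules.append(tcp_rule(22, admin_cidr, "SSH from admin range"))
    rules.append(tcp_rule(6080, "0.0.0.0/0", "ArcGIS Server HTTP"))
    if use_https:
        rules.append(tcp_rule(6443, "0.0.0.0/0", "ArcGIS Server HTTPS"))
    rules.append(self_reference_rule(group_id))
    return rules


def find_exposed_admin_ports(rules: List[Dict]) -> List[Tuple[int, str]]:
    """Return (port, cidr) pairs where an administrative port is open to any source."""
    findings = []
    for rule in rules:
        if rule.get("IpProtocol") != "tcp":
            continue
        for port in ADMIN_PORTS:
            if not rule["FromPort"] <= port <= rule["ToPort"]:
                continue
            ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in ranges:
                # A prefix length of 0 means every address (0.0.0.0/0 or ::/0).
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((port, cidr))
    return findings


def apply_rules(group_id: str, rules: List[Dict], region_name: str):
    """Push the rules to AWS. Needs boto3 and credentials; not called in the demo."""
    import boto3  # imported lazily so building and auditing work without AWS access
    ec2 = boto3.client("ec2", region_name=region_name)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    group = "sg-0123456789abcdef0"      # placeholder group ID
    admin = "203.0.113.10/32"           # placeholder admin address (documentation range)
    rules = build_inbound_rules(group, admin, windows=True, use_https=True)
    for port, cidr in find_exposed_admin_ports(rules):
        print(f"WARNING: {ADMIN_PORTS[port]} (port {port}) is open to {cidr}")
    # apply_rules(group, rules, region_name="us-east-1")  # run only with real credentials
```

Restricting the admin range to a `/32` (or your office's range) keeps the audit clean; passing `0.0.0.0/0` for `admin_cidr` reproduces the exposure the text warns against and the function reports it before anything is sent to AWS.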