Amazon provides security groups that allow you to specify who can connect to your Amazon Elastic Compute Cloud (EC2) instances. When you build a site using ArcGIS Enterprise on Amazon Web Services deployment tools, a security group is created for you, and HTTPS and HTTP access is granted. However, if you intend to work with your EC2 instances using a Remote Desktop Connection or SSH, you must add rules allowing those types of connections.
If you are building your site using the Amazon Web Services (AWS) Management Console, you must create a security group and add a Remote Desktop or SSH rule if you need to connect to the instances directly. Additionally, you must add HTTP and HTTPS access rules for users to access your web services and portal. Finally, you need to allow all instances in your security group to access each other.
These processes are summarized in the following steps:
- Sign in to your AWS account in the AWS Management Console and edit the inbound rules for your security group.
  - If you use EC2 Linux instances, see Amazon Elastic Compute Cloud Security Groups for Linux Instances in the AWS documentation.
  - If you use EC2 Microsoft Windows instances, see Amazon Elastic Compute Cloud Security Groups for Windows Instances in the AWS documentation.
  - If you use an Amazon Virtual Private Cloud (VPC), see Security Groups for your VPC in the AWS documentation.
- If you want to connect directly to an Amazon instance, do one of the following:
  - If you use Windows instances and want to make Remote Desktop Connections, add a rule allowing access to port 3389 from an approved IP address or range of IPs.
  - If you use Linux instances and want to make SSH connections, add a rule allowing access to port 22 from an approved IP address or range of IPs.
- If you built your site using the AWS Management Console, you need to add these rules:
  - If your instance includes an ArcGIS Enterprise portal, add a rule allowing connections through port 7443. Specify a range of IP addresses that are allowed to connect to the site through this port.
  - If you have a stand-alone or federated ArcGIS Server site on the instance and you'll be using encrypted connections to it, add a rule allowing connections through port 6443. Specify a range of IP addresses that are allowed to connect to the site through this port.
  - If you have a stand-alone or federated ArcGIS Server site on the instance, and you'll be using HTTP connections, add a rule allowing connections through port 6080. Specify a range of IP addresses that are allowed to connect to the site through this port.
  - Add a rule to allow all instances in your security group full access to each other. For Amazon VPC and EC2 Windows instances, see Security Group Rules in the AWS User Guide for Windows Instances. For VPC and EC2 Linux instances, see Security Group Rules in the AWS User Guide for Linux Instances.
- Save the changes you make to your security group rules.
Note:
If you built your site using an ArcGIS Enterprise on Amazon Web Services deployment tool, you do not need to complete the next step, as the tool or template added these rules for you.
See Common security group configurations to learn more about these security rules and when to adjust them.
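To check the result of the steps above, the following added example (not Esri or AWS code) audits the `IpPermissions` structure that `aws ec2 describe-security-groups` returns for one group. It flags ports 22, 3389, 7443, 6443 and 6080 when they are open to every address instead of an approved range, and reports a missing rule for access between group members. The names `RESTRICTED_PORTS`, `audit` and `SAMPLE` are hypothetical, and the group ID and CIDR ranges are constructed.

```python
import ipaddress

# Ports this page says to limit to approved addresses (80/443 are meant to be public).
RESTRICTED_PORTS = {22: "SSH", 3389: "Remote Desktop", 7443: "portal",
                    6443: "ArcGIS Server HTTPS", 6080: "ArcGIS Server HTTP"}

def open_sources(perm):
    """CIDRs in one IpPermissions entry that match every address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def covered_ports(perm):
    """Restricted ports that fall inside the rule's protocol and port range."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return sorted(RESTRICTED_PORTS)
    if perm.get("IpProtocol") != "tcp":
        return []
    return [p for p in sorted(RESTRICTED_PORTS) if perm["FromPort"] <= p <= perm["ToPort"]]

def audit(group):
    """Return findings for one security group from describe-security-groups."""
    findings, self_rule = [], False
    for perm in group.get("IpPermissions", []):
        # Assumption: "full access to each other" is an all-traffic rule whose
        # source is the security group itself.
        if perm.get("IpProtocol") == "-1" and any(
                pair.get("GroupId") == group["GroupId"]
                for pair in perm.get("UserIdGroupPairs", [])):
            self_rule = True
        for cidr in open_sources(perm):
            for port in covered_ports(perm):
                findings.append(f"{RESTRICTED_PORTS[port]} port {port} open to {cidr}")
    if not self_rule:
        findings.append("no rule giving group members full access to each other")
    return findings

# Constructed sample, not taken from a real account.
SAMPLE = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7500, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The wide 6000-7500 range in the sample shows why the check compares port ranges, not single port numbers: one broad rule exposes 6080, 6443 and 7443 at once.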