jclouds-user mailing list archives

From Richard Downer <rich...@apache.org>
Subject AWS self-referencing security groups
Date Tue, 17 Mar 2015 11:27:52 GMT

AWS has a feature where a security group can include a rule that
allows a security group ID, instead of allowing an IP address. Any
instance which is a member of the security group matches the rule and
its traffic is permitted according to the rule.

A very useful thing you can do with this is add the security group's
*own* ID to itself and set it to allow all TCP/UDP/ICMP packets. Then,
all instances that are a member of this security group have
unrestricted access to each other, a bit like a private subnet.
However external access is still firewalled off unless IP-based rules
are also added to the security group as usual.

Looking at jclouds, it's possible to pass a security group in the
EC2TemplateOptions, but this then disables jclouds' processing of
inboundPorts. So it's an all-or-nothing approach: either jclouds
manages the security group for the app, or it does nothing and it's up
to the app to fully manage the security group, so the app ends up
duplicating code that opens the inbound ports.

Any thoughts on how jclouds could take advantage of this AWS feature?
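
An added example, not from the post or from jclouds: a small Python model of the ingress semantics described above, so the effect of a self-referencing rule can be checked offline. The group ID "sg-app", the hosts and their addresses are constructed, and rule evaluation assumes only what AWS documents (group-ID rules match the sender's group membership, not an IP it carries).

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    protocol: str                        # "tcp", "udp", "icmp" or "-1" (all)
    from_port: int = -1                  # -1 = any port (ICMP / all-traffic rules)
    to_port: int = -1
    source_cidr: Optional[str] = None    # IP-based rule, e.g. "203.0.113.0/24"
    source_group: Optional[str] = None   # group-ID-based rule, e.g. "sg-app"

@dataclass
class Host:
    private_ip: str
    groups: frozenset[str] = frozenset()  # empty for hosts outside the VPC

def self_referencing_group(group_id: str) -> list[Rule]:
    """Ingress rules allowing all TCP/UDP/ICMP from the group's own members."""
    return [Rule(proto, source_group=group_id) for proto in ("tcp", "udp", "icmp")]

def rule_matches(rule: Rule, src: Host, protocol: str, port: int) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source_group is not None:
        # Group-ID rules match on the sender's membership (its private address), not its public IP.
        return rule.source_group in src.groups
    return rule.source_cidr is not None and \
        ip_address(src.private_ip) in ip_network(rule.source_cidr)

def ingress_allowed(groups: dict[str, list[Rule]], dst: Host, src: Host,
                    protocol: str, port: int) -> bool:
    """Permitted if any rule of any group attached to dst matches (union of groups)."""
    return any(rule_matches(r, src, protocol, port)
               for gid in dst.groups for r in groups[gid])

# Constructed sample: two members of the self-referencing group and an outsider.
GROUPS = {"sg-app": self_referencing_group("sg-app")}
WEB = Host("10.0.1.10", frozenset({"sg-app"}))
DB = Host("10.0.1.20", frozenset({"sg-app"}))
LAPTOP = Host("203.0.113.7")

if __name__ == "__main__":
    print(ingress_allowed(GROUPS, DB, WEB, "tcp", 5432))     # True: member to member
    print(ingress_allowed(GROUPS, DB, LAPTOP, "tcp", 5432))  # False: no IP-based rule
    GROUPS["sg-app"].append(Rule("tcp", 22, 22, source_cidr="203.0.113.0/24"))  # as usual
    print(ingress_allowed(GROUPS, DB, LAPTOP, "tcp", 22))    # True: IP rule added
```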
