Lab
Cloud Vendor: Amazon AWS
Proficiency Level: Cloud Enthusiast
Tags: EC2, Load Balancer, Security Groups, Web Server

Summary

In this lab, you will configure HTTPS Listener in an Application Load Balancer in Amazon AWS. You will upload a self-signed certificate to the Application Load Balancer and will disable the HTTP listener to allow only secure traffic.

Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.

Learning Objectives

After completion of this lab, you will be able to:

  • Upload a self-signed certificate to an Application Load Balancer in Amazon AWS
  • Configure an HTTPS Listener on the Application Load Balancer to enable secure Web traffic
  • Disable the HTTP Listener on the Application Load Balancer to avoid unsecured traffic

Prerequisites

To complete this lab, you will need the following:

Determine the Public IP Address Your Local Machine Uses

Here is how you can determine the public IP address your local machine uses. This IP address cannot be used to access your local machine from the Internet, but it is the IP address that requests to services come from:

  1. Go to https://www.google.com
  2. Type "what is my ip address" in the search box
  3. Google will return the public IP address your local machine uses. Note this IP address; you will need it for the exercises

Determine the Public IP Addresses of the Target Group EC2 Instances

Here is how you can determine the public IP addresses of the Target Group EC2 instances.

  1. Sign in to the AWS Management Console at https://aws.amazon.com/console/ using your AWS credentials
  2. In the Find Services search box, type EC2, and press Enter
  3. Find the computelab01-ec2-i01 EC2 instance in the list of instances and click on it
  4. On the Description tab below the list, note the IPv4 Public IP address of the EC2 instance
  5. Repeat steps 3 and 4 for the computelab01-ec2-i02 EC2 instance

Exercise #1: Create a Security Group in Amazon AWS

In this exercise, you will create a new Security Group in Amazon AWS and add inbound rules to it.

Steps

  1. Sign in to the AWS Management Console at https://aws.amazon.com/console/ using your AWS credentials
  2. In the Find Services search box, type EC2, and press Enter
  3. Click on the Security Groups link in the left-hand navigation
  4. Click on the button on top of the security groups list
  5. In the pop-up window, fill in the following information:
     Security group name: securitylab01-ec2-sg
     Description: Restrict HTTP access to Target Group
  6. Click on the button to add a new rule
  7. Select SSH for the Type field, and in the Source field, paste the public IP address your local machine uses (the one you obtained in the Prerequisites section), followed by /32.
  8. Click on the button to add another rule
  9. Select HTTP for the Type field, and type computelablab01-ec2-sg in the Source field.
  10. Click on the button to create the Security Group
  11. Milestone step: At this point, you have learned how to create a new Security Group in Amazon AWS and configure Inbound rules
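As an added check of the rules you just entered (example code written for this page, not part of the lab), the script below audits a security group's inbound rules in the dict shape that boto3's describe_security_groups returns and flags the common mistakes: SSH open wider than one /32, or HTTP allowed from a CIDR instead of the load balancer's security group. The workstation address 203.0.113.10/32 and the ALB security group id sg-0aaa1111bbbb2222c are placeholder values.

```python
"""Audit securitylab01-ec2-sg against the lab's intended inbound rules.
Added example, not part of the original lab. It reads the dict shape returned by
boto3's describe_security_groups (SecurityGroups[0]); the groups below are constructed,
and 203.0.113.10 / sg-0aaa1111bbbb2222c are placeholder values."""
import ipaddress

def audit_lab_sg(sg, admin_cidr, alb_sg_id):
    """Return a list of findings; an empty list means the rules match the lab policy."""
    findings, seen_ports = [], set()
    for perm in sg.get("IpPermissions", []):
        rule = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sg_refs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
        if rule == ("tcp", 22, 22):          # Exercise 1 step 7: SSH from your /32 only
            seen_ports.add(22)
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).num_addresses != 1:
                    findings.append(f"SSH open to {cidr}; lab expects a single host (/32)")
                elif cidr != admin_cidr:
                    findings.append(f"SSH allowed from {cidr}, not the lab workstation {admin_cidr}")
        elif rule == ("tcp", 80, 80):        # Exercise 1 step 9: HTTP from the ALB's SG only
            seen_ports.add(80)
            if cidrs:
                findings.append(f"HTTP allowed from {cidrs}; lab expects only the ALB security group")
            if alb_sg_id not in sg_refs:
                findings.append(f"HTTP rule does not reference {alb_sg_id}")
        else:                                # anything else (e.g. IpProtocol "-1" = all traffic)
            findings.append(f"unexpected rule {rule}; lab expects only SSH and HTTP rules")
    for port in (22, 80):
        if port not in seen_ports:
            findings.append(f"no inbound rule for TCP port {port}")
    return findings

# Constructed sample: the rules Exercise 1 asks for (placeholder values).
LAB_SG = {"GroupName": "securitylab01-ec2-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa1111bbbb2222c"}]}]}

# Same group with the two classic mistakes: SSH and HTTP opened to 0.0.0.0/0.
OPEN_SG = {"GroupName": "securitylab01-ec2-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
```

Calling audit_lab_sg(LAB_SG, "203.0.113.10/32", "sg-0aaa1111bbbb2222c") returns an empty list, while the same call on OPEN_SG returns three findings (SSH open to the world, HTTP from a CIDR, and no reference to the ALB security group); to audit the real group, feed in boto3's describe_security_groups output instead of the constructed dicts.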

Exercise #2: Configure the Target Group EC2 Instances to use the Security Group

In this exercise, you will configure the Target Group EC2 instances to use the new Security Group.

Steps

  1. Click on the Instances link in the left-hand navigation
  2. Find the computelab01-ec2-i01 EC2 instance in the list of instances and click on it
  3. Click on the button on top of the list and select Networking > Change Security Groups
  4. Deselect computelablab01-ec2-sg and select securitylab01-ec2-sg from the list
  5. Click on the button to save the Security Group changes
  6. Repeat steps 2 through 5 for the computelab01-ec2-i02 EC2 instance
  7. Milestone step: At this point, you have learned how to change the Security Group for EC2 instances in Amazon AWS

Exercise #3: Testing the Security Group (NSG) Rules for Web Traffic

In this exercise, you will test the web traffic rules you created in the Security Group.

Steps

  1. Open a new browser window and type the following in the address bar:
    https://[the_application_load_balancer_ip_address]
  2. You should see the home page served by the webserver installed on computelab01-ec2-i01 EC2 Instance
  3. Refresh the page
  4. You should see the home page served by the webserver installed on computelab01-ec2-i02 EC2 Instance
  5. Milestone step: At this point, you have verified that the Target Group can serve requests via HTTPS through the Application Load Balancer
  6. Open a new browser tab and paste the computelab01-ec2-i01 EC2 Instance IP address in the address bar
  7. After some time, you should receive an error message or the page will time out
  8. Milestone step: At this point, you have verified that the computelab01-ec2-i01 EC2 Instance is not directly accessible via HTTP
  9. Open a new browser tab and paste the computelab01-ec2-i02 EC2 Instance IP address in the address bar
  10. After some time, you should receive an error message or the page will time out
  11. Milestone step: At this point, you have verified that the computelab01-ec2-i02 EC2 Instance is not directly accessible via HTTP

Exercise #4: Testing the Security Group (NSG) Rules for SSH Traffic

In this exercise, you will test the remote access rules you created in the Security Group using an SSH client. Make sure you execute the steps from the location whose public IP address you configured in the Security Group.

Steps

  1. Open a Terminal (Mac OS/Linux) or Command Prompt (Windows) window
  2. Type the following command
    ssh [computelab01-ec2-i01_username]@[computelab01-ec2-i01_ip_address]
  3. Type in the [computelab01-ec2-i01_username] password
  4. You should connect to the computelab01-ec2-i01 EC2 Instance
  5. Milestone step: At this point, you have verified that you have remote access to the computelab01-ec2-i01 EC2 Instance using SSH
  6. Type exit
  7. Type the following command
    ssh [computelab01-ec2-i02_username]@[computelab01-ec2-i02_ip_address]
  8. Type in the [computelab01-ec2-i02_username] password
  9. You should connect to the computelab01-ec2-i02 EC2 Instance
  10. Milestone step: At this point, you have verified that you have remote access to the computelab01-ec2-i02 EC2 Instance using SSH

Last Update: October 27, 2019

October 23, 2019 | Toddy Mladenov | Security And Compliance