EC2 instances are always assigned to one or more security groups. An EC2 security group is a firewall that controls which traffic is allowed to reach the instance. It is separate from any host-based firewall, such as iptables, running on the instance itself.
The DEFAULT security group, by default, allows all TCP, UDP and ICMP traffic only from other instances assigned to the same security group.
So, by default, these instances cannot be reached over the internet unless we explicitly allow outside traffic to reach them.
For example, by adding a rule for TCP port 80 with source 0.0.0.0/0, the instances become reachable over the internet on port 80.
ClusterControl supports various database vendors and each has its own set of standard ports that need to be reachable.
If you use the DEFAULT security group for all instances you do not need to specify individual ports, except to open the following to the outside world:
- port 22 (ssh) to remotely logon to the instances
- 80 (http) and/or 443 (https) for the ClusterControl web application
If you instead want to create/use your own customized security group with tighter control over which ports and protocols are allowed, you need to individually specify the ports/protocols for the specific type of database cluster you are deploying.
Galera Cluster
Default ports and protocols that need to be added to a security group.
- 22 (ssh), source 0.0.0.0/0
- 80 (http) or 443 (https), source 0.0.0.0/0 - ClusterControl web application
- ICMP (echo reply/request), source <security group>
- 3306 (mysql), source <security group>
- 4444 (rsync / SST), source <security group>
- 4567 (galera), source <security group>
- 4568 (galera IST), source <security group>
- 9999 (Xtrabackup streaming port; must be open on the controller, used by /usr/bin/s9s_backupc located on the controller; change the port if needed)
Example: Security group for Galera Cluster with ClusterControl and HAProxy using 33306 for load balancing requests.
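As an added example (not code from ClusterControl or this article), the Galera Cluster rule set above expressed as boto3 IpPermissions: the intra-cluster ports reference the security group itself, so only members of the group can reach them, while only ssh and the web UI are open to the world. The security group id, the apply_rules helper and the same-group source for port 9999 (the list does not state one) are assumptions.

```python
PUBLIC = "0.0.0.0/0"

# Galera ports from the list above that must only be reachable from nodes in
# the same security group (source = <security group>). Port 9999's source is
# not stated on the page; same-group is assumed here.
GALERA_INTERNAL_PORTS = {
    3306: "mysql",
    4444: "rsync / SST",
    4567: "galera replication",
    4568: "galera IST",
    9999: "xtrabackup streaming port (controller)",
}


def tcp_rule(port, source_sg=None, cidr=None, description=""):
    """One TCP IpPermission, sourced from a security group or from a CIDR."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if source_sg is not None:
        rule["UserIdGroupPairs"] = [{"GroupId": source_sg, "Description": description}]
    else:
        rule["IpRanges"] = [{"CidrIp": cidr, "Description": description}]
    return rule


def icmp_echo_rules(source_sg):
    """ICMP echo request (type 8) and echo reply (type 0), same-group only.
    For ICMP, EC2 uses FromPort as the type and ToPort as the code (-1 = any)."""
    return [
        {"IpProtocol": "icmp", "FromPort": icmp_type, "ToPort": -1,
         "UserIdGroupPairs": [{"GroupId": source_sg, "Description": desc}]}
        for icmp_type, desc in ((8, "icmp echo request"), (0, "icmp echo reply"))
    ]


def galera_ingress_rules(sg_id, web_port=443, admin_cidr=PUBLIC):
    """Complete ingress list for a Galera + ClusterControl security group.
    admin_cidr defaults to the page's 0.0.0.0/0; narrowing it is the first tightening."""
    rules = [
        tcp_rule(22, cidr=admin_cidr, description="ssh"),
        tcp_rule(web_port, cidr=admin_cidr, description="ClusterControl web UI"),
    ]
    rules += icmp_echo_rules(sg_id)
    rules += [tcp_rule(port, source_sg=sg_id, description=desc)
              for port, desc in GALERA_INTERNAL_PORTS.items()]
    return rules


def apply_rules(ec2, sg_id, rules):
    """Push the rules with boto3, e.g. ec2 = boto3.client("ec2") (assumed usage)."""
    return ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=rules)
```

Pass a narrower admin_cidr (for example your office range) to galera_ingress_rules to keep ssh and the web UI off the public internet.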
MySQL Cluster
Default ports and protocols that need to be added to a security group.
- 22 (ssh), source 0.0.0.0/0
- 80 (http) or 443 (https), source 0.0.0.0/0 - ClusterControl web application
- ICMP (echo reply/request), source <security group>
- 1186 (mysql cluster), source <security group>
- 2200 (mysql cluster), source <security group>
- 3306 (mysql), source <security group>
MySQL Replication
Default ports and protocols that need to be added to a security group.
- 22 (ssh), source 0.0.0.0/0
- 80 (http) or 443 (https), source 0.0.0.0/0 - ClusterControl web application
- ICMP (echo reply/request), source <security group>
- 3306 (mysql), source <security group>
MongoDB
Default ports and protocols that need to be added to a security group.
- 22 (ssh), source 0.0.0.0/0
- 80 (http) or 443 (https), source 0.0.0.0/0 - ClusterControl web application
- ICMP (echo reply/request), source <security group>
- 3306 (mysql), source <security group> - ClusterControl database
- Replicaset
- 27017 (mongod), source <security group>
- Shards
- 27018 (mongod), source <security group>
- 27017 (mongos), source <security group>
- 27019 (config server), source <security group>
HAProxy
Default ports and protocols that need to be added to a security group.
- 9200 (health check), source <security group>
- 9600 (admin ui), source 0.0.0.0/0
- 33306 (lb mysql port), source <security group>
Amazon Marketplace: ClusterControl
We have an Amazon Marketplace offering which launches the ClusterControl application and is free to use. The security group used by the instance is automatically created and named ClusterControl - Community Edition-1-0-AutogenByAWSMP-.
It specifies all the database TCP ports listed above; however, it is not yet possible to add ICMP echo reply/request automatically.
- If you use the same security group as the ClusterControl instance for your database node instances, you need to add ICMP echo reply/request to the ClusterControl - Community Edition-1-0-AutogenByAWSMP- security group manually.
- If you use a custom security group for your database node instances, it is easiest to add the ClusterControl instance's security group as a source in your custom one, so that the ClusterControl web application (ports 80 and 443) can reach your database node instances.