DEV Community

loading...
Cover image for Configuring Security Groups/IAM Roles - CloudFormation for infrastructure set up -02
AWS Community Builders

Configuring Security Groups/IAM Roles - CloudFormation for infrastructure set up -02

Gayan Fonseka
Software Architect with an M.Sc. in IT, AWS Community Builder, PMP certified Project Manager. Strong in Azure/AWS Cloud, Server technologies, and programming.
Updated on ・2 min read

This is a continuation of the previous article where I set up the Virtual Private Network required to host the application using CloudFormation. Feel free to read the need and how to set up the VPC at the below link,

Get rid of old habits- Use CloudFormation for infrastructure set up -01

Now that we have set up various subnets as Public and Private subnets we need to control incoming and outgoing traffic to ensure that our application is secured and able to cater to the user requests. For this purpose, we will have to enable a certain type of traffic through certain ports. E.g. TCP over port 5000 for the application, TCP over port 3306 for MySQL. AWS has provided this facility through security groups that act as a virtual firewall for our EC2 instances that will host our application. Given below is the CloudFormation YAML for security group configuration.

As you can see, I have created security groups enabling traffic for EC2 instances in the app subnets, database subnet, public load balancer, VPC link, and the private load balancer. This basically covers all the areas for which we need to enable traffic.

As the next step, we will have to export some of these configurations as output values to be used in the coming stacks. I'll be doing that in the below code.

I am not going into details as most of these CloudFormation code snippets are self-explanatory. The description section has a brief on what each part does.

There are two ways to gain access to the EC2 instances in a private subnet. One of them is using the bastion host and the other is to use Systems Manager (SSM) provided by AWS. I prefer to use SSM and you can read more on this at "Toward a bastion less world". The reason I mentioned this is, in the upcoming section where I share the code to configure the IAM roles, you'll see me using policies that are related to SSM and I don't want you to be confused.

Now we have the VPC, subnets, the required security groups, and IAM roles configured using CloudFormation to host our applications. In the next article, I'll be adding some compute resources to each of these subnets so you can host your application. Also, in an article to follow, I'll share how to run these templates and get the infrastructure setup in AWS along with the complete code hosted in Github. Thanks for reading.

Discussion (0)