Riak Security on AWS.


Riak Security on AWS.

vvsanil
What are the best practices for securing my Riak cluster on AWS? The cluster will be sitting under a load balancer (ELB). Basically, how do I prevent others from accessing my Riak cluster if they happen to know my IP address/ports?

(Using Nginx as reverse proxy is not an option for us.)

Re: Riak Security on AWS.

Hector Castro-2
Hi,

We recently published a blog post detailing methods of deployment on AWS [0].

More specifically, to secure the nodes behind an ELB you can assign
them security groups as they're defined here [1]. With regard to the
ELB, spinning one up in a VPC [2] is the only way to assign security
groups to it. This allows you to whitelist specific nodes trying to
talk to the Riak cluster [3].

[0] http://basho.com/blog/technical/2013/01/30/RiakonAWS/
[1] http://docs.basho.com/riak/1.2.1/tutorials/installation/Installing-on-AWS-Marketplace/
[2] http://aws.amazon.com/vpc/
[3] http://aws.typepad.com/aws/2011/11/new-aws-elastic-load-balancing-inside-of-a-virtual-private-cloud.html

Hope this helps,

--
Hector



Re: Riak Security on AWS.

Ian Ha
We also run on AWS and we use security groups. You can restrict inbound traffic to other nodes with the same security group only.



Re: Riak Security on AWS.

vvsanil
Hello Ian

If we are operating outside a VPC, can we just instruct our Riak cluster (which sits under an ELB) to accept traffic only from our app server IP?

Could you elaborate more on how you handled your security?

Thank you,  




Re: Riak Security on AWS.

Ian Ha
Yes, you can do that on AWS.

In our case, we just defined a security group called 'riak', we set the inbound restrictions on that group and also tell it to only accept connections from other EC2 nodes that have the same security group. On Riak node creation, we give the 'riak' security group to the node. You also have the option to define the IP source of the inbound connection (which is what you are looking to do). This was all done via the AWS console. Just go to the "Security" tab in the EC2 section of the AWS console.

Hope that helps.


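The rule set described in the replies above (a 'riak' security group that admits its own members, plus one app-server source IP) can be checked mechanically. This is an added example, not part of the thread: it audits inbound rules in the shape returned by EC2 DescribeSecurityGroups and reports any Riak port reachable from another source. The port list (Riak defaults), the group ID and the app-server address are assumptions constructed for illustration.

```python
import ipaddress

# Assumed Riak default listener ports (not stated in the thread):
# 8087 protocol buffers, 8098 HTTP, 8099 handoff, 4369 epmd.
RIAK_PORTS = {8087, 8098, 8099, 4369}

def covers_riak_port(perm):
    """True if an IpPermissions entry opens at least one Riak port."""
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in RIAK_PORTS)

def audit_group(group, allowed_cidrs):
    """List (ports, source) pairs that expose Riak to anything other than
    the group itself or the explicitly allowed IPv4 source CIDRs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in group["IpPermissions"]:
        if not covers_riak_port(perm):
            continue
        ports = f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if not any(net.subnet_of(a) for a in allowed):
                findings.append((ports, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):  # no IPv6 source is expected
            findings.append((ports, r["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != group["GroupId"]:  # not the self-reference
                findings.append((ports, pair["GroupId"]))
    return findings

# Constructed sample in the shape of EC2 DescribeSecurityGroups output.
SAMPLE = {
    "GroupId": "sg-riak-example", "GroupName": "riak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4369, "ToPort": 4369,
         "UserIdGroupPairs": [{"GroupId": "sg-riak-example"}]},
        {"IpProtocol": "tcp", "FromPort": 8087, "ToPort": 8087,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 8098, "ToPort": 8098,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
```

Calling `audit_group(SAMPLE, ["203.0.113.10/32"])` flags only the HTTP port left open to `0.0.0.0/0`; the self-referencing rule and the single app-server address pass.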