I am preparing for a Dremio CE on AWS deployment and need to set up a security group. We have a federated AWS GovCloud environment, so I have to reuse YAML templates from CloudFormation if possible, and understand what the rules are doing from the perspective of an orchestrator. I cannot set up or configure my own VPC, but there is a VPC already in place that I can use.
I found some example YAML here on GitHub and have modified it for my use case (see below). I also referred to the Dremio AWS deployment prerequisite docs.
- Why are the outbound rules so permissive?
- Should the outbound egress sections be included in cloudformation below explicitly?
- What would outbound rules look like in a typical deployment that needs to restrict egress traffic? Can I reuse the same ports and IP ranges as in ingress, assuming I only need to connect to data sources in the same IP range?
- Can we somehow export a CloudFormation YAML showing the full extent of a Dremio stack already deployed on AWS, such as a quickstart on AWS public cloud, for example? I need portability, i.e. the ability to test customizations separately before bringing them to the federated AWS environment. It would be great to have a community repo of custom CloudFormation templates for functional Dremio stacks on AWS.
Draft YAML for the security group specifics:
DremioSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Dremio Access
    GroupName: cmc-dev-dremio
    VpcId: !Ref Vpc  # Vpc info not visible to my federated AWS account
    # Note: CidrIp takes a single CIDR string, not a list; use one rule per
    # port/source pair. No SecurityGroupEgress is given, so the group keeps the
    # implicit "allow all outbound" rule.
    SecurityGroupIngress:
      - IpProtocol: tcp          # Dremio web UI / REST
        FromPort: 9047
        ToPort: 9047
        CidrIp: 137.227.6.0/24
      - IpProtocol: tcp          # Dremio ODBC/JDBC client port
        FromPort: 31010
        ToPort: 31010
        CidrIp: 137.227.6.0/24
      - IpProtocol: tcp          # SSH for administration
        FromPort: 22
        ToPort: 22
        CidrIp: 137.227.6.0/24
      - IpProtocol: tcp          # HTTP
        FromPort: 80
        ToPort: 80
        CidrIp: 137.227.6.0/24

# Self-referencing rule kept as a separate resource so the group does not
# depend on itself (inline !Ref to the same group is a circular dependency).
DremioSecurityGroupSelfIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref DremioSecurityGroup
    IpProtocol: -1             # all protocols and ports between cluster nodes
    SourceSecurityGroupId: !Ref DremioSecurityGroup
Thanks!
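Added example (editor's illustration, not the poster's template and not taken from the Dremio quickstart): what the same security group can look like when egress has to be restricted rather than left open. It reuses the poster's ports and the 137.227.6.0/24 range. The egress rule for TCP 443 to that range is an assumption about how the data sources are reached; adjust it to the protocols your sources actually use. The HTTP/80 ingress rule from the draft is left out here only to keep the block short.

```yaml
DremioSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Dremio Access (restricted egress)
    GroupName: cmc-dev-dremio
    VpcId: !Ref Vpc
    SecurityGroupIngress:
      - IpProtocol: tcp          # Dremio web UI / REST
        FromPort: 9047
        ToPort: 9047
        CidrIp: 137.227.6.0/24
      - IpProtocol: tcp          # Dremio ODBC/JDBC client port
        FromPort: 31010
        ToPort: 31010
        CidrIp: 137.227.6.0/24
      - IpProtocol: tcp          # SSH for administration
        FromPort: 22
        ToPort: 22
        CidrIp: 137.227.6.0/24
    # Listing ANY egress rule here makes CloudFormation drop the implicit
    # "allow all outbound to 0.0.0.0/0" rule that a new group otherwise gets.
    # Security groups are stateful, so replies to the allowed inbound
    # connections above do not need their own egress rules.
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 137.227.6.0/24
        Description: HTTPS to data sources in the same range (assumed port)

# Self-referencing rules stay as separate resources to avoid a circular
# dependency on the group itself.
DremioSecurityGroupSelfIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref DremioSecurityGroup
    IpProtocol: -1
    SourceSecurityGroupId: !Ref DremioSecurityGroup

# Egress twin of the self-ingress rule: nodes may talk to each other on any
# port, but to nothing else except what SecurityGroupEgress above allows.
DremioSecurityGroupSelfEgress:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref DremioSecurityGroup
    IpProtocol: -1
    DestinationSecurityGroupId: !Ref DremioSecurityGroup
```

Two caveats for practice. First, the default allow-all egress is removed only by an inline SecurityGroupEgress entry; standalone AWS::EC2::SecurityGroupEgress resources alone do not remove it, which is why AWS documents a placeholder rule (ICMP to 127.0.0.1/32) for groups that should otherwise have no egress at all. Second, anything the nodes must reach outside that range (OS package repositories, AWS service endpoints such as S3 if Dremio uses them as sources or for storage) needs either an explicit egress rule to that destination or a VPC endpoint; with the rules above, such traffic is simply dropped, so test the stack with this restricted group before promoting it to the GovCloud environment.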