CDP:Functional Firewall Pattern
Multi-Tier Access Control
Problem to Be Solved
Multi-tier access constraints using firewalls have been used as security measures that have been routinely employed even in systems of the past. However, when the number of access control rules becomes large, the setup of the firewall becomes complex, with many settings. The operating cost rises commensurately. If the rules for the firewall cannot be grouped, maintenance becomes complex as well, increasing the probability that there will be an error.
Explanation of the Cloud Solution/Pattern
In the past, firewalls have used dedicated machines, and usually the rules have been controlled without grouping. Even if grouping has been possible, it has been difficult to apply by the server unit. In the AWS Cloud, however, the firewall has also been virtualized, enabling a more flexible setup. You can group the rules, and the setup can be by the group unit, or applied to individual servers. By having the group units be by the individual functions (web servers versus database servers, and so forth), the setup of the functions can be controlled centrally, within the groups. Application to virtual servers can also be through functional group units, simplifying the maintenance of access control and reducing the possibility of error.
AWS lets you use virtual firewalls known as "security groups." You can construct security groups for each function, with rules under centralized control. Once they are set up, you can apply the security groups to the EC2 instances that are divided by functional units, enabling grouping by individual functions.
- Group the EC2 instances by individual functions (web layer, application layer, database layer, and so forth).
- Make a security group for each EC2 instance group, and set it up in the EC2 instances.
- Set up security groups for IP addresses, port numbers, and so forth.
- Multi-tier access control improves security. The EC2 virtual servers are grouped by individual functions, eliminating the need to change the virtual firewall settings even when using the scale-out pattern.
- While several different definitions are possible because virtual firewalls are logical entities, creating too many makes them difficult to understand, so you need to think about the granularity of the groups.