Deploying Chef Server on AWS - Security group


#1

Hi,

I am deploying a Chef server on an EC2 instance. I used to open all the ports as specified in the article:
https://docs.chef.io/server_firewalls_and_ports.html.
The source was from anywhere (0.0.0.0/0).

It is certainly not the best practice to use such a security group in production. So, I need to limit the ports to the minimum and use the minimal source which enables me to work smoothly.

The first port which caused an issue is 443. I understand that my IP should be in the source and every instance which has the same security group enabled. To translate it to EC2 syntax:
Security group id -
Rules:
Type: HTTPS, Protocol: tcp, Port Range: 443, source:
Type: HTTPS, Protocol: tcp, Port Range: 443, source:

But it doesn’t work. When I open the port to anywhere, it’s working.
Type: HTTPS, Protocol: tcp, Port Range: 443, source: 0.0.0.0/0

Can you advise why that is and what is the most limited configuration for this port to work for me?

Thanks,
Liora


#2

Hello Liora,

What is the source trying to do on Chef Server?

We have specific IPs with Allow HTTPS on the security group used by Chef Server and Outbound is Allow ALL Traffic to 0.0.0.0/0 which works fine.

Do you also use ACLs on top of security groups?


#3

I do not understand your questions. Sorry.


#4

I’d suggest you run everything inside a VPC and allow incoming traffic to the Chef Server on port 443 from the VPC’s CIDR range; that’s the easiest.
i.e.: HTTPS, Protocol: tcp, Port Range: 443, source: 192.168.0.0/16

Another option is to attach a SG to all Chef Clients and use it to allow access to the Chef Server.
i.e.: HTTPS, Protocol: tcp, Port Range: 443, source: sg-
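As an added illustration (not code from this thread or from Chef), the following Python model shows how the two kinds of inbound rule suggested above behave: a CIDR-based rule matches on the source IP address, while a rule whose source is another security group matches only traffic from instances that actually have that group attached. The IPs, CIDR ranges and the `sg-...` id are constructed sample values, not values from the thread; the model deliberately ignores network ACLs (asked about in #2), outbound rules and stateful return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, List, Dict

# Constructed sample identifiers (not real AWS resources).
CLIENT_SG = "sg-0123456789abcdef0"   # SG attached to every Chef client
VPC_CIDR = "192.168.0.0/16"          # the VPC range used as an example in #4
WORKSTATION_IP = "203.0.113.7"       # an operator's public IP (documentation range)


@dataclass
class Rule:
    """One inbound security-group rule: exactly one of cidr / source_sg is set."""
    protocol: str
    port: int
    cidr: Optional[str] = None       # e.g. "192.168.0.0/16" or "203.0.113.7/32"
    source_sg: Optional[str] = None  # e.g. "sg-0123456789abcdef0"


def rule_matches(rule: Rule, src_ip: str, src_groups: Set[str],
                 protocol: str, port: int) -> bool:
    """True if this single rule permits a flow from src_ip (with the given SGs attached)."""
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.cidr is not None:
        # CIDR rules look only at the source address.
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr, strict=False)
    if rule.source_sg is not None:
        # SG-referenced rules ignore the address entirely; the source instance
        # must have that group attached (and be routed over the VPC, not a public IP).
        return rule.source_sg in src_groups
    return False


def is_allowed(rules: List[Rule], src_ip: str, src_groups: Set[str],
               protocol: str = "tcp", port: int = 443) -> bool:
    """Security groups are allow-lists: any matching inbound rule permits the flow."""
    return any(rule_matches(r, src_ip, src_groups, protocol, port) for r in rules)


# The candidate rule sets discussed in the thread.
OPEN_RULE = Rule("tcp", 443, cidr="0.0.0.0/0")                  # what #1 wants to get rid of
VPC_RULE = Rule("tcp", 443, cidr=VPC_CIDR)                      # option 1 in #4
SG_RULE = Rule("tcp", 443, source_sg=CLIENT_SG)                 # option 2 in #4
WORKSTATION_RULE = Rule("tcp", 443, cidr=f"{WORKSTATION_IP}/32")  # the operator's own IP


def evaluate_scenarios() -> Dict[str, bool]:
    """Run a few constructed sources against each rule set."""
    chef_client_in_vpc = ("192.168.1.10", {CLIENT_SG})
    stray_instance_in_vpc = ("192.168.5.20", set())     # same VPC, client SG not attached
    workstation = (WORKSTATION_IP, set())
    other_host = ("203.0.113.8", set())
    return {
        # 0.0.0.0/0 lets everyone in, which is the problem the thread starts from.
        "open_other_host": is_allowed([OPEN_RULE], *other_host),
        # VPC CIDR rule: anything inside the VPC, nothing outside it.
        "vpc_chef_client": is_allowed([VPC_RULE], *chef_client_in_vpc),
        "vpc_stray_instance": is_allowed([VPC_RULE], *stray_instance_in_vpc),
        "vpc_workstation": is_allowed([VPC_RULE], *workstation),
        # SG rule: only instances carrying the client SG, even inside the VPC.
        "sg_chef_client": is_allowed([SG_RULE], *chef_client_in_vpc),
        "sg_stray_instance": is_allowed([SG_RULE], *stray_instance_in_vpc),
        # A /32 rule admits exactly one address; a changed or NATed IP no longer matches.
        "ws_rule_workstation": is_allowed([WORKSTATION_RULE], *workstation),
        "ws_rule_other_host": is_allowed([WORKSTATION_RULE], *other_host),
        # The tightest set that still serves both clients and the operator.
        "combined_chef_client": is_allowed([SG_RULE, WORKSTATION_RULE], *chef_client_in_vpc),
        "combined_workstation": is_allowed([SG_RULE, WORKSTATION_RULE], *workstation),
        "combined_other_host": is_allowed([SG_RULE, WORKSTATION_RULE], *other_host),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The combined set at the end is the least-privilege shape that follows from #4: clients are admitted by group membership rather than by address, and the operator is admitted by a single /32. If an SG-referenced rule appears not to work, the first things to check are whether the connecting instance really has that group attached and whether it is reaching the server over its VPC address rather than a public one, since the group reference never matches on IP.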