4.6-Creating an AWS Security Group
Last updated
Back in the AWS EC2 Console, let's go to the "Security Groups" area. A Security Group is the equivalent of a set of firewall rules attached to your virtual servers (more precisely, to their network interfaces) inside a VPC: the AWS infrastructure does the NAT between each server's private IP and its public IP, and filters the traffic, in front of your virtual servers in any AWS region/VPC/private network.
You will find a "default" VPC security group there, which authorizes all inbound traffic between members of the group (source = the security group itself), and all outbound traffic to anywhere (destination = 0.0.0.0/0).
We'll create a specific Security Group for our OpenVPN + Fantasy Grounds requirements (and SSH access if you wish), using the big blue "Create Security Group" button:
Give it a Security group name and a Description (your only, default VPC should already be selected), then let's have a look at the Security group rules panel.
Tech blurb (about which side of the connection is "known"): Security Groups are stateful, so once an inbound packet has been accepted by a rule, the replies are allowed back out automatically, whatever the Outbound rules say. The server will indeed need to send packets:
from its own TCP 1802 port to your players, on unknown/volatile TCP ports at unknown/volatile IPs
from its own UDP 1194 port to you, on an unknown/volatile UDP port, probably at an unknown/volatile IP
The only "known" things here are on the server's side, which is why the inbound rules key on the server's port only, with "anywhere" as the source. The "All traffic" outbound rule the group is created with is not what makes those replies possible; we keep it for connections the server starts itself (package updates, for example).
Using the "Add Rule" button, let's add 2 inbound rules, to authorize incoming network traffic: one using the "Custom TCP rule" type for FG (port 1802), and the other using the "Custom UDP rule" type for OpenVPN (port 1194), both with Source = Anywhere, like this:
...and let's click the blue "Create" button.
You now have a "working" dedicated Security Group for your FG-OpenVPN setup, which also works if you are in a hotel room, etc.
...but it's not perfect, so let's modify it. Security Group rules can be changed at any time, even when the group is currently in use by running servers (which is cool for tests, by the way).
If we look at the Inbound rules of our newly created Security Group (Inbound tab):
We find two IPv6 rules there (Source = ::/0) that we don't want, since this setup only uses IPv4 (they appeared because we used "Anywhere" as the source, which means IPv4 + IPv6). So we'd like to delete these 2 lines.
Also, we may want to add a rule for ourselves (the current public IPv4 of our home Internet access) to reach the server over SSH (TCP 22) for an interactive terminal session.
So let's click the "Edit" button on the Inbound tab. We can do all of that here:
Let's delete the 2 useless IPv6 rules, and add an SSH rule (Type = SSH => TCP 22) with Source = "My IP"...
As soon as you select "My IP" as a source or destination, it is replaced with your current Public IPv4 as seen from the Internet, which is why I blurred mine, even though it's actually not a risk...
Ok, after playing with the rules for a moment, let's clean up and finish with our required Security Group rules for FG + OpenVPN access from any IPv4 address, then finally click the "Save" button:
You can always come back to change a Security Group's Inbound and Outbound rules.
Just don't delete the Security Group itself: it is referenced by its ID, and those references must stay valid (see the Launch Template further on).
Ze Summary for our Security Group Rulez:
Outbound: ALL traffic to ALL IPv4 (0.0.0.0/0). The Outbound tab shows that the members (virtual servers) of that Security Group are authorized to send network packets of any kind, to anywhere: no restriction, freedom, Yeah!
Inbound: TCP 1802 from ALL IPv4 (0.0.0.0/0), for FG
Inbound: UDP 1194 from ALL IPv4 (0.0.0.0/0), for OpenVPN
Inbound (optional): TCP 22 from "My IP" (your current public IPv4, as a /32), for SSH
IF you absolutely want to, you can restrict the OpenVPN inbound rule to your own public IPv4 as well, BUT then you must be prepared to update that rule (just like the SSH one):
every time your home public IPv4 address changes
every time you want to host a game from any other place (hotel, etc.)
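As an added example (not part of the original tutorial, and not AWS code), here is a small Python script that expresses the summary above as the IpPermissions structure the EC2 API uses, and audits a security group, as returned by `aws ec2 describe-security-groups`, against it: it flags the ::/0 lines that the "Anywhere" source adds, an SSH rule left open to the world, and any intended rule that is missing, and it builds the IpPermissions you would pass to `revoke-security-group-ingress` to drop the IPv6 lines. The group ID, the "My IP" address 203.0.113.7 and the sample describe-security-groups output are all constructed for the example; the script makes no AWS calls, so it runs offline.

```python
"""Audit an EC2 Security Group against the FG + OpenVPN rule set.

Added example for this tutorial, not AWS code. Makes no AWS calls: the
sample group below is constructed to look like one element of the
SecurityGroups list printed by `aws ec2 describe-security-groups`.
"""
import ipaddress
import json

MY_IP = "203.0.113.7"  # constructed placeholder for your home public IPv4 (TEST-NET-3)


def host_cidr(ip_text):
    """Turn a bare public address (e.g. the body returned by
    https://checkip.amazonaws.com) into the /32 the console writes for "My IP"."""
    addr = ipaddress.ip_address(ip_text.strip())
    return f"{addr}/{addr.max_prefixlen}"


# Intended inbound rules: (protocol, port, source CIDR), IPv4 only.
INTENDED_INBOUND = [
    ("tcp", 1802, "0.0.0.0/0"),       # Fantasy Grounds, from any IPv4
    ("udp", 1194, "0.0.0.0/0"),       # OpenVPN, from any IPv4
    ("tcp", 22, host_cidr(MY_IP)),    # SSH, from our own public IPv4 only
]


def intended_ip_permissions(rules=INTENDED_INBOUND):
    """Build the IpPermissions list accepted by the EC2 API
    (`aws ec2 authorize-security-group-ingress --ip-permissions ...`).
    Only IpRanges (IPv4) is filled in, so no ::/0 entry can appear."""
    return [
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": cidr}]}
        for proto, port, cidr in rules
    ]


def flatten(ip_permissions):
    """Yield (proto, from_port, to_port, cidr, ip_version) per CIDR,
    walking both the IPv4 (IpRanges) and IPv6 (Ipv6Ranges) lists."""
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        lo = perm.get("FromPort", -1)   # absent when IpProtocol is "-1" (all traffic)
        hi = perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            yield (proto, lo, hi, r["CidrIp"], 4)
        for r in perm.get("Ipv6Ranges", []):
            yield (proto, lo, hi, r["CidrIpv6"], 6)


def audit_inbound(group, intended=INTENDED_INBOUND):
    """Compare a group's inbound rules with the intended set; return findings."""
    actual = set(flatten(group["IpPermissions"]))
    wanted = {(proto, port, port, cidr, 4) for proto, port, cidr in intended}
    findings = []
    for proto, lo, hi, cidr, ver in sorted(actual - wanted):
        if ver == 6:
            findings.append(f"unwanted IPv6 rule: {proto} {lo}-{hi} from {cidr}")
        elif proto == "-1":
            findings.append(f"all traffic allowed from {cidr}")
        elif proto == "tcp" and lo <= 22 <= hi:
            findings.append(f"SSH open to {cidr}: restrict it to your own /32")
        else:
            findings.append(f"unexpected rule: {proto} {lo}-{hi} from {cidr}")
    for proto, lo, _hi, cidr, _ver in sorted(wanted - actual):
        findings.append(f"missing rule: {proto} {lo} from {cidr}")
    return findings


def ipv6_revocations(ip_permissions):
    """IpPermissions to pass to `aws ec2 revoke-security-group-ingress`
    to delete exactly the IPv6 lines that the "Anywhere" source added."""
    out = []
    for perm in ip_permissions:
        if perm.get("Ipv6Ranges"):
            keep = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            out.append({**keep, "Ipv6Ranges": perm["Ipv6Ranges"]})
    return out


# Constructed sample: the group as the console's "Anywhere" source left it,
# plus an SSH rule mistakenly opened to the whole Internet.
SAMPLE_GROUP = json.loads("""
{
  "GroupId": "sg-0123456789abcdef0",
  "GroupName": "fg-openvpn",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1802, "ToPort": 1802,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
  ]
}
""")

if __name__ == "__main__":
    for line in audit_inbound(SAMPLE_GROUP):
        print(line)
    print(json.dumps(ipv6_revocations(SAMPLE_GROUP["IpPermissions"])))
```

To audit a real group, feed the script `SecurityGroups[0]` from `aws ec2 describe-security-groups --group-ids <your sg id> --output json`; the lists returned by `intended_ip_permissions()` and `ipv6_revocations()` are valid JSON for the `--ip-permissions` option of `aws ec2 authorize-security-group-ingress` and `aws ec2 revoke-security-group-ingress` respectively.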