Eucalyptus vs. AWS - Differences in Ingress Security Group Authorization for Elastic Load Balancing (ELB)


Eucalyptus Version:  3.4.2 - 4.0.0

Differences in Ingress Security Group Authorization for Elastic Load Balancing (ELB) Between AWS and Eucalyptus

Problem

When creating Elastic Load Balancers (ELBs), Eucalyptus and Amazon Web Services (AWS) differ in how security groups are associated with the Elastic Load Balancer (ELB).  Understanding this difference helps users keep traffic between an Elastic Load Balancer and its back-end instances locked down on Eucalyptus.

In AWS, every Elastic Load Balancer belongs to the security group named 'amazon-elb-sg', whose owner alias is 'amazon-elb' [1].  In Eucalyptus, each Elastic Load Balancer (ELB) [2] is assigned its own security group, with a unique security group ID behind the security group name.  For example:

# eulb-describe-lbs MyLoadBalancer --show-long
LOAD_BALANCER MyLoadBalancer MyLoadBalancer-408396244283.elb.acme.eucalyptus-systems.com {interval=200,target=HTTP:80/,timeout=3,healthy-threshold=2,unhealthy-threshold=4} ViciousLiesAndDangerousRumors i-5518F41F,i-10910C65 {protocol=HTTP,lb-port=80,instance-protocol=HTTP,instance-port=80},{protocol=HTTPS,lb-port=443,instance-protocol=HTTP,instance-port=80,cert-id=arn:aws:iam::408396244283:server-certificate/acmes-dev-eucalyptus,{MyLoadBalancerPolicy}} {policy-name=MyBalancerPolicy,expiration-period=10} {owner-alias=944786667073,group-name=euca-internal-408396244283-SSLNginxLoadBalancer} 2014-05-30T16:20:44.248Z

To lock down communication to back-end instances running in a given security group that are registered with the Elastic Load Balancer (ELB) on Eucalyptus (which is similar to the step performed on AWS), do the following:

# euca-authorize mysecuritygroup -u 944786667073 -o euca-internal-408396244283-MyLoadBalancer --port-range -1 

(Note:  Eucalyptus requires a port range to be given when authorizing ingress rules, which differs from the behavior on AWS [3])

To see the rules applied, use euca-describe-groups:

# euca-describe-groups mysecuritygroup 
GROUP sg-5F6ACB71 408396244283 mysecuritygroup Security Group for Web Servers
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 1 65535 FROM USER 944786667073 ID sg-5DFC77A3 ingress
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress

Notice how the ingress rule refers to the source by security group ID and user ID.  This differs from AWS.  For example:

$ ec2-describe-group security-group-test
GROUP sg-7436900e 000000000000 security-group-test Test Group
PERMISSION 000000000000 security-group-test ALLOWS icmp -1 -1 FROM USER amazon-elb NAME amazon-elb-sg ID sg-843f00ed ingress
PERMISSION 000000000000 security-group-test ALLOWS tcp 0 65535 FROM USER amazon-elb NAME amazon-elb-sg ID sg-843f00ed ingress
PERMISSION 000000000000 security-group-test ALLOWS udp 0 65535 FROM USER amazon-elb NAME amazon-elb-sg ID sg-843f00ed ingress
PERMISSION 000000000000 security-group-test ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress

This is due to the fact that AWS has all Elastic Load Balancing instances in the same security group [4], [5].  

While this doesn't seem like a big issue, it actually poses a problem when the following scenarios occur on a Eucalyptus cloud:

  • Cloud maintenance (when all resources need to be terminated)
  • If a user deletes/creates Elastic Load Balancer(s)

Because every newly created Elastic Load Balancer receives a new security group ID, an ingress rule that referred to the previous balancer's group ID no longer matches.  What this means for cloud users is that, after either event, the security group associated with the back-end instances will need to be updated for each affected Elastic Load Balancer.  

Workaround

Once a cloud user on Eucalyptus has authorized ingress rules for an Elastic Load Balancer and wants to clean up the security group rule associated with that Elastic Load Balancer, the user needs to pass the security group ID instead of the security group name to euca-revoke.  For example:

# euca-revoke mysecuritygroup -u 944786667073 -o sg-5DFC77A3 -p -1

Additionally, any time a new Elastic Load Balancer is created (even if it has the same name as a previous Elastic Load Balancer that was deleted), the cloud user will have to authorize ingress rules again for that Elastic Load Balancer.  For example:

# euca-authorize mysecuritygroup -u 944786667073 -o euca-internal-408396244283-MyLoadBalancer --port-range -1
# euca-describe-groups mysecuritygroup 
GROUP sg-5F6ACB71 408396244283 mysecuritygroup Security Group for Web Servers
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 1 65535 FROM USER 944786667073 ID sg-A8383E29 ingress
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress
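The following script is an added example (not part of this article or of the euca2ools/Eucalyptus code) that automates the workaround above for both the maintenance and the delete/re-create scenarios. It parses the two text formats shown in this article (the {owner-alias=...,group-name=...} field of eulb-describe-lbs --show-long and the PERMISSION lines of euca-describe-groups), prints the euca-authorize command for the balancer's current group name, and, after a second euca-describe-groups run, works out which rule ID was just added so that every other rule granted to the ELB service account can be revoked by ID. The sample outputs are constructed from the article's examples (the "after" listing is constructed to show both the stale and the new rule), and the ELB service account 944786667073 is the value from the article's output; it will differ on another cloud.

```python
"""Reconcile a security group's ingress rules with the current Eucalyptus ELB.

Added example; not Eucalyptus project code. Assumes the text formats of
eulb-describe-lbs --show-long and euca-describe-groups as shown in the
article. It prints commands rather than running them.
"""
import re

# Constructed sample, abbreviated from the article's eulb-describe-lbs output.
SAMPLE_ELB_OUTPUT = (
    "LOAD_BALANCER MyLoadBalancer MyLoadBalancer-408396244283.elb.acme.eucalyptus-systems.com "
    "{interval=200,target=HTTP:80/,timeout=3,healthy-threshold=2,unhealthy-threshold=4} "
    "ViciousLiesAndDangerousRumors i-5518F41F,i-10910C65 "
    "{protocol=HTTP,lb-port=80,instance-protocol=HTTP,instance-port=80} "
    "{owner-alias=944786667073,group-name=euca-internal-408396244283-MyLoadBalancer} "
    "2014-05-30T16:20:44.248Z\n"
)

# Constructed sample: the group before re-authorizing (old ELB rule only).
SAMPLE_GROUPS_BEFORE = """GROUP sg-5F6ACB71 408396244283 mysecuritygroup Security Group for Web Servers
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 1 65535 FROM USER 944786667073 ID sg-5DFC77A3 ingress
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress
"""

# Constructed sample: the same group after euca-authorize for the new ELB (both rules present).
SAMPLE_GROUPS_AFTER = """GROUP sg-5F6ACB71 408396244283 mysecuritygroup Security Group for Web Servers
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 1 65535 FROM USER 944786667073 ID sg-5DFC77A3 ingress
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 1 65535 FROM USER 944786667073 ID sg-A8383E29 ingress
PERMISSION 408396244283 mysecuritygroup ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0 ingress
"""

ELB_ACCOUNT = "944786667073"  # ELB service account from the article; differs per cloud

ELB_SOURCE_RE = re.compile(r"\{owner-alias=([^,}]+),group-name=([^,}]+)\}")


def parse_elb_source_groups(elb_output):
    """Map each load balancer name to its (owner alias, security group name)."""
    result = {}
    for line in elb_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "LOAD_BALANCER":
            continue
        match = ELB_SOURCE_RE.search(line)
        if match:
            result[fields[1]] = (match.group(1), match.group(2))
    return result


def parse_user_rules(group_output):
    """Return {source sg id: (owner, proto, from_port, to_port)} for ingress
    rules whose source is another security group (FROM USER ... ID ...).
    Works for both the Eucalyptus and the AWS listing shown in the article."""
    rules = {}
    for line in group_output.splitlines():
        f = line.split()
        if f[:1] != ["PERMISSION"] or "USER" not in f or "ID" not in f or f[-1] != "ingress":
            continue
        allows = f.index("ALLOWS")
        proto, lo, hi = f[allows + 1], f[allows + 2], f[allows + 3]
        owner = f[f.index("USER") + 1]
        sg_id = f[f.index("ID") + 1]
        rules[sg_id] = (owner, proto, lo, hi)
    return rules


def plan_authorize(target_group, lb_groups):
    """euca-authorize commands granting each balancer's current group access."""
    return [
        "euca-authorize %s -u %s -o %s --port-range -1" % (target_group, owner, name)
        for owner, name in lb_groups.values()
    ]


def stale_elb_rule_ids(before, after, elb_account=ELB_ACCOUNT):
    """Rule IDs granted to the ELB account that predate the re-authorization.
    Returns None when the authorize step added nothing (rule already current),
    because then the listing alone cannot tell the live ELB's ID from stale ones."""
    old = {sg for sg, r in parse_user_rules(before).items() if r[0] == elb_account}
    new = {sg for sg, r in parse_user_rules(after).items() if r[0] == elb_account}
    if not new - old:
        return None
    return sorted(old)


def plan_revoke(target_group, elb_account, stale_ids):
    """euca-revoke commands, by security group ID as the article requires."""
    return ["euca-revoke %s -u %s -o %s -p -1" % (target_group, elb_account, sg) for sg in stale_ids]


if __name__ == "__main__":
    lbs = parse_elb_source_groups(SAMPLE_ELB_OUTPUT)
    print("\n".join(plan_authorize("mysecuritygroup", lbs)))
    stale = stale_elb_rule_ids(SAMPLE_GROUPS_BEFORE, SAMPLE_GROUPS_AFTER)
    if stale is None:
        print("# no new rule appeared; refusing to guess which ELB rule is live")
    else:
        print("\n".join(plan_revoke("mysecuritygroup", ELB_ACCOUNT, stale)))
```

The order matters: authorize the new balancer by name first, re-run euca-describe-groups, and only then revoke by ID, so back-end traffic is never cut off between the two steps. If the authorize step adds no rule (the current balancer was already granted), the script declines to revoke anything rather than risk removing the live rule.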

References

[1]   AWS Elastic Load Balancing - Manage Security Groups in Amazon EC2-Classic
[2]   Knowledge Base Article - Management of Eucalyptus Elastic Load Balancers
[3]   Eucalyptus Jira Issue - TOOLS-484
[4]   Eucalyptus Jira Issue - EUCA-9471
[5]   Eucalyptus Jira Issue - EUCA-9486
