- resource "aws_security_group" "re" {
- name = "RedisEnterprise"
- description = "Redis Enterprise Security Group"
- vpc_id = "${var.vpc-id}"
- tags = merge({ Name = "RedisEnterprise-${var.vpc-name}" }, var.common-tags)
- ###############################################################################
- # Ingress
- ###############################################################################
- # SSH Internal
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # SSH External
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = var.open-nets
- }
- ###############################################################################
- # Redis Enterprise Specific
- # https://docs.redislabs.com/latest/rs/administering/designing-production/networking/port-configurations
- ###############################################################################
- # For connectivity checking between nodes
- ingress {
- from_port = -1
- to_port = -1
- protocol = "icmp"
- cidr_blocks = [var.vpc-cidr]
- }
- # Internal cluster usage
- ingress {
- from_port = 3333
- to_port = 3339
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- ingress {
- from_port = 36379
- to_port = 36380
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # For application to access the RS Discovery Service
- ingress {
- from_port = 8001
- to_port = 8001
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # For secure (https) access to the management web UI
- ingress {
- from_port = 8443
- to_port = 8443
- protocol = "tcp"
- cidr_blocks = var.open-nets
- }
- # For nginx <->cnm_http/cm communications on the same host only. Ports are bound to loopback adapter.
- ingress {
- from_port = 8444
- to_port = 8444
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- ingress {
- from_port = 9080
- to_port = 9080
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # For CRDB management
- ingress {
- from_port = 9081
- to_port = 9081
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # For metrics exported and managed by nginx
- ingress {
- from_port = 8070
- to_port = 8071
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # Used to expose the REST API, including cluster management and node bootstrap
- ingress {
- from_port = 8080
- to_port = 8080
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- ingress {
- from_port = 9443
- to_port = 9443
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # For exposing databases externally
- ingress {
- from_port = 10000
- to_port = 19999
- protocol = "tcp"
- cidr_blocks = var.open-nets
- }
- # For internal communications with database shards
- ingress {
- from_port = 20000
- to_port = 29999
- protocol = "tcp"
- cidr_blocks = [var.vpc-cidr]
- }
- # For accessing DNS/mDNS functionality in the cluster
- ingress {
- from_port = 53
- to_port = 53
- protocol = "udp"
- cidr_blocks = [var.vpc-cidr]
- }
- ingress {
- from_port = 5353
- to_port = 5353
- protocol = "udp"
- cidr_blocks = [var.vpc-cidr]
- }
- ###############################################################################
- # Egress
- ###############################################################################
- egress {
- from_port = 0
- to_port = 65535
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
- egress {
- from_port = -1
- to_port = -1
- protocol = "icmp"
- cidr_blocks = [var.vpc-cidr]
- }
- egress {
- from_port = 0
- to_port = 65535
- protocol = "udp"
- cidr_blocks = ["0.0.0.0/0"]
- }
- }