
I am building the backend for a turn-based game. My experience is mostly with a LAMP stack; I've dabbled in nginx on a Node side project.

I just read Scaling PHP Applications by Stephen Corona of TwitPic. He recommends an nginx server over Apache. He says that his Ubuntu machine has ports 32768-61000 open.

On AWS, do I need to modify my security group to allow access to those ports? How do I ensure nginx is taking full advantage of this configuration?

Update:

I anticipate most of my requests being at port 443, which is why I was confused about his recommendation for opening more ports.

This is the recommendation he makes:

net.ipv4.ip_local_port_range

ip_local_port_range defines the range of usable ports on your system. On my stock Ubuntu installation, it's set to 32768-61000. Increase the range to allow for more connections. The number of available ports limits the number of simultaneous open connections. Remember, even after a connection is closed it still eats a port in the TIME_WAIT state (though we mitigate this with some settings below).

sysctl -w net.ipv4.ip_local_port_range="10000 65535"

vi /etc/sysctl.d/haproxy-tuning.conf
net.ipv4.ip_local_port_range=10000 65535
  • Why would you need to open these ports? – Michael Hampton Jun 26 '13 at 03:34
  • What port(s) do the game services run on that external players need to connect to? Those are the ports you should open. – joeqwerty Jun 26 '13 at 03:39
  • How did you go with this. Can we help you further? – Drew Khoury Aug 06 '13 at 08:01
  • He may need to open those ports because they are the ephemeral ports used by many linux distributions. See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#VPC_ACLs_Ephemeral_Ports. For example, if you are using Opsworks within a non-default VPC, with EC2 instances in private subnets, it is important to open these ports(or some of them) to ensure that Opsworks can work properly. – Peter Kirby Apr 10 '14 at 23:34

2 Answers


On AWS do I need to modify my security to group to allow access to those ports?

For incoming connections, yes. For connections that are initiated by your server, no.

By default, all outgoing ports are open and all incoming ports (except for SSH) are closed.

Incoming connections are those that are initiated by software that resides outside of your box. Outgoing connections are those that are initiated by software that resides inside your box, such as your linux kernel or NGINX on your instance.

How do I ensure nginx is taking full advantage of this configuration?

When you define ip_local_port_range, this setting defines ports for outgoing connections from your server. You would not want to open those ports (or any other ports that you don't need) for incoming connections in an AWS security group. However, you need to open all ports on which NGINX is supposed to listen to incoming requests (typically the standard HTTP/HTTPS ports, hand-picked, but definitely not a port range).

Aside from that, you should run your servers in a VPC ("EC2 VPC" as opposed to "EC2 classic"). If you run your server in "EC2 classic" it is conceivable that some other user on the internal AWS network might succeed in port scanning your box if they happen to be in the same subnet. This is illegal on AWS and will get that user's account closed. For this very same reason, if you need to run a port scan, any penetration testing at all, or anything even remotely resembling a vulnerability scan, on your own AWS infrastructure, you absolutely have to ask Amazon for permission to do so or you will get yourself into some big trouble. You can obtain authorization for vulnerability scanning here: https://aws.amazon.com/security/penetration-testing/

  • If using a network ACL for additional protection, you do need to open up the ephemeral port range. Some more info comparing security groups and ACLs here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison – Adam Sheehan Dec 24 '15 at 18:49
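The confusion in the question comes from ip_local_port_range governing the source ports of outgoing connections, not the ports nginx listens on. As an added example, not part of the question or either answer, this POSIX shell script computes how many ports a range string provides and, from a constructed `ss -tan` sample, counts how many of them outgoing connections already hold (the inbound client connection on 443 is not counted, since it sits on the listening port, not an ephemeral one); the function names `port_range_size`, `count_state` and `ephemeral_in_use` are chosen here.

```shell
#!/bin/sh
# Added example: audit the ephemeral port range that ip_local_port_range
# controls and estimate how much of it outgoing connections consume.

# Number of usable source ports in a range string such as "32768 61000".
port_range_size() {
    set -- $1            # split "low high" into $1 and $2
    echo $(( $2 - $1 + 1 ))
}

# Count sockets in one state (ESTAB, TIME-WAIT, ...) from `ss -tan` output
# read on stdin; the first line of ss output is a header and is skipped.
count_state() {
    awk -v st="$1" 'NR > 1 && $1 == st { n++ } END { print n + 0 }'
}

# Count non-listening sockets whose local port falls inside the range:
# these are the ports the ephemeral range actually has to supply.
# $1 = "low high"; stdin = ss -tan output.
ephemeral_in_use() {
    set -- $1
    awk -v lo="$1" -v hi="$2" 'NR > 1 && $1 != "LISTEN" {
        n = split($4, a, ":"); p = a[n] + 0      # local port is after the last colon
        if (p >= lo && p <= hi) used++
    } END { print used + 0 }'
}

# Constructed sample of `ss -tan` output standing in for a live host:
# one inbound HTTPS client, one live DB connection, two closed DB
# connections still lingering in TIME-WAIT.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:443          0.0.0.0:*
ESTAB     0      0      10.0.1.5:443         203.0.113.7:51234
ESTAB     0      0      10.0.1.5:40001       10.0.2.9:3306
TIME-WAIT 0      0      10.0.1.5:40002       10.0.2.9:3306
TIME-WAIT 0      0      10.0.1.5:40003       10.0.2.9:3306'

# On a real host replace the sample with:  ss -tan
# and the range with:  cat /proc/sys/net/ipv4/ip_local_port_range
range="32768 61000"
echo "ephemeral range $range: $(port_range_size "$range") ports"
echo "in use (sample):    $(printf '%s\n' "$SAMPLE_SS" | ephemeral_in_use "$range")"
echo "TIME-WAIT (sample): $(printf '%s\n' "$SAMPLE_SS" | count_state TIME-WAIT)"
```

Widening the range to "10000 65535" as the book suggests only changes the first number; nothing here needs a security group change, because none of these ports accept inbound traffic.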

If you need to open ports for your application you can specify a port (or range of ports) in an AWS Security Group.

Create a new rule with the desired range, i.e. as per your example 32768-61000.

As to the question of if you need all these ports open, that comes down to how you architect your application. I suspect if you go down the route of many small EC2s behind a Load Balancer (a common setup for scalable solutions) then the advice of lots of open ports may not apply here.

AWS Load Balancers can handle lots of traffic and don't need lots of ports open.

Drew Khoury