Every instance with its own security group, or one security group for all instances?

Question

Imagine that we have a blueprint which generates an Ambari Server and a Hadoop cluster with two nodes.

We are using the following project --> https://github.com/brooklyncentral/brooklyn-ambari

In this case, three entities are created (1 Ambari Server + 2 Hadoop nodes) and consequently, 3 security groups are generated. Every entity would have its own security group.

What would be the best practice: Above mentioned (one security group per entity) or only 1 security group for all entities (if it is possible)?

Answer 1

Options include the following:

1. Have Brooklyn auto-generate a security group per VM. This is the default, however it is not the most secure as it opens the port(s) publicly rather than just to the other Ambari VMs.

2. Use a pre-existing security group for all the Ambari VMs. You can configure the location with securityGroups: nameOfMySecurityGroup. This security group will be used unmodified, so can be used to provide access between the Ambari VMs.

3. Configure Brooklyn to create a new security group to be shared by all the Ambari VMs. This requires using a "location customizer" that creates the security group and adds it to the configuration being used to create the VMs. It can use or build on https://github.com/apache/incubator-brooklyn/blob/0.7.0-incubating/locations/jclouds/src/main/java/brooklyn/location/jclouds/networking/JcloudsLocationSecurityGroupCustomizer.java. Brooklyn would benefit from making that easier to use out-of-the-box!

Best practice depends on your security requirements. Option (3) gives you maximum flexibility to configure it securely based on your needs, so is arguably best practice. Option (2) is simple to do for infrequent deployments but annoying if you have to manually create a security group ahead of time. Option (1) is simplest, but exposes more ports than absolutely necessary so should probably be discouraged for production use.