resource "aws_security_group" "mesos_master_sg" { | |
name = "mesos_master_sg" | |
description = "mesos master SG" | |
vpc_id = "${aws_vpc.vpc.id}" | |
} | |
resource "aws_security_group" "zookeeper_server_sg" { | |
name = "zookeeper_server_sg" | |
description = "zookeeper SG" | |
vpc_id = "${aws_vpc.vpc.id}" | |
} | |
resource "aws_security_group" "mesos_slave_sg" { | |
name = "mesos_slave_sg" | |
description = "mesos slave SG" | |
vpc_id = "${aws_vpc.vpc.id}" | |
} | |
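##### Mesos master SG rules
# ingress on 5050 (master HTTP endpoint) from the mesos slaves.
# Previously this was cidr_blocks = ["0.0.0.0/0"] "for testing", which
# exposes the master endpoint to the whole internet; a security group
# rule cannot carry both cidr_blocks and source_security_group_id, so
# the single world-open rule is split into one rule per legitimate
# source: slaves, other masters, and the management whitelist.
resource "aws_security_group_rule" "mesos_master_ingress_mesos_slaves" {
  type                     = "ingress"
  from_port                = 5050
  to_port                  = 5050
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.mesos_master_sg.id}"
  source_security_group_id = "${aws_security_group.mesos_slave_sg.id}"
}
# ingress on 5050 from the other mesos masters (the matching ingress
# side of the master-to-master 5050 egress rule declared below).
resource "aws_security_group_rule" "mesos_master_ingress_mesos_master_self" {
  type              = "ingress"
  from_port         = 5050
  to_port           = 5050
  protocol          = "tcp"
  security_group_id = "${aws_security_group.mesos_master_sg.id}"
  self              = true
}
# ingress on 5050 from the whitelisted management IPs, so operators keep
# access to the master UI; same source as the marathon/chronos UI rules.
resource "aws_security_group_rule" "mesos_master_ingress_whitelist_ip" {
  type              = "ingress"
  from_port         = 5050
  to_port           = 5050
  protocol          = "tcp"
  cidr_blocks       = ["${var.whitelisted_management_ips}"]
  security_group_id = "${aws_security_group.mesos_master_sg.id}"
}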
# egress from a mesos master to the other masters on 5050 (self rule).
# NOTE: the resource name says "ingress" but type is "egress"; the name
# is kept as-is because renaming changes the Terraform state address.
resource "aws_security_group_rule" "mesos_master_ingress_mesos_master" {
  security_group_id = "${aws_security_group.mesos_master_sg.id}"
  self              = true
  type              = "egress"
  protocol          = "tcp"
  from_port         = 5050
  to_port           = 5050
}
# marathon UI on 8080: ingress restricted to the management IP whitelist
# (var.whitelisted_management_ips) rather than any CIDR.
resource "aws_security_group_rule" "marathon_ingress_whitelist_ip" {
  security_group_id = "${aws_security_group.mesos_master_sg.id}"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 8080
  to_port           = 8080
  cidr_blocks       = ["${var.whitelisted_management_ips}"]
}
# chronos UI on 4400: ingress restricted to the management IP whitelist
# (the production setting; no open CIDR here).
resource "aws_security_group_rule" "chronosUI_ingress_whitelist_ip" {
  security_group_id = "${aws_security_group.mesos_master_sg.id}"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 4400
  to_port           = 4400
  cidr_blocks       = ["${var.whitelisted_management_ips}"]
}
# egress from the mesos masters to the ZooKeeper client port (2181),
# scoped to the zookeeper security group instead of a CIDR.
resource "aws_security_group_rule" "mesos_master_egress_zk_server" {
  security_group_id        = "${aws_security_group.mesos_master_sg.id}"
  source_security_group_id = "${aws_security_group.zookeeper_server_sg.id}"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 2181
  to_port                  = 2181
}
# egress from the mesos masters to the slave port (5051), scoped to the
# mesos slave security group.
resource "aws_security_group_rule" "mesos_master_egress_mesos_slaves" {
  security_group_id        = "${aws_security_group.mesos_master_sg.id}"
  source_security_group_id = "${aws_security_group.mesos_slave_sg.id}"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 5051
  to_port                  = 5051
}
##### Zookeeper SG rules
# ZooKeeper client port (2181): ingress from the mesos slaves only.
resource "aws_security_group_rule" "zk_server_ingress_mesos_slaves" {
  security_group_id        = "${aws_security_group.zookeeper_server_sg.id}"
  source_security_group_id = "${aws_security_group.mesos_slave_sg.id}"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 2181
  to_port                  = 2181
}
# ZooKeeper client port (2181): ingress from the mesos masters only.
resource "aws_security_group_rule" "zk_server_ingress_mesos_masters" {
  security_group_id        = "${aws_security_group.zookeeper_server_sg.id}"
  source_security_group_id = "${aws_security_group.mesos_master_sg.id}"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 2181
  to_port                  = 2181
}
# ZooKeeper quorum port (2888): a leader accepts connections from the
# followers; self rule, so only members of this group can connect.
resource "aws_security_group_rule" "zk_server_ingress_zk_followers" {
  security_group_id = "${aws_security_group.zookeeper_server_sg.id}"
  self              = true
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 2888
  to_port           = 2888
}
# ZooKeeper quorum port (2888): a follower connects out to the leader;
# self rule matching the ingress rule above.
resource "aws_security_group_rule" "zk_follower_egress_zk_leader" {
  security_group_id = "${aws_security_group.zookeeper_server_sg.id}"
  self              = true
  type              = "egress"
  protocol          = "tcp"
  from_port         = 2888
  to_port           = 2888
}
# ZooKeeper leader election port (3888): ingress from the other
# ensemble members (self rule).
resource "aws_security_group_rule" "zk_leader_election_ingress" {
  security_group_id = "${aws_security_group.zookeeper_server_sg.id}"
  self              = true
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 3888
  to_port           = 3888
}
# ZooKeeper leader election port (3888): egress to the other ensemble
# members (self rule).
resource "aws_security_group_rule" "zk_leader_election_egress" {
  security_group_id = "${aws_security_group.zookeeper_server_sg.id}"
  self              = true
  type              = "egress"
  protocol          = "tcp"
  from_port         = 3888
  to_port           = 3888
}
##### mesos slaves SG rules
# slave port (5051): ingress only from the mesos master security group.
resource "aws_security_group_rule" "mesos_slave_ingress_mesos_master" {
  security_group_id        = "${aws_security_group.mesos_slave_sg.id}"
  source_security_group_id = "${aws_security_group.mesos_master_sg.id}"
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 5051
  to_port                  = 5051
}
# egress from the slaves to the ZooKeeper client port (2181), scoped to
# the zookeeper security group.
resource "aws_security_group_rule" "mesos_slave_egress_zk_server" {
  security_group_id        = "${aws_security_group.mesos_slave_sg.id}"
  source_security_group_id = "${aws_security_group.zookeeper_server_sg.id}"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 2181
  to_port                  = 2181
}
# egress from the slaves to the mesos master port (5050), scoped to the
# mesos master security group.
resource "aws_security_group_rule" "mesos_slave_egress_mesos_master" {
  security_group_id        = "${aws_security_group.mesos_slave_sg.id}"
  source_security_group_id = "${aws_security_group.mesos_master_sg.id}"
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 5050
  to_port                  = 5050
}