Kognitio on AWS Networking

Public and Private IPs

Nodes in AWS usually have two IP addresses - a public and a private one. The public IP address is the one that can be seen from the Internet, while the private IP address can only be reached over a private network. When you connect to the public IP address of a node, the connection goes over the internet. When you connect to the private IP address of a node, the connection goes over the private network between the two nodes. This means that in order to use the private address of a node you must either be in the same VPC as that node or have a private network route set up into that VPC (e.g. a VPN, VPC peering, etc).

Connection filtering

Amazon filters incoming connections to nodes for security. It is advisable to set these filters tightly because nodes have a public internet IP and overly-permissive filters allow unauthorized internet hosts to attempt to connect in (and try to guess passwords, etc). Filtering is done by the IP address a connection comes from, which means you give Amazon a list of the IP addresses which are allowed to connect to a node. If you are connecting to a node's public IP address then the connection will come from the public internet IP address of the connecting computer. If you are using a private address then the address the connection comes from depends on the type of peering/VPN/etc being used, and the network administrator will supply this information.

Specifying connection filters for the Launcher

When running the launcher's cloud formation template you need to specify two network filters - the admin IP range and the client IP range. These filters specify the IP addresses which will be allowed to connect to the ssh / launcher ports and the ODBC / JDBC ports respectively. Any nodes launched by the launcher will have the same filters.

Filters are specified using CIDR notation. This is an IP address followed by a /mask value (e.g. 172.30.0.0/16). Briefly, an IPv4 address is four 1-byte values separated by dots, and the number after the / is how many leading bits of the address must match. The remaining bits are effectively wildcards. So 172.30.0.0/16 is like allowing 172.30.*.* IP addresses, while 10.0.0.0/8 is like saying 10.*.*.* .

You can use 0.0.0.0/0 to allow all inbound connections, but this is not a good idea, since it lets every address on the internet reach those ports. For a single IP address use /32.

Remember these filters apply to connections from both private and public networks. So if other nodes in your VPC need to be able to connect then the filter needs to allow that. The launcher will always be able to connect to the nodes it launches regardless of these filters. Likewise the nodes in a Kognitio server cluster will be able to connect to each other regardless of the filter specified.
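The following is an added example, not part of the Kognitio documentation: a minimal CIDR matcher that mirrors how a security group filter decides whether a source address may reach a service, with the launcher's admin and client filters modelled as two rule lists. The service names, the sample ranges (203.0.113.0/24 is a documentation range) and the source addresses are constructed for illustration.

```python
# Added example (not Kognitio's own code): CIDR matching as used by
# AWS security-group filters. Sample ranges and addresses are constructed.
from typing import Dict, List, Tuple


def ip_to_int(ip: str) -> int:
    """Convert a dotted-quad IPv4 address to a 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {ip}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {ip}")
        value = (value << 8) | octet
    return value


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """Return (network, mask) for 'a.b.c.d/n'; a bare address is treated as /32."""
    addr, _, bits = cidr.partition("/")
    prefix = int(bits) if bits else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top 'prefix' bits set
    return ip_to_int(addr) & mask, mask


def cidr_allows(cidr: str, source_ip: str) -> bool:
    """True if source_ip is inside cidr (the unmasked bits are wildcards)."""
    network, mask = parse_cidr(cidr)
    return ip_to_int(source_ip) & mask == network


def is_open_to_world(cidr: str) -> bool:
    """A /0 mask (0.0.0.0/0) matches every address on the internet."""
    return parse_cidr(cidr)[1] == 0


# The launcher's two filters, keyed by the service group they protect.
# Constructed sample values: one admin address, and the VPC's private range
# for clients so other nodes in the VPC can reach the ODBC / JDBC ports.
FILTERS: Dict[str, List[str]] = {
    "admin": ["203.0.113.10/32"],   # ssh / launcher ports
    "client": ["172.30.0.0/16"],    # ODBC / JDBC ports
}


def connection_allowed(filters: Dict[str, List[str]], service: str, source_ip: str) -> bool:
    """Decide whether a connection from source_ip may reach the named service."""
    return any(cidr_allows(c, source_ip) for c in filters.get(service, []))
```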

Multiple IP ranges as filters

Amazon allows multiple IP ranges in security groups, but the cloud formation template does not allow multiple ranges to be specified in its parameters. If you want to have multiple IP ranges, launch with one IP range and then edit the security groups created by the cloud formation template launcher to add the other IP ranges yourself.