R2R Security Group and Firewall Configuration Guide

Proper security group and firewall configuration is crucial for securing your R2R deployment while ensuring necessary services remain accessible. This guide covers configurations for both cloud environments and local deployments.

Cloud Environments (AWS, Azure, GCP)

AWS Security Groups

  1. Create a new security group for your R2R deployment:
aws ec2 create-security-group --group-name R2R-SecurityGroup --description "Security group for R2R deployment"
  2. Configure inbound rules:
# Allow SSH access (restrict to your IP if possible)
aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 22 --cidr 0.0.0.0/0

# Allow access to R2R API
aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 7272 --cidr 0.0.0.0/0

# Allow access to R2R Dashboard
aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 8001 --cidr 0.0.0.0/0

# Allow access to Hatchet Dashboard
aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 8002 --cidr 0.0.0.0/0

# If using Neo4j browser interface
aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 7474 --cidr 0.0.0.0/0

Azure Network Security Groups

  1. Create a new Network Security Group:
az network nsg create --name R2R-NSG --resource-group YourResourceGroup --location YourLocation
  2. Add inbound security rules:
# Allow SSH access
az network nsg rule create --name AllowSSH --nsg-name R2R-NSG --priority 100 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22

# Allow R2R API access
az network nsg rule create --name AllowR2RAPI --nsg-name R2R-NSG --priority 200 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 7272

# Allow R2R Dashboard access
az network nsg rule create --name AllowR2RDashboard --nsg-name R2R-NSG --priority 300 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 8001

# Allow Hatchet Dashboard access
az network nsg rule create --name AllowHatchetDashboard --nsg-name R2R-NSG --priority 400 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 8002

Google Cloud Platform Firewall Rules

  1. Create firewall rules:
# Allow SSH access
gcloud compute firewall-rules create allow-ssh --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0

# Allow R2R API access
gcloud compute firewall-rules create allow-r2r-api --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:7272 --source-ranges=0.0.0.0/0

# Allow R2R Dashboard access
gcloud compute firewall-rules create allow-r2r-dashboard --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:8001 --source-ranges=0.0.0.0/0

# Allow Hatchet Dashboard access
gcloud compute firewall-rules create allow-hatchet-dashboard --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:8002 --source-ranges=0.0.0.0/0

Local Deployments

For local deployments, you’ll need to configure your operating system’s firewall. Here are instructions for common operating systems:

Ubuntu/Debian (UFW)

# Allow SSH
sudo ufw allow 22/tcp

# Allow R2R API
sudo ufw allow 7272/tcp

# Allow R2R Dashboard
sudo ufw allow 8001/tcp

# Allow Hatchet Dashboard
sudo ufw allow 8002/tcp

# If using Neo4j browser interface
sudo ufw allow 7474/tcp

# Enable the firewall
sudo ufw enable

CentOS/RHEL (firewalld)

# Allow SSH
sudo firewall-cmd --permanent --add-port=22/tcp

# Allow R2R API
sudo firewall-cmd --permanent --add-port=7272/tcp

# Allow R2R Dashboard
sudo firewall-cmd --permanent --add-port=8001/tcp

# Allow Hatchet Dashboard
sudo firewall-cmd --permanent --add-port=8002/tcp

# If using Neo4j browser interface
sudo firewall-cmd --permanent --add-port=7474/tcp

# Reload firewall
sudo firewall-cmd --reload

Windows (Windows Firewall)

  1. Open Windows Defender Firewall with Advanced Security
  2. Click on “Inbound Rules” and then “New Rule”
  3. Choose “Port” and click “Next”
  4. Select “TCP” and enter the specific ports (22, 7272, 8001, 8002, 7474 if using Neo4j browser)
  5. Choose “Allow the connection” and click “Next”
  6. Apply the rule to all profiles (Domain, Private, Public)
  7. Give the rule a name (e.g., “R2R Ports”) and click “Finish”

Best Practices

  1. Least Privilege: Only open ports that are absolutely necessary.
  2. IP Restrictions: When possible, restrict access to known IP addresses or ranges.
  3. Use VPN: For added security, consider using a VPN for accessing administrative interfaces.
  4. Regular Audits: Periodically review and update your security group and firewall rules.
  5. Monitoring: Implement logging and monitoring for all allowed ports.
  6. HTTPS: Use HTTPS for all web interfaces and APIs when possible.
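As an added example (not part of the R2R guide or project), the audit below applies the least-privilege and IP-restriction points above to an AWS security group: it reads the JSON shape returned by `aws ec2 describe-security-groups`, flags any administrative port from this guide (22, 8001, 8002, 7474) that is reachable from 0.0.0.0/0 or ::/0, and prints the revoke/authorize pair that narrows the rule. The group contents, CIDRs and the 203.0.113.0/24 admin range are constructed sample values.

```python
import json
from ipaddress import ip_network

# Port roles from the guide: SSH and the dashboards are administrative and should be
# source-restricted; the API on 7272 is the service most deployments expose broadly.
ADMIN_PORTS = {22: "SSH", 8001: "R2R Dashboard", 8002: "Hatchet Dashboard", 7474: "Neo4j browser"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output, trimmed to the
# fields the audit reads. Group contents and CIDRs are made up for this example.
SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [{"GroupName": "R2R-SecurityGroup", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "tcp", "FromPort": 7272, "ToPort": 7272, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "tcp", "FromPort": 8001, "ToPort": 8002, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
 {"IpProtocol": "tcp", "FromPort": 7474, "ToPort": 7474, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
  "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
]}]}""")

def world_open_cidrs(perm):
    """CIDRs in one IpPermission that cover the entire IPv4 or IPv6 space (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]

def audit(groups, admin_ports=ADMIN_PORTS):
    """Return (group, port, role, cidr) for every admin port reachable from anywhere.
    IpProtocol "-1" (all traffic) covers every port; TCP rules are checked against their
    FromPort..ToPort range, so a combined rule such as 8001-8002 is handled as well."""
    findings = []
    for group in groups["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue  # UDP/ICMP rules do not expose these TCP services
            for cidr in world_open_cidrs(perm):
                for port, role in sorted(admin_ports.items()):
                    if lo <= port <= hi:
                        findings.append((group["GroupName"], port, role, cidr))
    return findings

def remediation(group, port, cidr, admin_cidr):
    """AWS CLI pair that replaces a world-open IPv4 rule with one limited to admin_cidr."""
    def cmd(action, c):
        return f"aws ec2 {action}-security-group-ingress --group-name {group} --protocol tcp --port {port} --cidr {c}"
    return [cmd("revoke", cidr), cmd("authorize", admin_cidr)]

if __name__ == "__main__":
    for group, port, role, cidr in audit(SAMPLE_GROUPS):
        print(f"{group}: {role} (tcp/{port}) open to {cidr}")
        if ":" not in cidr:  # IPv6 rules need --ip-permissions rather than --cidr
            for line in remediation(group, port, cidr, "203.0.113.0/24"):  # placeholder admin range
                print("  ", line)
```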

Verifying Configuration

After setting up your firewall rules, verify that the necessary ports are open:

# For Linux systems
nmap -p 22,7272,8001,8002,7474 your_server_ip

# For Windows systems (requires nmap installation)
nmap -p 22,7272,8001,8002,7474 your_server_ip

This should show the status of each port (open or closed).

Remember to adjust these configurations based on your specific deployment needs and security requirements. Always follow your organization’s security policies and best practices.