Comments on: Security Groups – Most Underappreciated Feature of Amazon EC2

By: Dmitriy

Dmitriy — Thu, 24 Sep 2009 00:08:59 +0000

Thanks Yan, I totally forgot. I even modified my ec2kill to only kill instances with my security group so that I couldn’t kill others’ instances by accident (at work we share a set of credentials among several people for development purposes).

By: Yan

Yan — Wed, 23 Sep 2009 20:38:48 +0000

You forgot to mention your inventive usage of SG’s as impromptu tags. When running many images, and sharing an EC2 account with other coworkers, it may be advantageous to ‘tag’ your instance with a SG such as started-by-bob so that everyone knows by looking at an instance’s SG who launched it, and that it should not be brought down

By: Dmitriy

Dmitriy — Wed, 23 Sep 2009 15:25:13 +0000

Thanks.

Re performance impact – absolutely should be explored. I personally don’t think it would be too noticeable in practice, but exact measurements won’t hurt.

Re shortfalls – I agree it’s a tradeoff. I also am curious how other IaaS clouds will make this tradeoff – will they choose to deliver more firewall features than EC2 or less, what the consequences of this could be and whether this would lead to a features race between clouds.

BTW, many kudos for A6 stuff you’re doing – hugely important methinks.

- Dmitriy

By: Christofer Hoff

Christofer Hoff — Tue, 22 Sep 2009 20:24:45 +0000

Good write-up, Dmitriy.

The shortfalls you’ve indicated demonstrate the tradeoff between a mass-marketed “good enough” and socialist-security approach and security.

The performance impact of some of the things on your wishlist are an interesting issue to further explore…

Thanks,

/Hoff

By: Shlomo

Shlomo — Tue, 22 Sep 2009 16:53:30 +0000

Thanks for this nice writeup of security groups.

Another advanced usage of security groups: tagging instances. Here’s my article on that:
http://clouddevelopertips.blogspot.com/2009/06/tagging-ec2-instances-using-security_30.html