Installing Ansible Automation Platform on AWS part 1 – Security Groups

We are going to do a series of posts on installing Ansible Automation Platform on a private, non-connected, hardened AWS platform. I found that there were a lot of variables to consider when deploying AAPv2, and finding all the pieces required way too many KB articles, searching for random tidbits of info, and piecing everything together. So learn from my mistakes, and hopefully your deployment goes a lot smoother.

Before we get started, this is not intended to be a step-by-step guide. I will assume you know how to create AWS infrastructure, manage RHEL servers, perform other basic administrator tasks, and understand the basic parts of Ansible Automation Platform.

Let's begin by configuring our security groups, since without them we won't be able to talk to our various services in AWS. Before you get started, keep in mind that most of these ports can be customized if that is required to meet your security requirements.

Automation Controller

  • SSH (22) to all nodes that are part of AAP.
  • http(s) (80/443) from all places you may access the web page. Since AWS uses ELBs, the nodes really only need it open to the ELB, and the ELB needs to be open to the end users. As a side note, we don't use http, so it's only allowed inside the ELB.
  • PostgreSQL (5432) to the RDS instance

Execution Nodes

These are new in AAPv2. If you're used to the previous version, they take over part of what the controller node did and replace isolated nodes. I suggest reading up on the Automation Mesh.

  • SSH (22) to the controller nodes and other execution nodes
  • receptor port (27119) to all execution nodes. This includes controller nodes.

Database

  • PostgreSQL (5432) to the RDS instance
  • SSH (22) if you aren't using RDS and are instead running the database on a server of your own, you will need this too.

Automation Hub

  • SSH (22) to the controller nodes
  • http(s) (80/443) to the controller & execution nodes, and to the ELBs for users to access.
  • PostgreSQL (5432) to the RDS instance.
  • NFS (2049) if you're going to use a clustered Automation Hub, you need NFS too.

Bonus: Tools server

I highly recommend setting up a tools server. This would be the node you actually execute the install from. I ran into issues trying to have the server I ran the install from also be part of the AAP environment. Most people I've talked to ran into this issue as well. Save yourself the headache.

  • SSH (22) to all servers that you will install AAPv2 on.

Security groups

Your corporate policy will dictate how you break this down. Whether you can use one group or each component needs its own group is up to you and your cyber security team. I've attached an image of one security group containing all the rules, plus ICMP traffic allowed from anywhere.

AWS Security Group
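The port lists above translate fairly directly into security-group ingress rules. The following is an added example (not code from the post) that writes those rules down per component, with each rule expressed from the receiving side and with other security groups, rather than CIDR blocks, as the allowed source wherever the post describes node-to-node traffic. It then turns a component's rules into the IpPermissions structure boto3 expects and audits the whole table for SSH, PostgreSQL, NFS or receptor ports left open to the Internet. The component names, the "sg:" source notation, the user CIDR and the security-group IDs are all constructed placeholders; only the apply() step needs boto3 and AWS credentials.

```python
"""Security-group ingress rules for an AAPv2 deployment on AWS.

Added example, not the post's own code. The rule table is my reading of
the per-component port list in the post, written from the receiving
side. Component names, the "sg:" notation and all IDs are placeholders.
"""
from __future__ import annotations

# Receptor port as listed in the post. The installer inventory sets this
# through receptor_listener_port (the installer's own default is 27199),
# so make sure the two values agree before opening the port.
RECEPTOR_PORT = 27119

# Ingress rules per component: (protocol, from_port, to_port, source).
# "sg:<name>" means only members of that security group may connect;
# anything else is a CIDR block. End users reaching the ELB is the only
# place a CIDR is used; everything else is group-to-group.
RULES: dict[str, list[tuple[str, int, int, str]]] = {
    "elb": [
        ("tcp", 443, 443, "10.0.0.0/8"),  # end-user range (assumed placeholder)
    ],
    "controller": [
        ("tcp", 22, 22, "sg:tools"),  # install and admin SSH from the tools server
        ("tcp", 22, 22, "sg:execution"),  # SSH between AAP nodes
        ("tcp", 443, 443, "sg:elb"),  # HTTPS only from the load balancer
        ("tcp", 80, 80, "sg:elb"),  # HTTP never leaves the ELB
        ("tcp", RECEPTOR_PORT, RECEPTOR_PORT, "sg:execution"),  # automation mesh
        ("icmp", -1, -1, "0.0.0.0/0"),  # ICMP from anywhere, as in the post's group
    ],
    "execution": [
        ("tcp", 22, 22, "sg:tools"),
        ("tcp", 22, 22, "sg:controller"),
        ("tcp", 22, 22, "sg:execution"),  # execution node to execution node
        ("tcp", RECEPTOR_PORT, RECEPTOR_PORT, "sg:controller"),
        ("tcp", RECEPTOR_PORT, RECEPTOR_PORT, "sg:execution"),
    ],
    "database": [
        ("tcp", 5432, 5432, "sg:controller"),
        ("tcp", 5432, 5432, "sg:hub"),
        # add ("tcp", 22, 22, "sg:tools") only for a self-managed server, not RDS
    ],
    "hub": [
        ("tcp", 22, 22, "sg:tools"),
        ("tcp", 22, 22, "sg:controller"),
        ("tcp", 443, 443, "sg:controller"),
        ("tcp", 443, 443, "sg:execution"),
        ("tcp", 443, 443, "sg:elb"),
        ("tcp", 80, 80, "sg:elb"),
        ("tcp", 2049, 2049, "sg:hub"),  # NFS between clustered hub nodes
    ],
}

# Ports that must never be reachable from the whole Internet.
SENSITIVE_PORTS = {22, 5432, 2049, RECEPTOR_PORT}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def ip_permissions(component: str, sg_ids: dict[str, str]) -> list[dict]:
    """Build the IpPermissions list for authorize_security_group_ingress().

    Rules that share a protocol/port range are merged into one entry, which
    is how the EC2 API wants several sources for the same port expressed.
    """
    grouped: dict[tuple[str, int, int], dict] = {}
    for proto, from_port, to_port, source in RULES[component]:
        perm = grouped.setdefault(
            (proto, from_port, to_port),
            {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port},
        )
        if source.startswith("sg:"):
            perm.setdefault("UserIdGroupPairs", []).append(
                {"GroupId": sg_ids[source[len("sg:"):]]})
        else:
            perm.setdefault("IpRanges", []).append({"CidrIp": source})
    return list(grouped.values())


def audit(rules: dict[str, list[tuple[str, int, int, str]]]) -> list[str]:
    """Return one finding per sensitive port that is open to any address."""
    findings = []
    for component, rule_list in rules.items():
        for proto, from_port, to_port, source in rule_list:
            exposed = any(from_port <= p <= to_port for p in SENSITIVE_PORTS)
            if source in ANYWHERE and exposed:
                findings.append(f"{component}: {proto}/{from_port}-{to_port} open to {source}")
    return findings


def apply(component: str, sg_ids: dict[str, str], region: str) -> None:
    """Push a component's rules to its (already created) security group."""
    import boto3  # imported here so the pure functions above run without it

    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(
        GroupId=sg_ids[component],
        IpPermissions=ip_permissions(component, sg_ids),
    )


if __name__ == "__main__":
    placeholder_ids = {n: f"sg-placeholder-{n}" for n in RULES}
    for name in RULES:
        print(name, ip_permissions(name, placeholder_ids))
    print("audit findings:", audit(RULES) or "none")
```

Because every node-to-node rule references a group rather than an address range, the same table works whether you create one group per component or one combined group: for a single combined group, point every "sg:" name at the same group ID and the rules collapse to "members of this group may talk to each other on these ports".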

Installing AAPv2 on AWS – Part 1 – Security Groups <- you are here

Installing AAPv2 on AWS – Part 2 – Databases

Installing AAPv2 on AWS – Part 3 – Load Balancers

Installing AAPv2 on AWS – Part 4 – EC2

source

https://access.redhat.com/solutions/6756251
