Securing the server

Modifying a Security Group

When you create an instance, you must create a Security Group or select an existing Security Group. A Security Group is the Amazon Web Services term for a firewall. Configure the Security Group to allow and deny access to the instance.

When an instance is running, you cannot change the Security Group it belongs to. You can modify the rules of that Security Group, however.

Note:

Amazon says, “A security group defines firewall rules for your instances. These rules specify which incoming network traffic should be delivered to your instance (e.g., accept web traffic on port 80). All other traffic is ignored. You can modify rules for a group at any time. The new rules are automatically enforced for all running instances.”

  1. In the AWS Management Console, in the Navigation pane, click Security Groups.

  2. Select the Security Group to modify. The rules for the Security Group are displayed in the lower pane.

  3. To add a rule, provide the following information and click Save:

    • Protocol

      This menu contains a list of protocols and the ports they most commonly use. For example, HTTP uses port 80. The RTMP protocol is not included in this list. To add it, select Custom and enter 1935 for the From Port and To Port.

    • From Port

      This is the low number in a range. To open a single port, use the same value for the From Port and To Port.

    • To Port

      This is the high number in a range. To open a single port, use the same value for the From Port and To Port.

    • Source (IP or Group).

    Note:

    From the Amazon documentation: To allow access from other instances in a security group, enter the security group name in the Connection Source field. To configure this rule to apply to an IP address range, enter the CIDR range. For example, enter 0.0.0.0/0 to allow all IP addresses to access the specified port range. Enter an IP address or subnet to limit access to that one computer or network, for example 92.23.32.51/32.

Add rules to the Security Group

By default, Adobe Media Server is configured to use the following ports and protocols to stream media. Define the following ports in a Security Group:

| Connection method | Protocol | Port | Description |
| --- | --- | --- | --- |
| HTTP | TCP | 80 | By default, Flash Player and AIR clients that cannot connect to Adobe Media Server over port 1935 attempt to tunnel over port 80 (RTMPT). If Apache is installed and enabled, HTTP requests made over port 80 are proxied to Apache over port 8134. |
| All | TCP | 1935 | By default, Flash Player and AIR clients make RTMP connections to Adobe Media Server over port 1935/TCP. To communicate with Adobe Media Server over the RTMP protocol, clients attempt to connect to ports in the following order: 1935, 80 (RTMP), 80 (RTMPT). |
| All | UDP | 1935 | The RTMFP protocol communicates over UDP. Clients connect to the server over 1935 and the server redirects the client to a port between 19350 and 19360. To change the default RTMFP port range, edit the Adaptor/RTMFP/Core/HostPortList/HostPort element in the Adaptor.xml Configuration files. |
| SSH | TCP | 22 | Allows you to connect to an instance over SSH to copy files, manage logs and configuration files, and so on. |

To configure additional ports for streaming, add the ports to the Security Group and add the ports to the Adobe Media Server configuration files. See Configure IP addresses and ports in the Adobe Media Server Configuration and Administration Guide.
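The following added example (not part of the original Adobe or Amazon documentation) audits a Security Group's ingress rules against the port table above: it reports streaming ports that are not open, rules that open ports the table does not list, and SSH rules whose source is every address. It assumes the rules are supplied in the `IpPermissions` shape that EC2 `DescribeSecurityGroups` returns, that the RTMFP redirect range 19350-19360/UDP must be opened alongside 1935/UDP, and that SSH should be limited to an address or subnet; the function names and sample data are constructed for illustration.

```python
from ipaddress import ip_network

# Ingress the page's port table calls for: (protocol, low port, high port).
STREAMING = [
    ("tcp", 80, 80),        # HTTP and RTMPT tunnelling
    ("tcp", 1935, 1935),    # RTMP
    ("udp", 1935, 1935),    # RTMFP initial connection
    ("udp", 19350, 19360),  # RTMFP redirect range (assumed to need a rule too)
]
SSH = ("tcp", 22, 22)


def _span(rule):
    """Normalise one IpPermissions entry to (protocol, low, high)."""
    # Protocol "-1" means all traffic and carries no port fields.
    if rule["IpProtocol"] == "-1":
        return ("-1", 0, 65535)
    return (rule["IpProtocol"], rule["FromPort"], rule["ToPort"])


def _within(inner, outer):
    """True if every port opened by `inner` is also opened by `outer`."""
    return (outer[0] in (inner[0], "-1")
            and outer[1] <= inner[1] and inner[2] <= outer[2])


def audit(ip_permissions):
    """Return (missing, too_broad, world_ssh) for a list of ingress rules."""
    spans = [_span(r) for r in ip_permissions]
    missing = [w for w in STREAMING if not any(_within(w, s) for s in spans)]
    too_broad = [s for s in spans
                 if not any(_within(s, a) for a in STREAMING + [SSH])]
    world_ssh = []
    for rule, span in zip(ip_permissions, spans):
        if not _within(SSH, span):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # A prefix length of 0 (0.0.0.0/0 or ::/0) matches every address.
        world_ssh += [c for c in cidrs
                      if ip_network(c, strict=False).prefixlen == 0]
    return missing, too_broad, world_ssh


# Constructed sample: every rule uses source 0.0.0.0/0, including SSH and 8134.
SAMPLE = [{"IpProtocol": p, "FromPort": n, "ToPort": n, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
          for p, n in [("tcp", 80), ("tcp", 1935), ("udp", 1935), ("tcp", 22), ("tcp", 8134)]]
```

For the constructed sample, `audit(SAMPLE)` reports the RTMFP redirect range as missing, port 8134 as outside the table, and the SSH rule as open to all addresses.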

Additional security resources

For detailed information about securing your instance, see the Adobe Media Server Hardening Guide.

For more information about securing the server, see Configuring security features in the Adobe Media Server Configuration and Administration Guide.

Learn more about Amazon Web Services Network Security Concepts and Using Security Groups.