A word of warning: this is for demonstration purposes only! To avoid introducing security vulnerabilities to your ECS instances, carefully review any Security Group (SG) changes similar to the ones in this post before applying them.
Configure Security Group for connecting ECS
Before you start ...
- Enable the SG to allow port 1433 (or whatever port the application is using)
- This assumes your ECS instance is in a public subnet (has a public IP)
- You will need to have the credentials for your SQL user
Security Group - Application server
The Security Group configuration below is for the application server, which hosts applications on ports 443 and 80. Ports 443 and 80 are the standard globally exposed ports for HTTPS and HTTP respectively (web browsers use these ports by default for HTTP).
Note: Port 22 is only needed for SSH; you only need it if you plan to remote into the ECS server using SSH clients. By default, all outbound traffic is 'Allow' and all inbound traffic to ECS is 'Forbid'.
Security Group - Database server
The Security Group configuration below is for the database server, which hosts MSSQL on port 1433. The Security Group exposes port 1433 for inbound traffic from the IP of the application server ECS instance. This allows the application server to communicate with the database server on port 1433.
In this demo, the application server and database server are on the same VPC. The Security Group below will also work if you have the application server on a public subnet and the database server on a private subnet. Port 22 is not needed and is shown for demo purposes only!
Configuring MSSQL server
To enable remote connections to the Microsoft SQL database server, check that the SQL server has remote connections enabled. By default, MSSQL uses port 1433; if you use a different port, make sure that port is allowed in the Security Groups for remote connections.
Note: You do NOT need to configure remote SQL connections if you do not intend to connect to the DB remotely. This is for demo purposes only; connections from the application ECS server instance do not require remote SQL connections.
You should be able to connect to the SQL DB from anywhere with a SQL user configured for remote connections. Once you are done with MSSQL remote connections, it is best practice to remove any unused port rules from your Security Group and disable remote connections to the database.
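To check that the cleanup above was actually done, the database server's inbound rules can be audited for port 1433 or 22 left open to anything other than the application server. The following is an added example, not code from the original post: the rule list is constructed sample data, its field names are modeled on the ECS DescribeSecurityGroupAttribute response as an assumption, and 203.0.113.10 is a placeholder for the application server's IP.

```python
import ipaddress

# Constructed sample rules; field names modeled on the ECS
# DescribeSecurityGroupAttribute response (an assumption, verify against real output).
APP_SERVER_IP = "203.0.113.10"  # placeholder for the application server's IP
DB_SG_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "1433/1433",
     "SourceCidrIp": "203.0.113.10/32", "Policy": "Accept"},  # intended rule
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "1433/1433",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},  # left from the remote-connection demo
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},  # SSH, not needed per the post
]
SENSITIVE_PORTS = {1433: "MSSQL", 22: "SSH"}


def covers(port_range, port):
    """True if a 'start/end' port range includes port; '-1/-1' means all ports."""
    start, end = (int(p) for p in port_range.split("/"))
    return (start, end) == (-1, -1) or start <= port <= end


def audit_db_security_group(rules, allowed_ip):
    """Return (port, source, reason) for inbound Accept rules that open 1433 or 22
    to anything other than the single allowed application server address."""
    allowed = ipaddress.ip_address(allowed_ip)
    findings = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
            continue
        if rule["IpProtocol"].upper() not in ("TCP", "ALL") or not rule.get("SourceCidrIp"):
            continue  # non-TCP rule, or the source is another security group, not a CIDR
        source = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        for port, name in SENSITIVE_PORTS.items():
            if not covers(rule["PortRange"], port):
                continue
            if source.prefixlen == 0:
                findings.append((port, str(source), f"{name} open to the whole internet"))
            elif not (source.num_addresses == 1 and allowed in source):
                findings.append((port, str(source), f"{name} open to more than the app server"))
    return findings


if __name__ == "__main__":
    for port, source, reason in audit_db_security_group(DB_SG_RULES, APP_SERVER_IP):
        print(f"port {port} from {source}: {reason}")
```

An empty result means the only path to port 1433 is from the application server, which is the end state the post recommends once the remote-connection demo is finished.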