要約

Why Elastic agents provide flexibility and cost savings, default networking settings may not comply with security standards. This article talks about how to use Elastic agents but avoid exposing ports in both Bamboo and elastic agent EC2 instance.

環境

Applicable to all supported versions. Pre-reqs:

• Both Bamboo and agents should run in AWS
• Bamboo server and agent EC2 instances should run in the same VPC (using a different VPC is possible, though access to Bamboo server instance should be configured).

ソリューション

As known, when starting an elastic agent, Bamboo launches an EC2 instance in which an elastic agent starts a tunnel server, and waits for 2 connections: http and jms traffic. When EC2 instance is reported as running, Bamboo will initiate a secure tunnel connection to EC2 instance public IP and port 26224. To change this behavior, it is possible to disable tunneling and force elastic agents use private IP of Bamboo server instance.

Disable tunneling

To disable tunneling, add the following properties to JVM_SUPPORT_RECOMMENDED_ARGS to ${BAMBOO_INSTALL_DIR}/bin/setenv.sh (bat for Windows).  After adding a new property, Bamboo server needs to be restarted.

-Dbamboo.ec2.tunnel.enabled=false -Dbamboo.ec2.tunnel.jms.enabled=false

Configure Bamboo server http(s) endpoint

When an elastic agent starts it reaches out to Bamboo server either using Bamboo baseURL or URL configured in bamboo.ec2.agent.endpoint property (if set in JVM_SUPPORT_RECOMMENDED_ARGS in ${BAMBOO_INSTALL_DIR}/bin/setenv.sh (bat for Windows)).

Depending on networking setup and security policies, it's possible to configure bamboo.ec2.agent.endpoint either to an external ALB URL or a URL with a private IP of Bamboo server EC2 instance. Please, note that if Bamboo runs on the default connector, setting http://$PRIVATE_IP:8085 will result in using a plaintext connection, although in the VPC (it is up to an organization to decide whether it is a considerable security threat)

-Dbamboo.ec2.agent.endpoint=http://${BAMBOO_SERVER_EC2_PRIVATE_IP}:8085

Odds are that ALB is used already and set to Bamboo baseURL. If this is the case, this step is optional. You can check (and change) your baseURL in Bamboo settings > Overview.

After adding a new property, Bamboo server needs to be restarted.

Configure Bamboo server JMS endpoint

After an elastic agent establishes connection to Bamboo server and downloads required files, Bamboo server shares its jms broker client uri. An elastic agent will use it to establish JMS connection. Thus, host:port in this uri should be accessible to elastic agents. You can check/edit jms broker client uri in Bamboo settings > Overview or directly in ${BAMBOO_HOME}/bamboo.cfg.xml:

<property name="bamboo.jms.broker.client.uri">failover:(ssl://${BAMBOO_SERVER_EC2_PRIVATE_IP}:54663?wireFormat.maxInactivityDuration=300000&amp;socket.verifyHostName=false)?initialReconnectDelay=15000&amp;maxReconnectAttempts=10&amp;initialReconnectDelay=15000</property>

The above example uses ssl protocol which is highly recommended. Please, note that in this case, jms broker uri must use ssl protocol too:

<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;wireFormat.maxInactivityDuration=300000</property>

Changes to both broker and client uri require Bamboo server restart.

Configure security group for Bamboo server EC2

Now that tunneling is disabled, http(s) and JMS endpoints are set and Bamboo server restarted, security group(s) attached to Bamboo server EC2 instance need to allow inbound traffic to:

• 54663/tcp - JMS connection originating from elastic instances
• 8085/tcp or a different port if Bamboo is listening on a different port (also originating from elastic instances). This is optional if using ALB URL.

It is possible to restrict inbound connections to those originating from the same VPC only or have more permissive rules, depending on the existing networking setup and security requirements.

While Bamboo will still create/modify a security group attached to elastic instances (called elasticbamboo), nothing will listen on port 26224 in EC2 elastic instances as tunneling has been disabled. Besides, it is possible to filter this port with a more restrictive ACL.