- AWS Certified Advanced Networking:Specialty Exam Guide
- Marko Sluga
- 2021-06-24 14:14:54
Security groups
The primary layer of defense for our instances is the security group. When creating new instances, we always need to assign a security group to the EC2 instance's primary network adapter and to any other ENI that we connect to the instance. The security group acts like a personal stateful firewall protecting each ENI with the rules that we assign to it. Because the filtering is stateful, a rule that allows inbound traffic to a given port also allows the return traffic of that connection, without a separate outbound rule.
For example, a typical modern Linux-based web server would require access to the SSH console on port 22 and to HTTP/HTTPS on ports 80 and 443. To allow access to this server, we would simply create one or more security groups with the appropriate rules that would allow access on ports 22, 80, and 443. We would then assign the security group(s) to the instance, thus allowing access.
For the source of a rule, we can specify either IP ranges or other security groups. Specifying security groups is good practice because it makes management much easier: the rule applies dynamically to every instance that has the referenced security group assigned, no matter which subnet the instance is started in.
If we needed to scale the application to multiple instances, we would simply assign the same security groups to them, and the services running on those instances would become accessible on the ports defined in the policy within the group.
Since all inbound ports are implicitly denied by default, all other ports would not be accessible. All outgoing traffic is allowed by the security group by default.
Another best practice is to specify security groups in the incoming rules of other security groups. The security groups are designed as follows:
- A: Allows access from the internet to the public IP of the ELB
- B: Allows access from only the load balancer security group to the web service security group
- C: Allows access from the web service security group to the database service security group

However, there are some limitations regarding security groups. An ENI of an instance can be a member of only five security groups. We can have multiple ENIs attached to the instance (the maximum depends on the instance type). If we require more than five security groups to be assigned to an instance, we can open a request with AWS Support to raise this limit to up to 16. This will not affect the maximum number of security group rules, which is always set at 300, no matter how many security groups we attach to an ENI.
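The A/B/C chain described above, written as a CloudFormation template. This is an added example, not the book's own code: it assumes an existing VPC supplied as a parameter, HTTPS on the load balancer, HTTP on the web tier and a MySQL-compatible database on port 3306; each tier's ingress rule names the previous tier's security group (`SourceSecurityGroupId`) rather than a CIDR, so adding instances to a tier never requires touching the rules.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Security groups A, B and C chained by group reference (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumption: an existing VPC is passed in at deploy time

Resources:
  # A: the load balancer accepts HTTPS from the internet
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: A - internet to ELB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # B: web instances accept HTTP only from members of group A
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: B - load balancer to web service
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref ElbSecurityGroup   # !Ref yields the group ID in a VPC

  # C: the database accepts connections only from members of group B
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: C - web service to database service
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306          # assumption: MySQL-compatible database port
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebSecurityGroup
```

No egress rules are declared, so each group keeps the default allow-all outbound rule and the inbound default deny covers every port not listed. A new web instance only needs `WebSecurityGroup` attached to be reachable from the load balancer and to reach the database.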