- AWS Certified Advanced Networking:Specialty Exam Guide
- Marko Sluga
- 445 characters
- 2021-06-24 14:14:54
Security groups
The primary layer of defense for our instances is the security group. When creating new instances, we always need to assign a security group to the EC2 instance's primary network adapter and to any other ENI that we attach to the instance. The security group acts like a personal stateful firewall, protecting each ENI with the rules that we assign to it. Because the port filtering is stateful, a rule that allows traffic into a given port also allows the return traffic of that connection.
For example, a typical modern Linux-based web server would require access to the SSH console on port 22 and to HTTP/HTTPS on ports 80 and 443. To allow access to this server, we would simply create one or more security groups with the appropriate rules that would allow access on ports 22, 80, and 443. We would then assign the security group(s) to the instance, thus allowing access.
For the source, we can specify either IP ranges or other security groups. Referencing security groups is good practice: it makes management much easier, because the rule applies dynamically to every instance that has the referenced security group assigned, regardless of the subnet the instance is started in.
If we needed to scale the application to multiple instances, we would simply assign the same security groups to them, and the services running on those instances would become accessible on the ports defined in the policy within the group.
Since all inbound ports are implicitly denied by default, all other ports would not be accessible. All outgoing traffic is allowed by the security group by default.
Another best practice is to reference security groups as the source in the inbound rules of other security groups, so that each tier only accepts traffic from the tier in front of it. The security groups are designed as follows:
- A: Allows access from the internet to the public IP of the ELB
- B: Allows access from only the load balancer security group to the web service security group
- C: Allows access from the web service security group to the database service security group

However, there are some limitations with regard to security groups. An ENI of an instance can be a member of only five security groups. We can have multiple ENIs attached to the instance (the maximum depends on the instance type). If we require more than five security groups to be assigned to an instance, we can open a request with AWS Support to raise this limit to up to 16. This does not affect the maximum number of security group rules, which is always set at 300, no matter how many security groups we attach to an ENI.
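The following is an added example, not code from the book or from AWS: a small offline model of the security-group semantics described above (implicit inbound deny, stateful return traffic, security groups referenced as a rule source, and the default five-groups-per-ENI quota), used to check the layered A/B/C design from the list above. The group names, instance names and IP addresses are constructed for the illustration; the model evaluates only inbound rules, since outbound traffic is open by default as the text states.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Default quota stated on the page: five security groups per ENI (raisable to 16 via AWS Support).
MAX_GROUPS_PER_ENI = 5


@dataclass(frozen=True)
class Rule:
    """One inbound rule: protocol, port, and a source that is a CIDR or a security-group name."""
    protocol: str
    port: int
    source: str


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # outbound is left open, as AWS does by default


@dataclass
class Instance:
    name: str
    ip: str
    groups: list   # groups attached to the instance's primary ENI

    def __post_init__(self):
        if len(self.groups) > MAX_GROUPS_PER_ENI:
            raise ValueError(f"{self.name}: more than {MAX_GROUPS_PER_ENI} security groups on one ENI")


def _rule_matches(rule: Rule, src, protocol: str, port: int) -> bool:
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Source is another security group: matches any instance carrying that group,
        # whatever its IP or subnet.
        return isinstance(src, Instance) and any(g.name == rule.source for g in src.groups)
    src_ip = src.ip if isinstance(src, Instance) else src
    return ip_address(src_ip) in ip_network(rule.source)


def inbound_allowed(src, dst: Instance, protocol: str, port: int) -> bool:
    """Implicit deny: traffic passes only if some attached group has a matching inbound rule."""
    return any(_rule_matches(r, src, protocol, port) for g in dst.groups for r in g.inbound)


class StatefulFirewall:
    """Tracks flows admitted by inbound rules so their return traffic passes without a rule."""

    def __init__(self):
        self.flows = set()

    def open_flow(self, src, src_port, dst, dst_port, protocol="tcp") -> bool:
        if not inbound_allowed(src, dst, protocol, dst_port):
            return False
        self.flows.add((protocol, src.ip, src_port, dst.ip, dst_port))
        return True

    def packet_allowed(self, src, src_port, dst, dst_port, protocol="tcp") -> bool:
        # Return traffic of a tracked flow is allowed even though dst has no rule for that port.
        if (protocol, dst.ip, dst_port, src.ip, src_port) in self.flows:
            return True
        return inbound_allowed(src, dst, protocol, dst_port)


# Layered design A/B/C from the text (constructed names and addresses).
SG_ELB = SecurityGroup("sg-elb", [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "0.0.0.0/0")])
SG_WEB = SecurityGroup("sg-web", [Rule("tcp", 80, "sg-elb"), Rule("tcp", 22, "10.0.0.0/8")])
SG_DB = SecurityGroup("sg-db", [Rule("tcp", 3306, "sg-web")])

ELB = Instance("elb", "203.0.113.10", [SG_ELB])
WEB1 = Instance("web1", "10.0.1.10", [SG_WEB])
WEB2 = Instance("web2", "10.0.3.11", [SG_WEB])   # scaled-out copy in another subnet, same group
DB = Instance("db", "10.0.2.20", [SG_DB])
INTERNET_CLIENT = "198.51.100.7"                  # constructed sample client address


def demo() -> dict:
    """Evaluate representative flows against the layered design; keys name the flow."""
    fw = StatefulFirewall()
    return {
        "client_to_elb_80": inbound_allowed(INTERNET_CLIENT, ELB, "tcp", 80),
        "client_to_web_80": inbound_allowed(INTERNET_CLIENT, WEB1, "tcp", 80),
        "elb_to_web_80": inbound_allowed(ELB, WEB1, "tcp", 80),
        "elb_to_web_8080": inbound_allowed(ELB, WEB1, "tcp", 8080),
        "elb_to_db_3306": inbound_allowed(ELB, DB, "tcp", 3306),
        "web2_to_db_3306": fw.open_flow(WEB2, 51000, DB, 3306),
        "db_reply_to_web2": fw.packet_allowed(DB, 3306, WEB2, 51000),
        "db_unsolicited_to_web1": fw.packet_allowed(DB, 3306, WEB1, 51000),
    }


def eni_quota_exceeded(group_count: int) -> bool:
    """True if attaching group_count groups to one ENI violates the default quota."""
    try:
        Instance("probe", "10.0.0.1", [SecurityGroup(f"sg-probe{i}") for i in range(group_count)])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:28s} {'ALLOW' if allowed else 'DENY'}")
```

The results show the points the text makes: the internet can reach the ELB on 80 but not the web instances directly, the scaled-out web2 reaches the database purely because it carries the same group, the database's reply to web2 passes through the state table although no rule on web2 permits port 51000, and an unsolicited connection from the database toward a web instance is still denied.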