
Security groups

The primary layer of defense for our instances is the security group. When creating new instances, we always need to assign a security group to the EC2 instance's primary network adapter and to any other ENI that we attach to the instance. The security group acts like a personal stateful firewall protecting each ENI with the rules that we assign to it. Because the filtering is stateful, traffic that matches an inbound rule is accepted, and the return traffic for that connection is allowed automatically, without a matching outbound rule.

For example, a typical modern Linux-based web server would require access to the SSH console on port 22 and to HTTP/HTTPS on ports 80 and 443. To allow access to this server, we would create one or more security groups with rules that allow inbound TCP traffic on ports 22, 80, and 443, and then assign the security group(s) to the instance. The source of each rule should be as narrow as the role allows: ports 80 and 443 may need to be open to the internet, but port 22 should be restricted to the administrators' address range rather than 0.0.0.0/0.

For the source of a rule, we can specify either IP ranges (CIDR blocks) or other security groups. Referencing security groups is good practice as it makes management much easier: the rule applies dynamically to every instance that has the referenced security group assigned, no matter which subnet the instance is started in, and it does not need updating when instances are added or replaced. Note that a security group used as a source matches traffic coming from the private IP addresses of the ENIs in that group; traffic arriving from an instance's public or Elastic IP address does not match such a rule, so it must be permitted with a CIDR rule if that path is really required.

If we need to scale the application to multiple instances, we simply assign the same security groups to them, and the services running on those instances become accessible on the ports defined in the rules within the group.

Since all inbound traffic is implicitly denied by default, any port without an allow rule is not accessible. Security groups contain only allow rules; there is no way to write a deny rule, so anything we want blocked is simply left out. All outbound traffic is allowed by default through a default outbound rule (all protocols to 0.0.0.0/0); this rule can be removed and replaced with narrower outbound rules where an instance should only be able to reach specific destinations.

Another best practice is to specify security groups in the incoming rules of other security groups, so that each tier only accepts traffic from the tier in front of it. For a three-tier layout with a load balancer, web servers, and a database, the security groups would be designed as follows:

  • A: Allows access from the internet to the public IP of the ELB
  • B: Allows access from only the load balancer security group to the web service security group
  • C: Allows access from only the web service security group to the database service security group
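To make the behaviour described above concrete, here is a small evaluator that models the three-tier layout (A, B, C) and the security-group semantics the text describes: allow-only rules with an implicit inbound deny, a source given either as a CIDR or as another security group (matched on private IPs only), and stateful tracking so that replies to an allowed flow pass without a rule. It is an added example, not code from the original page or from AWS; the group IDs (sg-elb, sg-web, sg-db), ENI IDs, addresses and the `Vpc`, `Rule`, `SecurityGroup` and `Eni` names are constructed for illustration, and the `exposed_admin_ports` audit is a practitioner check that goes beyond the text.

```python
"""Toy evaluator for AWS security-group semantics (added example, not code from
the page or from AWS). Group IDs, ENI IDs and addresses are constructed. It
implements the behaviour the text describes: allow-only rules with an implicit
inbound deny, a source given as a CIDR or as another security group (matched on
private IPs only), and stateful tracking so replies to an allowed flow pass."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    proto: str                       # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # source as an IP range, e.g. "0.0.0.0/0"
    source_sg: Optional[str] = None  # or source as another security group ID

@dataclass
class SecurityGroup:
    group_id: str
    ingress: list                    # Rules; egress stays at the default allow-all

@dataclass
class Eni:
    eni_id: str
    private_ip: str                  # SG-as-source matches this address only
    groups: list                     # security group IDs attached to the ENI

class Vpc:
    def __init__(self, groups, enis):
        self.groups = {g.group_id: g for g in groups}
        self.enis = {e.eni_id: e for e in enis}
        self.flows = set()           # (eni, peer_ip, proto, local_port, peer_port)

    def _matches(self, rule, src_ip, proto, port):
        if rule.proto != "-1":
            if rule.proto != proto or not rule.from_port <= port <= rule.to_port:
                return False
        if rule.cidr is not None:
            return ip_address(src_ip) in ip_network(rule.cidr)
        members = {e.private_ip for e in self.enis.values() if rule.source_sg in e.groups}
        return src_ip in members

    def inbound(self, eni_id, src_ip, proto, dst_port, src_port):
        """Accept a packet if it is the reply to a tracked outbound flow or
        matches an ingress rule of any group on the ENI; otherwise deny."""
        if (eni_id, src_ip, proto, dst_port, src_port) in self.flows:
            return True              # stateful: return traffic needs no rule
        for sg_id in self.enis[eni_id].groups:
            for rule in self.groups[sg_id].ingress:
                if self._matches(rule, src_ip, proto, dst_port):
                    self.flows.add((eni_id, src_ip, proto, dst_port, src_port))
                    return True
        return False                 # implicit deny; there are no deny rules

    def outbound(self, eni_id, dst_ip, proto, dst_port, src_port):
        """Default egress allows everything; record the flow so its reply passes."""
        self.flows.add((eni_id, dst_ip, proto, src_port, dst_port))
        return True

    def exposed_admin_ports(self):
        """Audit check: rules opening SSH (22) or RDP (3389) to the whole internet."""
        return [(g.group_id, r.from_port, r.to_port) for g in self.groups.values()
                for r in g.ingress if r.cidr in ("0.0.0.0/0", "::/0")
                and (r.proto == "-1" or (r.proto == "tcp" and
                     any(r.from_port <= p <= r.to_port for p in (22, 3389))))]

# Three-tier layout from the text: internet -> ELB (A) -> web (B) -> database (C).
def build_vpc():
    elb = SecurityGroup("sg-elb", [Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
                                   Rule("tcp", 80, 80, cidr="0.0.0.0/0")])
    web = SecurityGroup("sg-web", [Rule("tcp", 80, 80, source_sg="sg-elb"),
                                   Rule("tcp", 22, 22, cidr="203.0.113.0/24")])  # admin range only
    db = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, source_sg="sg-web")])
    return Vpc([elb, web, db], [Eni("eni-elb", "10.0.1.10", ["sg-elb"]),
                                Eni("eni-web", "10.0.2.20", ["sg-web"]),
                                Eni("eni-db", "10.0.3.30", ["sg-db"])])

def scenario():
    """Walk constructed packets through the layout; returns {description: allowed}."""
    vpc = build_vpc()
    out = {
        "internet->elb:443": vpc.inbound("eni-elb", "198.51.100.7", "tcp", 443, 51000),
        "internet->web:80": vpc.inbound("eni-web", "198.51.100.7", "tcp", 80, 51001),
        "elb(private)->web:80": vpc.inbound("eni-web", "10.0.1.10", "tcp", 80, 40000),
        "elb(public)->web:80": vpc.inbound("eni-web", "198.51.100.50", "tcp", 80, 40001),
        "internet->db:3306": vpc.inbound("eni-db", "198.51.100.7", "tcp", 3306, 51002),
        "web->db:3306": vpc.inbound("eni-db", "10.0.2.20", "tcp", 3306, 45678),
        "db reply, no flow": vpc.inbound("eni-web", "10.0.3.30", "tcp", 45678, 3306),
    }
    vpc.outbound("eni-web", "10.0.3.30", "tcp", 3306, 45678)   # web opens the DB connection
    out["db reply, tracked"] = vpc.inbound("eni-web", "10.0.3.30", "tcp", 45678, 3306)
    return out

if __name__ == "__main__":
    for packet, allowed in scenario().items():
        print(f"{packet:22} {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints one ALLOW/DENY line per constructed packet. The two cases worth studying are "elb(public)->web:80", which is denied because a security-group source only matches the private addresses of the group's members, and the pair of "db reply" packets: the reply from the database to the web server's ephemeral port has no ingress rule and is denied until the web server has opened the connection, after which the stateful tracking lets it through.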

However, there are some limitations in regards to security groups. By default, an ENI can be a member of only five security groups. We can have multiple ENIs attached to an instance (the maximum depends on the instance type). If we require more than five security groups on a single ENI, we can open a request with AWS Support to raise this limit to up to 16. This does not raise the total number of rules that can be evaluated on one ENI: AWS caps the product of security groups per ENI and rules per security group (300 rules in total at the time of writing), so attaching more groups to an ENI simply leaves fewer rules available per group. These quotas change over time, so check the current VPC quotas before designing around these figures.
