Disallowing rule in EC2 security group is not affecting already-established MongoDB connections
Here is the situation:
1. Instance X is able to connect to instance Y on TCP port 27017 (allowed by the EC2 security group).
2. X has the mongo shell.
3. Y has MongoDB running, accepting connections from X on port 27017.
4. From X, connect to the database instance on Y using the mongo shell.
5. From the mongo shell session on X, query from and insert into Y. All good.
6. Change Y's security group: remove the port 27017 rule mentioned in #1.
7. X can still query from/insert into the database hosted on Y. This is not expected.
8. Exit the mongo shell session on X.
9. Trying step 4 again fails. This is normal and expected.
The expectation is that the EC2 network firewall will terminate connections that violate the rules (the security group policy).
Can you explain how #7 above happened, and how to avoid it (so that X cannot do anything to Y)?
Thanks.
Expectation is that EC2 network firewall will terminate connections that violate the rules
You are making an assumption here. That may be your expectation of how it should work, but where is it backed up in the official AWS documentation? I suggest reading the documentation rather than assuming how this will work.
An existing flow of traffic that is tracked may not be interrupted when you remove the security group rule that enables that flow. Instead, the flow is interrupted when it's stopped by you or the other host for at least a few minutes (or up to 5 days for established TCP connections). For UDP, this may require terminating actions on the remote side of the flow. An untracked flow of traffic is immediately interrupted if the rule that enables the flow is removed or modified. For example, if you remove a rule that allows all inbound SSH traffic (0.0.0.0/0) to the instance, then your existing SSH connections to the instance are immediately dropped.
If you want to ensure that traffic is immediately interrupted when you remove a security group rule, you can use a network ACL for your subnet — network ACLs are stateless and therefore do not automatically allow response traffic. For more information, see Network ACLs in the Amazon VPC User Guide.
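A simplified model of the behaviour the quoted documentation describes (stateful connection tracking in a security group versus a stateless network ACL), added here as an example; it is not the question's setup, the answer's code or AWS's implementation, and the addresses, source ports and rule numbers are constructed.

```python
import ipaddress
from collections import namedtuple

# Packet: source IP, ephemeral source port (identifies the session), destination port, protocol
Packet = namedtuple("Packet", "src sport dport proto", defaults=("tcp",))
# Rule: protocol, destination port, source CIDR, action ("deny" only exists on NACL entries)
Rule = namedtuple("Rule", "proto port cidr action", defaults=("allow",))

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto == p.proto and r.port == p.dport
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.cidr))

class SecurityGroup:
    """Stateful: the first allowed packet of a flow creates a tracking entry, and later
    packets of that flow pass on the entry alone, so revoking the rule does not cut it."""
    def __init__(self, rules):
        self.rules, self.tracked = set(rules), set()

    def allow(self, p: Packet) -> bool:
        if p in self.tracked:                # the whole 4-tuple identifies the flow
            return True
        for r in self.rules:
            if matches(r, p):
                if r.cidr != "0.0.0.0/0":    # flows allowed by a 0.0.0.0/0 rule are untracked
                    self.tracked.add(p)
                return True
        return False

class NetworkAcl:
    """Stateless: every packet is checked against the ordered entries; implicit deny at the end."""
    def __init__(self, entries):             # entries: (rule_number, Rule)
        self.entries = sorted(entries, key=lambda e: e[0])

    def allow(self, p: Packet) -> bool:
        for _, r in self.entries:
            if matches(r, p):
                return r.action == "allow"
        return False

def mongo_scenario() -> dict:
    """Replays the question's steps; X = 10.0.0.5 and the source ports are constructed values."""
    mongo, session = Rule("tcp", 27017, "10.0.0.5/32"), Packet("10.0.0.5", 40001, 27017)
    sg = SecurityGroup([mongo])
    out = {"step5_query": sg.allow(session)}            # True, and the flow is now tracked
    sg.rules.discard(mongo)                              # step 6: the port 27017 rule is removed
    out["step7_same_session"] = sg.allow(session)        # True: the tracked flow survives
    out["step9_new_session"] = sg.allow(Packet("10.0.0.5", 40002, 27017))   # False: no rule
    acl = NetworkAcl([(100, Rule("tcp", 27017, "10.0.0.5/32", "deny"))])
    out["nacl_deny_same_session"] = acl.allow(session)   # False: stateless, effective at once
    return out
```

The model deliberately ignores the outbound-rule condition and the timeouts in the real tracking table; it only shows why the open mongo shell session kept working after the rule was revoked and why a NACL entry would have stopped it.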