AWS 安全组最佳实践
AWS Security Group Best Practice
美好的一天,
如果一个 EC2 实例 (serverA) 从少数尚未配置的 EC2 实例(serverB、serverC 等)接收端口 8000 上的 TCP 流量,那么配置安全组的最佳做法是什么服务器 A?
Security group: serverA_sg
Source: CIDR block that encompass serverB/C and any future instances of the same type
Port range: 8000
CIDR block would have to be at least /24 due to the fluidity of the environment.
或
Security group: serverA_sg
Source: serverA_sg
Port range: 8000
Then assign "serverA_sg" to serverB/C when they are provisioned? I assume the negative here is that the "client" instances will also then be available on 8000.
或完全不同的东西?
谢谢!
您非常接近第二个选项。最佳做法是:
Rule1:
Security group: serverA_sg
Source: serverB_sg
Port range: 8000
Rule2:
Security group: serverA_sg
Source: serverC_sg
Port range: 8000
然后将“serverB_sg”分配给serverB,将“serverC_sg”分配给serverC。
VPC 内的最佳做法是使用安全组引用而不是 CIDR 块。每个逻辑服务器组都应该有自己独立的安全组,以准确控制打开哪些端口,并允许更改该组中允许的端口而不影响其他服务器组。
美好的一天,
如果一个 EC2 实例 (serverA) 从少数尚未配置的 EC2 实例(serverB、serverC 等)接收端口 8000 上的 TCP 流量,那么配置安全组的最佳做法是什么服务器 A?
Security group: serverA_sg
Source: CIDR block that encompass serverB/C and any future instances of the same type
Port range: 8000
CIDR block would have to be at least /24 due to the fluidity of the environment.
或
Security group: serverA_sg
Source: serverA_sg
Port range: 8000
Then assign "serverA_sg" to serverB/C when they are provisioned? I assume the negative here is that the "client" instances will also then be available on 8000.
或完全不同的东西?
谢谢!
您非常接近第二个选项。最佳做法是:
Rule1:
Security group: serverA_sg
Source: serverB_sg
Port range: 8000
Rule2:
Security group: serverA_sg
Source: serverC_sg
Port range: 8000
然后将“serverB_sg”分配给serverB,将“serverC_sg”分配给serverC。
VPC 内的最佳做法是使用安全组引用而不是 CIDR 块。每个逻辑服务器组都应该有自己独立的安全组,以准确控制打开哪些端口,并允许更改该组中允许的端口而不影响其他服务器组。