AWS Security Group Best Practice

Good day,

If an EC2 instance (serverA) receives TCP traffic on port 8000 from a handful of EC2 instances that have not yet been provisioned (serverB, serverC, etc.), what is the best practice for configuring the security group for serverA?

Security group: serverA_sg
Source: CIDR block that encompasses serverB/C and any future instances of the same type
Port range: 8000

CIDR block would have to be at least /24 due to the fluidity of the environment.

Security group: serverA_sg
Source: serverA_sg
Port range: 8000

Then assign "serverA_sg" to serverB/C when they are provisioned? I assume the negative here is that the "client" instances will also then be available on 8000.

Or something completely different?

Thanks!

You're very close with the second option. The best practice is:

Rule1:
Security group: serverA_sg
Source: serverB_sg
Port range: 8000

Rule2:
Security group: serverA_sg
Source: serverC_sg
Port range: 8000

Then assign "serverB_sg" to serverB and "serverC_sg" to serverC.

Within a VPC the best practice is to use security group references rather than CIDR blocks. Each logical group of servers should have its own separate security group, so that you control exactly which ports are open and can change the ports allowed for that group without affecting other groups of servers.
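The layout the answer describes (Rule1 and Rule2 on serverA_sg, separate groups for the clients), written as Terraform. This is an added example, not code from the post; it assumes an AWS provider configured elsewhere, a VPC and subnet supplied as variables, and a placeholder AMI.

```hcl
# Added example, not from the original post. Assumes the AWS provider is configured
# elsewhere; the VPC and subnet are supplied as variables; the AMI is a placeholder.
variable "vpc_id"    { type = string }
variable "subnet_id" { type = string }

# One security group per logical server role. The groups carry no inline rules;
# egress is left at the AWS default and is not managed in this example.
resource "aws_security_group" "role" {
  for_each = toset(["serverA_sg", "serverB_sg", "serverC_sg"])
  name     = each.key
  vpc_id   = var.vpc_id
}

# Rule1 and Rule2: serverA_sg admits TCP/8000 only from interfaces that carry
# serverB_sg or serverC_sg. Membership follows the instance, not its address,
# so instances provisioned later get access simply by being given the group.
resource "aws_security_group_rule" "a_8000_from_clients" {
  for_each                 = toset(["serverB_sg", "serverC_sg"])
  type                     = "ingress"
  security_group_id        = aws_security_group.role["serverA_sg"].id
  source_security_group_id = aws_security_group.role[each.key].id
  protocol                 = "tcp"
  from_port                = 8000
  to_port                  = 8000
}

# The weaker first option from the question, shown only for contrast: a /24 CIDR
# source admits every current and future host in that range, not just serverB/C.
# resource "aws_security_group_rule" "a_8000_from_cidr" {
#   type              = "ingress"
#   security_group_id = aws_security_group.role["serverA_sg"].id
#   cidr_blocks       = ["10.0.1.0/24"] # constructed sample range
#   protocol          = "tcp"
#   from_port         = 8000
#   to_port           = 8000
# }

# Assigning the client groups: each instance gets only its own role's group,
# so serverB and serverC do not themselves expose port 8000 to one another.
resource "aws_instance" "client" {
  for_each               = { serverB = "serverB_sg", serverC = "serverC_sg" }
  ami                    = "ami-PLACEHOLDER"
  instance_type          = "t3.micro"
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.role[each.value].id]
  tags                   = { Name = each.key }
}
```

A group reference matches traffic arriving from the private address of an interface that carries the referenced group, within the same VPC or a peered one; traffic that leaves via a public IP or NAT is not matched by it.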