// security group:
virtual firewall at the instance level (attached to the instance's network interface)
========
- inbound rules
- outbound rules
- no deny rules, only allow rules. inbound traffic is blocked by default unless a rule specifically allows it (outbound gets a default allow-all rule, see below)
- multiple instances across multiple subnets (of the same VPC) can belong to one security group
=========
- source can be a specific ip address as /32 (or any CIDR range)
sg web app -> db via ip
- source can be another security group; the rule then matches traffic from every instance in that group, whatever its ip address is
sg web app -> db via sec group
- an instance can have multiple security groups applied (nested). the rule sets are merged, so the result is the more permissive one:
initially denied, then a second sec group with an allow is applied -> allowed. since there are no deny rules, adding a group can only widen access, never narrow it
=========
// sec group limits (quotas)
can have up to 10k sec groups per region (default quota 2500, adjustable)
can have 60 inbound rules and 60 outbound rules per sec group (default quota, adjustable)
16 sec groups per elastic network interface (default is 5); rules per group x groups per interface must stay at or below 1000
========
- firewall at the instance level
- sec groups are stateful. // if traffic is allowed inbound, the reply is allowed outbound regardless of the outbound rules, and vice versa
- unless an allow rule is specified, all inbound traffic is blocked by default
- all outbound traffic from the instance is allowed by default (a new group gets an allow-all outbound rule; delete it and egress is denied)
- source can be either an ip range (CIDR), a single ip address (/32) or another sec group
- any change takes effect immediately
- ec2 instances can belong to multiple sec groups
- a sec group can contain multiple ec2 instances
- cannot block a specific ip via sec group (only allow rules exist; use a network ACL, which has deny rules, for that)
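The source-specification notes (ip vs. sec group reference, nested groups) and the summary above as an executable model. This is an added illustration, not code from the original notes or from AWS: it evaluates a new TCP connection the way security groups do (any allow rule in any attached group wins, there is no deny, unmatched inbound is denied, replies of a tracked flow pass without consulting rules) over a constructed topology. Group ids, private addresses and ports are made up for the example; prefix lists, IPv6 and non-TCP protocols are left out.

```python
"""Executable model of EC2 security-group evaluation (added illustration, not AWS code).

Assumptions: IPv4 + TCP only, no prefix lists; group ids, addresses and ports
below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ALLOW rule. Security groups have no deny rules, so there is no action field."""
    port_from: int
    port_to: int
    source: str  # CIDR such as "10.0.1.25/32", or another group id such as "sg-web"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)  # empty = implicit deny for all inbound
    # AWS creates an allow-all outbound rule on a new group; delete it and egress is denied.
    outbound: list = field(default_factory=lambda: [Rule(0, 65535, "0.0.0.0/0")])


@dataclass
class Instance:
    private_ip: str
    groups: list  # several groups per interface; their rule sets are merged


def _matches(rule: Rule, peer_ip: str, peer_groups: list, port: int) -> bool:
    if not rule.port_from <= port <= rule.port_to:
        return False
    if rule.source.startswith("sg-"):
        # Group reference: matches any member of that group, whatever its IP is today.
        return rule.source in peer_groups
    return ip_address(peer_ip) in ip_network(rule.source, strict=False)


def inbound_allowed(dst: Instance, src_ip: str, src_groups: list, port: int) -> bool:
    """True if ANY inbound rule in ANY attached group allows the flow.

    There are no deny rules, so attaching an extra group can only open access;
    if nothing matches, the implicit default deny applies.
    """
    return any(_matches(r, src_ip, src_groups, port)
               for sg in dst.groups for r in sg.inbound)


def outbound_allowed(src: Instance, dst_ip: str, dst_groups: list, port: int) -> bool:
    return any(_matches(r, dst_ip, dst_groups, port)
               for sg in src.groups for r in sg.outbound)


def connection_allowed(src: Instance, dst: Instance, port: int) -> bool:
    """A NEW connection needs the sender's egress AND the receiver's ingress to allow it."""
    src_ids = [g.group_id for g in src.groups]
    dst_ids = [g.group_id for g in dst.groups]
    return (outbound_allowed(src, dst.private_ip, dst_ids, port)
            and inbound_allowed(dst, src.private_ip, src_ids, port))


# Stateful behaviour: the reply half of an allowed connection is passed without
# consulting the initiator's inbound rules or the responder's outbound rules.
_tracked_flows: set = set()


def open_connection(src: Instance, dst: Instance, port: int) -> bool:
    ok = connection_allowed(src, dst, port)
    if ok:
        _tracked_flows.add((src.private_ip, dst.private_ip, port))
    return ok


def reply_allowed(responder: Instance, initiator: Instance, port: int) -> bool:
    return (initiator.private_ip, responder.private_ip, port) in _tracked_flows


# --- constructed sample topology (ids and addresses are made up) --------------
sg_web = SecurityGroup("sg-web", inbound=[Rule(443, 443, "0.0.0.0/0")])
sg_db = SecurityGroup("sg-db", inbound=[Rule(3306, 3306, "sg-web")])      # db <- web by group reference
sg_ops = SecurityGroup("sg-ops", inbound=[Rule(22, 22, "10.0.1.25/32")])  # one host by /32
sg_other = SecurityGroup("sg-other")                                      # no inbound rules at all
sg_no_egress = SecurityGroup("sg-no-egress", outbound=[])                 # default egress rule removed

web = Instance("10.0.2.10", [sg_web])
db = Instance("10.0.3.20", [sg_db])
db_nested = Instance("10.0.3.21", [sg_db, sg_ops])  # two groups: union of both rule sets
stranger = Instance("10.0.9.9", [sg_other])
sealed = Instance("10.0.2.11", [sg_no_egress])

if __name__ == "__main__":
    print("web -> db:3306        ", open_connection(web, db, 3306))                           # True (group reference)
    print("db reply -> web:3306  ", reply_allowed(db, web, 3306))                             # True (stateful)
    print("stranger -> db:3306   ", open_connection(stranger, db, 3306))                      # False (implicit deny)
    print("ops host -> db:22     ", inbound_allowed(db, "10.0.1.25", ["sg-other"], 22))       # False
    print("ops host -> nested:22 ", inbound_allowed(db_nested, "10.0.1.25", ["sg-other"], 22))  # True (union)
    print("sealed egress to db   ", outbound_allowed(sealed, "10.0.3.20", ["sg-db"], 3306))   # False (no egress rule)
```

The model makes the "cannot block a specific ip" point concrete: `Rule` has no action field, so the only way to exclude 10.0.9.9 is to not write a rule that covers it, which is impossible once a rule allows 0.0.0.0/0. Blocking a single address needs a deny, which lives in a network ACL, not a security group.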