AWS Security Group Best Practices



Hello,

If I'm configuring an EC2 instance (serverA) that receives TCP traffic on port 8000 from a small number of EC2 instances that have not yet been provisioned (serverB, serverC, etc.), what is the best practice for configuring the security group on serverA?

Security group: serverA_sg
Source: CIDR block that encompasses serverB/C and any future instances of the same type
Port range: 8000
CIDR block would have to be at least /24 due to the fluidity of the environment.

Security group: serverA_sg
Source: serverA_sg
Port range: 8000
Then assign "serverA_sg" to serverB/C when they are provisioned? I assume the negative here is that the "client" instances will also then be available on 8000.

Or something else?

Thanks!

You are already very close with the second option. The best practice is:

Rule1:
Security group: serverA_sg
Source: serverB_sg
Port range: 8000
Rule2:
Security group: serverA_sg
Source: serverC_sg
Port range: 8000

Then assign "serverB_sg" to serverB and "serverC_sg" to serverC.


The best practice in a VPC is to use security group references instead of CIDR blocks. Each logical group of servers should have its own separate security group, so that you control exactly which ports are open and can change the ports allowed for that group without affecting other server groups.
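The three designs in this thread differ in who ends up able to reach port 8000. The following model, added here as an illustration and not code from the original thread or from AWS, evaluates each design the way EC2 security groups are matched: groups are allow-only, a CIDR source matches on the caller's private address, and a group-reference source matches on the caller's group membership. The group names, instance names, the 10.0.1.0/24 subnet and the extra "other" host are all constructed for the example.

```python
"""Model of the three security-group designs discussed in the thread.

Constructed example: group names, instance names and the 10.0.1.0/24
addresses are made up. The evaluator mirrors how EC2 security groups are
matched (allow-only; any matching ingress rule on any attached group
permits the flow). It does not talk to AWS.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class SecurityGroup:
    name: str
    # (port, source): source is either a CIDR string or the name of another group
    ingress: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    groups: frozenset


def ingress_allowed(src, dst, port, sgs):
    """True if some group attached to dst has a rule for `port` matching src."""
    for gname in dst.groups:
        for rule_port, source in sgs[gname].ingress:
            if rule_port != port:
                continue
            if source in sgs:
                # Security-group reference: matches when src carries that group,
                # regardless of its address
                if source in src.groups:
                    return True
            elif ipaddress.ip_address(src.ip) in ipaddress.ip_network(source):
                # CIDR source: matches on the caller's private address only
                return True
    return False


def build(design):
    """Return (security groups, instances) for one of the thread's designs."""
    a_ip, b_ip, c_ip, x_ip = "10.0.1.10", "10.0.1.20", "10.0.1.30", "10.0.1.250"
    # Every instance carries at least one group; these two have no ingress rules
    sgs = {"client_sg": SecurityGroup("client_sg"), "misc_sg": SecurityGroup("misc_sg")}
    if design == "cidr":          # option 1: a /24 covering B, C and future hosts
        sgs["serverA_sg"] = SecurityGroup("serverA_sg", [(8000, "10.0.1.0/24")])
        a = Instance("serverA", a_ip, frozenset({"serverA_sg"}))
        b = Instance("serverB", b_ip, frozenset({"client_sg"}))
        c = Instance("serverC", c_ip, frozenset({"client_sg"}))
    elif design == "self":        # option 2: serverA_sg references itself, attached to all
        sgs["serverA_sg"] = SecurityGroup("serverA_sg", [(8000, "serverA_sg")])
        a = Instance("serverA", a_ip, frozenset({"serverA_sg"}))
        b = Instance("serverB", b_ip, frozenset({"serverA_sg"}))
        c = Instance("serverC", c_ip, frozenset({"serverA_sg"}))
    elif design == "per-role":    # the answer above: one group per logical role
        sgs["serverA_sg"] = SecurityGroup(
            "serverA_sg", [(8000, "serverB_sg"), (8000, "serverC_sg")])
        sgs["serverB_sg"] = SecurityGroup("serverB_sg")
        sgs["serverC_sg"] = SecurityGroup("serverC_sg")
        a = Instance("serverA", a_ip, frozenset({"serverA_sg"}))
        b = Instance("serverB", b_ip, frozenset({"serverB_sg"}))
        c = Instance("serverC", c_ip, frozenset({"serverC_sg"}))
    else:
        raise ValueError(design)
    # An unrelated host that happens to sit in the same subnet
    other = Instance("other", x_ip, frozenset({"misc_sg"}))
    return sgs, {"A": a, "B": b, "C": c, "other": other}


def evaluate(design):
    """Which flows on TCP/8000 does the design permit?"""
    sgs, i = build(design)
    return {
        "B->A": ingress_allowed(i["B"], i["A"], 8000, sgs),
        "C->A": ingress_allowed(i["C"], i["A"], 8000, sgs),
        "C->B": ingress_allowed(i["C"], i["B"], 8000, sgs),          # are clients exposed?
        "other->A": ingress_allowed(i["other"], i["A"], 8000, sgs),  # subnet neighbour
    }


if __name__ == "__main__":
    for d in ("cidr", "self", "per-role"):
        print(d, evaluate(d))
```

Running it shows the trade-off the question hints at: the CIDR design lets any host in the /24 (here "other") reach serverA, the self-referencing design makes serverB reachable from serverC on 8000 as the asker suspected, and only the per-role design limits port 8000 to exactly the B -> A and C -> A flows. In real AWS the per-role rules correspond to `aws ec2 authorize-security-group-ingress` with `--protocol tcp --port 8000 --source-group <sg-id>` run once per client group against serverA's group (the actual group ids are whatever your account assigns).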