Why not use the direct IP but a security group instead?

I was doing the question in the image below and the right answer blew my mind:

[question screenshot not available]

In my opinion, putting the ALB IP address would work, but the answer key suggests that I should put the ALB in a security group and tell the target instance that the ALB's security group is the source.

Why? Is it related to the fact that the target instance is inside a VPC?

I answered the question thinking that just putting the ALB IP as the source would be the correct answer.

First, 192.168.0.0/10 is not the ALB IP address, but rather the CIDR block of the entire VPC.

Second, even if the actual ALB IP address were among the answers, it wouldn't be the best answer. The docs explain why:

"The IP addresses for Classic Load Balancers and Application Load Balancers change over time. Avoid using this information to statically configure your applications to point to these IP addresses."

Whitelisting the VPC CIDR would effectively mean whitelisting the entire IP range defined by the CIDR, which could possibly include resources other than the load balancer.

Since the question asks how to ensure that only traffic coming from the load balancer is allowed, the right answer is indeed to allow the security group associated with the load balancer as the source.
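As an added illustration (not part of the answer above or of any AWS documentation), here are the two competing ingress rules in Terraform, the CIDR-based one from the quiz option beside the security-group-referenced one. The VPC id, the security group names and port 80 are assumptions; only one of the two ingress rules would be kept in a real deployment.

```hcl
# Added example, not from the original post. Assumes an existing VPC
# (var.vpc_id), an ALB and a target EC2 instance; names are hypothetical.

# Security group attached to the Application Load Balancer.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
}

# Security group attached to the target instance.
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}

# Weak variant (the quiz option): matches any address in the block, so every
# other resource in that range, not only the load balancer, can reach port 80.
# The ALB's own IPs also change over time, so pinning them is not an option.
resource "aws_security_group_rule" "app_from_vpc_cidr" {
  type              = "ingress"
  security_group_id = aws_security_group.app.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["192.168.0.0/10"] # value exactly as quoted in the question
}

# Correct variant: the source is the ALB's security group, so the rule follows
# the load balancer's network interfaces whatever IPs they currently hold and
# admits nothing else in the VPC.
resource "aws_security_group_rule" "app_from_alb_sg" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  protocol                 = "tcp"
  from_port                = 80
  to_port                  = 80
  source_security_group_id = aws_security_group.alb.id
}

# The ALB side needs a matching egress rule towards the instance group.
resource "aws_security_group_rule" "alb_to_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  protocol                 = "tcp"
  from_port                = 80
  to_port                  = 80
  source_security_group_id = aws_security_group.app.id
}
```

To verify the result, list the instance group's ingress with `aws ec2 describe-security-group-rules` and confirm the port-80 entry shows a referenced group id rather than a CIDR.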
