Restrict EC2 security group to Elastic Beanstalk instances

Views: 86

Question

I have my MongoDB deployed in an EC2 instance, nice and steady. I will (hopefully) have my Elastic Beanstalk load-balanced Web App launched soon using Docker. However, I feel like my Database is too sensitive to dockerize or beanstalk-ize, so I wanna keep it in a plain EC2 instance.

My issue is with regard to the security groups. How can I create a security group that will only accept MongoDB traffic (port 27017) from the Elastic Beanstalk? Since EC2 instances will get created and destroyed arbitrarily, maybe I can get the least-common subnet of those?

Recommended answer

When you create your Elastic Beanstalk application, you will choose a security group to assign to its EC2 instances.

For your MongoDB security group, allow traffic on port 27017 for the EB EC2's security group. If done this way, then only EC2 instances using that security group can access the MongoDB instance.

Note, when accessing your MongoDB instance from your EB app's EC2 instance, make sure you use the private IP address of the MongoDB instance, and not the public IP address. If you use the public IP address, then AWS doesn't recognize the connection as originating from the EB security group and will deny the connection.
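The rule the answer describes, as an added example that is not part of the original post: a builder for the 27017 ingress entry keyed to the Elastic Beanstalk instances' security group (the shape boto3's `describe_security_groups` returns for `IpPermissions`), plus an audit that flags any 27017 rule keyed to a CIDR or to an unexpected group instead. The group IDs and rules are constructed placeholders.

```python
"""Build and audit the MongoDB ingress rule from the answer (constructed example)."""

MONGO_PORT = 27017


def mongo_ingress_rule(eb_sg_id: str) -> dict:
    """IpPermissions entry: TCP 27017 from the EB instance security group.

    The source is a security group, not a CIDR, so every instance EB launches
    or replaces is covered as long as it carries eb_sg_id. Because the match is
    on the source group, clients must connect to the Mongo host's private IP.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": MONGO_PORT,
        "ToPort": MONGO_PORT,
        "UserIdGroupPairs": [{"GroupId": eb_sg_id}],
    }


def audit_mongo_rules(ip_permissions: list, allowed_sg_ids: set) -> list:
    """Return findings for ingress rules that expose port 27017 more widely
    than intended: a CIDR source, or a source group not in allowed_sg_ids.
    IpProtocol "-1" means all protocols/ports and therefore covers 27017."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        covers_mongo = proto == "-1" or (proto == "tcp" and lo <= MONGO_PORT <= hi)
        if not covers_mongo:
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"port {MONGO_PORT} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            if gid not in allowed_sg_ids:
                findings.append(f"port {MONGO_PORT} open to unexpected group {gid}")
    return findings


if __name__ == "__main__":
    # Constructed group IDs, not real resources.
    eb_sg, stray_sg = "sg-0eb0eb0eb0eb0eb0e", "sg-0bad0bad0bad0bad0"
    good = [mongo_ingress_rule(eb_sg)]
    bad = [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": stray_sg}]},
    ]
    print("good:", audit_mongo_rules(good, {eb_sg}))  # []
    print("bad:", audit_mongo_rules(bad, {eb_sg}))    # two findings
```

To apply the rule for real, pass the dict from `mongo_ingress_rule` as `IpPermissions=[...]` to boto3's `authorize_security_group_ingress` on the MongoDB instance's group.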
