Does traffic skip my AWS ELB if I don't specify its security group in my EB environment's inbound rules?


Question

I have an AWS Elastic Beanstalk environment that is created with an Elastic Load Balancer, and which specifies the default ELB security group ("ELB created security group used when no security group is specified during ELB creation") as the source for inbound HTTP.

If I replace this default ELB security group as the source for my environment's security group's inbound rules with a port range, does traffic

  • still go through the ELB?
  • still get filtered by the ELB's security group rules?

or does traffic then "skip" the ELB (or at least its security group) and come directly to my instances?

Answer

It sounds like you're confusing the concept of network routing with firewall rules. The security groups will not affect where traffic is directed.

Network routing:

  • Your DNS settings direct traffic to your ELB.
  • The ELB configuration funnels the traffic it receives to the EC2 instances registered with it.

Security groups:

  • Your ELB and your EC2 instances each have security groups assigned to them. Whatever network routing rule directed the traffic there, the firewall asks "do I allow traffic from a.b.c.d/R on port X?"

So, to answer your questions:

Yes, you can update the security group of your EB environment to allow traffic from an ELB. Doing so will not impact where that ELB will direct traffic.

Yes, if the network routing you have in place sends traffic first to an ELB and then to an EC2 instance, the traffic must meet the requirements of the ELB's security group & the EC2 instance's security group. If your instances are in a private subnet, the ELB cannot be skipped when starting from an external endpoint. If the EC2 instances are in a public subnet, a user could access your instance directly if your firewall rules allow it.

However, I highly suspect that you're thinking something is going to happen here that won't. I urge you to read up on networking. A good starting spot would be the VPC documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenarios.html). Work through the scenarios to understand what the role of each component is.
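The answer's distinction between routing and filtering can be made concrete with a small model of how a security group evaluates an ingress rule set. This is an added example, not code from the question or the answer: the security-group IDs, the addresses and the traffic are constructed placeholders, and `is_allowed`/`reachable_directly` are hypothetical helpers. The rule dictionaries follow the `IpPermissions` shape that EC2's `AuthorizeSecurityGroupIngress` API accepts, so the two rule sets are exactly what you would hand to the API: the instance security group referencing the ELB's security group as its source, beside the weaker variant that opens a port range to `0.0.0.0/0`.

```python
"""Model of how an EC2 security group filters (but does not route) traffic.

Added example, not from the original question or answer. Security-group IDs,
addresses and traffic below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

ELB_SG = "sg-0elb00000000example"       # constructed placeholder id
INSTANCE_SG = "sg-0ec200000000example"  # constructed placeholder id


def rule_from_sg(port, source_sg):
    """Ingress rule whose source is another security group (here the ELB's).

    This is the IpPermissions shape used by AuthorizeSecurityGroupIngress."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def rule_from_cidr(from_port, to_port, cidr):
    """Ingress rule whose source is a CIDR range (same API shape)."""
    return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    src_groups: frozenset = frozenset()  # SGs attached to the sending ENI


def is_allowed(rules, pkt):
    """Security groups are allow-lists: any matching ingress rule permits the packet.

    Hypothetical helper that mirrors the firewall question from the answer:
    'do I allow traffic from this source on this port?'"""
    for rule in rules:
        if rule["IpProtocol"] != "tcp":
            continue
        if not (rule["FromPort"] <= pkt.dst_port <= rule["ToPort"]):
            continue
        # Source given as a security group: match on the sender's attached SGs.
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] in pkt.src_groups:
                return True
        # Source given as a CIDR: match on the sender's IP address.
        for rng in rule.get("IpRanges", []):
            if ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


def reachable_directly(rules, pkt, public_ip):
    """Routing and filtering are separate questions: a client on the internet can
    only reach the instance directly if routing gives it a path (public subnet
    with a public IP) AND the instance's security group allows the source."""
    return bool(public_ip) and is_allowed(rules, pkt)


# Instance security group, locked to the ELB's security group as the only source.
SG_LOCKED_TO_ELB = [rule_from_sg(80, ELB_SG)]

# Weaker variant: a port range opened to everyone instead of the ELB's group.
SG_OPEN_PORT_RANGE = [rule_from_cidr(80, 8080, "0.0.0.0/0")]

# Constructed traffic: a request forwarded by an ELB node (its ENI carries the
# ELB security group), and a request sent straight from an internet host.
FROM_ELB = Packet("10.0.1.25", 80, frozenset({ELB_SG}))
DIRECT = Packet("198.51.100.7", 80)


def evaluate(rules):
    """Outcome of both packets against one instance security group."""
    return {"via_elb": is_allowed(rules, FROM_ELB),
            "direct": is_allowed(rules, DIRECT)}


if __name__ == "__main__":
    print("locked to ELB SG :", evaluate(SG_LOCKED_TO_ELB))
    print("open port range  :", evaluate(SG_OPEN_PORT_RANGE))
    for public in (False, True):
        print(f"direct reach, open SG, public_ip={public}:",
              reachable_directly(SG_OPEN_PORT_RANGE, DIRECT, public))
```

Neither rule set changes where the ELB sends traffic; both accept the ELB's forwarded request. The difference shows up only for the direct packet: the group-referenced rule rejects it regardless of subnet, while the open port range accepts it, and whether that ever matters is decided by routing (`public_ip`), which is the private-subnet point the answer makes.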

