What are all the resources that can be associated with a security group in AWS?


Question

The AWS docs are almost useless when trying to describe an entire system. Is there any resource or compiled list of all the resources that can belong to a security group and the different types of security groups?

Here is what I have so far:

  • EC2-Classic instances
  • EC2-VPC instances
  • RDS
  • ElastiCache

Anything else I'm missing? Any really good doc resource I'm missing?

Recommended answer

The main concept to understand about an AWS Security Group is that it determines what traffic is permitted in/out of a resource on a virtual network.

Therefore, think about what can be launched "into" a virtual network:

  • Amazon EC2 instances
  • Services that launch EC2 instances:
    • AWS Elastic Beanstalk
    • Amazon Elastic MapReduce

Services that use EC2 instances (without appearing directly in the EC2 service):

  • Amazon RDS (Relational Database Service)
  • Amazon Redshift
  • Amazon ElastiCache
  • Amazon CloudSearch

  • Elastic Load Balancing

Resources do not "belong" to a security group. Rather, one or more Security Groups are associated to a resource. This is often a difficult concept to understand since Security Groups have similar abilities to firewalls, and firewalls generally "encase" a number of devices. Rather than "belonging to", or "being encased by", a security group, the virtual network simply uses the definitions contained within a security group to determine what traffic to permit in/out of the resource.

For example, imagine two EC2 instances that are associated with a "Web" security group and the security group is configured to permit incoming traffic on port 80. While both instances are associated to the same security group, they cannot communicate with each other. This is because they do not "belong" to the security group, and are not "within" the security group. Rather, the security group definition is used to filter traffic in/out of the instances. The security group can, of course, be configured to permit incoming traffic from the security group itself (a self-reference), which really means that incoming traffic is permitted from any resource that is, itself, associated with the security group. (See, I told you that it's a difficult concept to grasp!)

Also, a security group is not actually associated with an EC2 instance within a VPC. Rather, the security group is associated with the Elastic Network Interface (ENI) that is attached to an EC2 instance. Think of the ENI as a "network card" that links an instance to a VPC subnet. An instance can have multiple ENIs and can therefore connect to multiple subnets. Each ENI can have its own association with security groups. Thus, the actual security groups being used depend upon where the traffic flows in/out of the instance, rather than actually being associated with the instance.

There are also only two types of security group:

  • EC2-Classic (legacy network configuration)
  • EC2-VPC (modern private network configuration)

Either type of security group can be associated with any other resource, as long as they are in the same network type (classic or VPC).
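The model described in this answer, as an added illustration that is not part of the original post and not AWS code: a small Python simulator that attaches security groups to ENIs (not instances), evaluates inbound rules with the allow-only/implicit-deny and stateful semantics of real security groups, and shows why two "Web" instances cannot reach each other until a self-referencing rule is added. It assumes the "Web" group's port-80 rule names a separate `sg-elb` group as its source rather than `0.0.0.0/0` (a `0.0.0.0/0` source would already match the instances' own private addresses); the group ids, ENI ids and addresses are constructed for the example.

```python
"""Toy model of how AWS security groups are evaluated (added example, not AWS code).

Assumptions: security groups are allow-only with an implicit deny and are
stateful, so only the inbound direction of a new connection is evaluated;
groups are attached to ENIs rather than instances; all ids and addresses
below are made up for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int   # inclusive port range; ignored when protocol is "-1"
    to_port: int
    source: str      # CIDR such as "10.0.0.0/16", or a group id such as "sg-web"


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass
class ENI:
    eni_id: str
    private_ip: str
    group_ids: List[str]     # the security groups associated with this interface


class VPC:
    def __init__(self, groups: List[SecurityGroup], enis: List[ENI]):
        self.groups: Dict[str, SecurityGroup] = {g.group_id: g for g in groups}
        self.enis: Dict[str, ENI] = {e.eni_id: e for e in enis}

    def _source_matches(self, rule: Rule, src: ENI) -> bool:
        # A group-id source matches when the *sending* ENI carries that group;
        # a CIDR source matches on the sender's private IP.
        if rule.source.startswith("sg-"):
            return rule.source in src.group_ids
        return ip_address(src.private_ip) in ip_network(rule.source)

    @staticmethod
    def _port_matches(rule: Rule, protocol: str, port: int) -> bool:
        if rule.protocol == "-1":
            return True
        return rule.protocol == protocol and rule.from_port <= port <= rule.to_port

    def ingress_allowed(self, src_eni: str, dst_eni: str, protocol: str, port: int) -> bool:
        """True if a new connection from src_eni to dst_eni would be accepted.

        Every group on the destination ENI is consulted; one matching rule in
        any of them is enough. Nothing matching means implicit deny.
        """
        src, dst = self.enis[src_eni], self.enis[dst_eni]
        for gid in dst.group_ids:
            for rule in self.groups[gid].ingress:
                if self._port_matches(rule, protocol, port) and self._source_matches(rule, src):
                    return True
        return False


def build_sample_vpc(self_reference: bool = False) -> VPC:
    """Constructed sample: a load-balancer group (sg-elb) feeding a 'Web' group.

    sg-web only admits port 80 from sg-elb, so two web instances that share
    sg-web cannot reach each other until a self-referencing rule is added.
    Instance A also has a second ENI in a management subnet with its own group.
    """
    web = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "sg-elb")])
    if self_reference:
        web.ingress.append(Rule("tcp", 80, 80, "sg-web"))   # the self-reference
    elb = SecurityGroup("sg-elb", [Rule("tcp", 80, 80, "0.0.0.0/0")])
    mgmt = SecurityGroup("sg-mgmt", [Rule("tcp", 22, 22, "10.0.9.0/24")])
    enis = [
        ENI("eni-elb", "10.0.1.10", ["sg-elb"]),
        ENI("eni-web-a", "10.0.2.11", ["sg-web"]),          # primary ENI of instance A
        ENI("eni-web-a-mgmt", "10.0.9.11", ["sg-mgmt"]),    # second ENI of instance A
        ENI("eni-web-b", "10.0.2.12", ["sg-web"]),
        ENI("eni-bastion", "10.0.9.5", ["sg-mgmt"]),
    ]
    return VPC([web, elb, mgmt], enis)


if __name__ == "__main__":
    vpc = build_sample_vpc()
    print("elb -> web-a :80            ", vpc.ingress_allowed("eni-elb", "eni-web-a", "tcp", 80))
    print("web-a -> web-b :80          ", vpc.ingress_allowed("eni-web-a", "eni-web-b", "tcp", 80))
    vpc = build_sample_vpc(self_reference=True)
    print("web-a -> web-b :80 (selfref)", vpc.ingress_allowed("eni-web-a", "eni-web-b", "tcp", 80))
    # Same instance, different ENI: SSH is admitted on the management interface only.
    print("bastion -> web-a-mgmt :22   ", vpc.ingress_allowed("eni-bastion", "eni-web-a-mgmt", "tcp", 22))
    print("bastion -> web-a :22        ", vpc.ingress_allowed("eni-bastion", "eni-web-a", "tcp", 22))
```

The last two checks are the ENI point from the answer: the same instance accepts SSH on its management interface and refuses it on its web interface, because each ENI carries its own group set and the rules that apply are those on the interface the packet actually arrives at.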
