I wanted to ask about connecting EC2 to RDP in AWS.
I have added my EC2 Security Group (that contains the EC2 instances) into the Default RDP Group and Data is flowi
Interested to know more on this as well. In practice I have never noticed "other traffic" getting to the RDS instance. Always assumed it was just the DB port that was allowed through to the RDS instance. Seems a little odd to allow other traffic through, in my opinion.
Overall, I think it is just the originating security group that is allowed through - it doesn't inherit the rules from the security group you allow.
I think it is the same as adding ingress from another security group, in that it allows traffic originating from that security group through, but not traffic that just happens to match one of the rules in the security group. (It's different than if you assign a security group to an instance on boot, in that all traffic that matches will be allowed: not traffic originating from said security group assigned on bootup.)
Note: Security groups are easy to get confused with, so I hope this helps
You do not need to worry about additional ports being opened up on RDS server.
The EC2 security groups are just treated like an access control list when used in RDS DB security policies.
Basically what you are saying is that you want to let any instances which belong to specific EC2 security group have access to the RDS instances using that DB security groups policy.
The specific rules defined in the EC2 security groups do not matter.
This behavior basically just gives you a convenient way to easily allow access from a cluster of servers with some common association (their security group).
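As an added illustration of the point made in this answer (not code from the thread or from AWS), here is a small Python model of the rule semantics: the boto3-shaped ingress entry for an RDS VPC security group that names the EC2 security group as its source, plus a simplified evaluator showing that only the rule's own port is opened and that the source group's own rules are never consulted. Group ids and rule sets are constructed placeholders, and the evaluator is a simplified model, not AWS's engine.

```python
"""Model of an RDS security group that names an EC2 security group as its
source (added example; constructed ids; simplified model, not AWS's engine)."""

APP_SG = "sg-0app"  # constructed: security group on the EC2 instances
RDS_SG = "sg-0rds"  # constructed: security group attached to the RDS instance


def rds_ingress_from_app_sg(app_sg_id: str, port: int = 3306) -> dict:
    """IpPermissions entry whose *source* is another security group.
    This is the shape boto3's
    ec2.authorize_security_group_ingress(GroupId=RDS_SG, IpPermissions=[...])
    accepts; the call itself is not made so the example runs offline."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": app_sg_id}],
    }


def allowed(rules: list, src_sgs: set, port: int) -> bool:
    """Evaluate inbound rules as the answer describes: a UserIdGroupPairs
    source matches on the sender's group *membership*; the sender's group's
    own rules are never looked at, and only this rule's port range opens.
    CIDR (IpRanges) sources are deliberately left out of this model."""
    for r in rules:
        if r["IpProtocol"] != "tcp" or not (r["FromPort"] <= port <= r["ToPort"]):
            continue
        for pair in r.get("UserIdGroupPairs", []):
            if pair["GroupId"] in src_sgs:
                return True
    return False


# Constructed rule sets: the app SG happens to allow SSH from anywhere;
# the RDS SG allows 3306 only from members of the app SG.
APP_SG_RULES = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
RDS_SG_RULES = [rds_ingress_from_app_sg(APP_SG)]


def demo() -> dict:
    """Three flows against the RDS SG; the app SG's SSH rule is not inherited."""
    return {
        "app_to_db_3306": allowed(RDS_SG_RULES, {APP_SG}, 3306),        # True
        "app_to_db_22": allowed(RDS_SG_RULES, {APP_SG}, 22),            # False
        "other_to_db_3306": allowed(RDS_SG_RULES, {"sg-0other"}, 3306), # False
    }
```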