There aren't two types of Security Group - only one. Think of a Security Group as a firewall on a network interface (ENI, or Elastic Network Interface). Anything that has an ENI in your VPC can have a Security Group; that includes EC2 instances and VPC Interface Endpoints. It does NOT include VPC Gateway Endpoints, which are kind of a "routing hack" where you enter routes into your route table to access a gateway rather than traffic being directed to an ENI via DNS.
You asked about "Load Balancer Gateway" - do you mean "Gateway Load Balancer"? This is also powered by PrivateLink so client endpoints have ENIs and Security Groups.
Hi, when the above comments are talking about security groups, they're talking about security groups used by the compute resources (i.e. EC2, vpc lambda etc.) rather than security groups attached to the endpoints.
However, to clarify, endpoints are accessed via Elastic Network Interfaces (ENIs) - when you create an endpoint, it will create network interfaces to allow you to connect to the endpoint. Unless overridden, these interfaces use the default security group in the VPC. This is normally configured to allow all incoming network traffic. However, you can override this if required by creating a new security group and attaching it to the ENI, so you could, for example, only allow access to the ENI from compute resources with a specific IP or IP range.
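As an added example (not part of this thread), the check a defender would run after reading the above: list the ENIs that belong to interface endpoints and flag any whose attached security groups allow inbound traffic from a wide CIDR. The data below is constructed to mirror the shape of boto3's `describe_network_interfaces` and `describe_security_groups` output, so it runs offline; the ENI, group and endpoint IDs are placeholders.

```python
import ipaddress

# Constructed sample data (placeholder IDs, not from a real account).
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "vpc_endpoint",
     "Description": "VPC Endpoint Interface vpce-0111",
     "Groups": [{"GroupId": "sg-default", "GroupName": "default"}]},
    {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "vpc_endpoint",
     "Description": "VPC Endpoint Interface vpce-0222",
     "Groups": [{"GroupId": "sg-locked", "GroupName": "vpce-restricted"}]},
    {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "interface",
     "Description": "Primary network interface",
     "Groups": [{"GroupId": "sg-default", "GroupName": "default"}]},
]

# GroupId -> IpPermissions (inbound rules), as describe_security_groups returns them.
SECURITY_GROUPS = {
    # Default group left wide open: HTTPS from anywhere.
    "sg-default": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    # Custom group: only the application subnet may reach the endpoint.
    "sg-locked": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                   "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
}


def broad_ingress(rules, max_prefix=16):
    """Return inbound CIDRs in the rule set wider than /max_prefix."""
    found = []
    for rule in rules:
        for r in rule.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]).prefixlen < max_prefix:
                found.append(r["CidrIp"])
    return found


def audit_endpoint_enis(interfaces, groups):
    """Map each interface-endpoint ENI to the over-broad inbound CIDRs on its SGs."""
    findings = {}
    for eni in interfaces:
        if eni["InterfaceType"] != "vpc_endpoint":
            continue  # EC2 and other ENIs are out of scope for this check
        cidrs = []
        for g in eni["Groups"]:
            cidrs += broad_ingress(groups.get(g["GroupId"], []))
        if cidrs:
            findings[eni["NetworkInterfaceId"]] = sorted(set(cidrs))
    return findings


if __name__ == "__main__":
    for eni_id, cidrs in audit_endpoint_enis(NETWORK_INTERFACES, SECURITY_GROUPS).items():
        print(f"{eni_id}: inbound open to {', '.join(cidrs)}")
```

Only the endpoint ENI still on the default group is reported; the one with the custom /24-scoped group passes.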
What about "Load Balancer Gateway" powered by PrivateLink? Does it leverage "Security Group"?
You're absolutely correct, but this is only with the type "VPC Endpoint interface" that is powered by "PrivateLink". Still not getting a clear answer to my question.
I quite get it now, but it is not yet clear to me. Basically, we have two types of "Security Groups" in AWS:
- VPC Security Group, e.g. "Default VPC Security Group".
- Instance Security Group, e.g. "launch-wizard"
Thanks for the clarification. Now it is clear. The problem was my understanding that a "Security Group" operates at the instance level, while NACLs operate at the subnet level. According to your explanation, anything that has an ENI in a VPC can have a "Security Group", which definitely makes sense.