VPC Gateway Endpoint & Security Group

0

Briefly, does a VPC Gateway Endpoint or a VPC Load Balancer Gateway that is powered by PrivateLink leverage a "Security Group"? According to the following references from AWS, it seems that a VPC Gateway Endpoint does leverage a "Security Group":

  1. In the AWS doc titled ["Gateway endpoints for Amazon S3"](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html), one of the considerations reads:

     > The outbound rules for the security group for instances that access Amazon S3 through the gateway endpoint must allow traffic to Amazon S3. You can use the prefix list ID for Amazon S3 as the destination in the outbound rule.

  2. re:Post question ["Why can't I connect to an S3 bucket using a gateway VPC endpoint?"](https://repost.aws/de/knowledge-center/connect-s3-vpc-endpoint)

On the contrary, in one of the online courses that I attend, the instructor claimed that a VPC Gateway Endpoint does not leverage a "Security Group" at all !?!

Could you please clarify this misunderstanding?

Asked 1 year ago, 1265 views
3 answers
2

There are not two types of Security Group - only one. Think of a Security Group as a firewall on a network interface (ENI, or Elastic Network Interface). Anything that has an ENI in your VPC can have a Security Group; that includes EC2 instances and VPC Interface Endpoints. It does NOT include VPC Gateway Endpoints, which are kind of a "routing hack" where you enter routes into your route table to access a gateway rather than traffic being directed to an ENI via DNS.

You asked about "Load Balancer Gateway" - do you mean "Gateway Load Balancer"? This is also powered by PrivateLink so client endpoints have ENIs and Security Groups.

Expert
Answered 1 year ago
  • Thanks for the clarification. Now it is clear. The problem was my understanding that a "Security Group" operates on the instance level, while NACLs operate on the subnet level. According to your explanation, anything that has an ENI in a VPC can have a "Security Group", which definitely makes sense.

1

Hi, when the above comments are talking about security groups, they're talking about security groups used by the compute resources (i.e. EC2, VPC Lambda, etc.) rather than security groups attached to the endpoints.

However, to clarify, endpoints are accessed via Elastic Network Interfaces (ENIs): when you create an endpoint, it will create network interfaces to allow you to connect to the endpoint. Unless overridden, these interfaces use the default security group in the VPC. This is normally configured to allow all incoming network traffic. However, you can override this if required by creating a new security group and attaching it to the ENI, so you could, for example, only allow access to the ENI from compute resources with a specific IP or IP range.

Answered 1 year ago
  • What about "Load Balancer Gateway" powered by PrivateLink. Does it leverage a "Security Group"?

  • You're absolutely correct, but this is only with the type "VPC Endpoint interface" that is powered by "PrivateLink". Still not getting a clear answer to my question.
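One way to check what the two answers above describe against real account data, as an added example (not code from the thread, from AWS, or from any of the posters): the script below takes records in the shape of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` output (the sample records and every id in them are constructed placeholders), reports which endpoints carry security groups and which gateway endpoints appear only in route tables, flags interface endpoints still on the VPC default security group, and checks whether an instance security group's egress rules satisfy the quoted AWS requirement that traffic to the S3 prefix list be allowed. The prefix list id is assumed; the real one is region specific.

```python
"""Audit how VPC endpoints and security groups relate.

Added example for the re:Post thread; not AWS code. The data below is
constructed to mirror the shape of `aws ec2 describe-vpc-endpoints` and
`aws ec2 describe-security-groups` output; all ids are placeholders.
"""
from typing import Dict, List

S3_PREFIX_LIST_ID = "pl-EXAMPLE-s3"  # placeholder; the real id is region specific

# Constructed: one gateway endpoint (route-table entries only, no ENI, so no
# Groups) and one PrivateLink interface endpoint whose ENI kept the default SG.
ENDPOINTS: List[dict] = [
    {"VpcEndpointId": "vpce-gw-s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.s3",
     "RouteTableIds": ["rtb-private-a"], "Groups": [], "NetworkInterfaceIds": []},
    {"VpcEndpointId": "vpce-if-ssm", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.eu-west-1.ssm",
     "RouteTableIds": [], "NetworkInterfaceIds": ["eni-EXAMPLE"],
     "Groups": [{"GroupId": "sg-default", "GroupName": "default"}]},
]


def _rule(proto: str, ports=None, cidrs=(), prefix_lists=()) -> dict:
    """Build one IpPermissions entry in the describe-security-groups shape."""
    rule = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "PrefixListIds": [{"PrefixListId": p} for p in prefix_lists],
            "UserIdGroupPairs": []}
    if ports:
        rule["FromPort"], rule["ToPort"] = ports
    return rule


# Constructed: the default SG, an app SG that follows the AWS advice (egress
# to the S3 prefix list), and one whose egress is locked to a private range.
SECURITY_GROUPS: List[dict] = [
    {"GroupId": "sg-default", "GroupName": "default",
     "IpPermissionsEgress": [_rule("-1", cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-app", "GroupName": "app",
     "IpPermissionsEgress": [_rule("tcp", (443, 443), prefix_lists=[S3_PREFIX_LIST_ID])]},
    {"GroupId": "sg-locked", "GroupName": "locked",
     "IpPermissionsEgress": [_rule("tcp", (443, 443), cidrs=["10.0.0.0/8"])]},
]


def endpoint_security_groups(endpoints: List[dict]) -> Dict[str, List[str]]:
    """Map endpoint id -> attached SG ids. Gateway endpoints are skipped: they
    have no ENI, so there is nothing for a security group to attach to."""
    return {e["VpcEndpointId"]: [g["GroupId"] for g in e.get("Groups", [])]
            for e in endpoints if e["VpcEndpointType"] != "Gateway"}


def gateway_endpoint_routes(endpoints: List[dict]) -> Dict[str, List[str]]:
    """Map gateway endpoint id -> the route tables it is associated with; the
    route table is the only place a gateway endpoint is wired into the VPC."""
    return {e["VpcEndpointId"]: list(e.get("RouteTableIds", []))
            for e in endpoints if e["VpcEndpointType"] == "Gateway"}


def interface_endpoints_on_default_sg(endpoints: List[dict]) -> List[str]:
    """Interface endpoints still using the VPC default SG, i.e. candidates for
    a purpose-built group that only admits the intended compute resources."""
    return [e["VpcEndpointId"] for e in endpoints
            if e["VpcEndpointType"] == "Interface"
            and any(g["GroupName"] == "default" for g in e.get("Groups", []))]


def _covers_https(rule: dict) -> bool:
    """True if the rule includes TCP/443 (all-protocol rules count)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)


def egress_allows_s3_gateway(group: dict, s3_prefix_list_id: str) -> bool:
    """Can instances in this SG reach S3 through the gateway endpoint? Yes when
    an egress rule covering TCP/443 targets the S3 prefix list or 0.0.0.0/0.
    A narrower CIDR is treated conservatively as a miss: deciding otherwise
    would need the prefix list's entries, which this sample does not carry."""
    for rule in group.get("IpPermissionsEgress", []):
        if not _covers_https(rule):
            continue
        if any(p["PrefixListId"] == s3_prefix_list_id for p in rule.get("PrefixListIds", [])):
            return True
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False


def audit(endpoints: List[dict], groups: List[dict], s3_prefix_list_id: str) -> dict:
    """Collect the findings in one dict so they can be reported or asserted."""
    return {
        "endpoint_sgs": endpoint_security_groups(endpoints),
        "gateway_routes": gateway_endpoint_routes(endpoints),
        "on_default_sg": interface_endpoints_on_default_sg(endpoints),
        "sgs_blocked_from_s3": sorted(g["GroupId"] for g in groups
                                      if not egress_allows_s3_gateway(g, s3_prefix_list_id)),
    }


if __name__ == "__main__":
    for key, value in audit(ENDPOINTS, SECURITY_GROUPS, S3_PREFIX_LIST_ID).items():
        print(f"{key}: {value}")
```

On real data, feed the script the `VpcEndpoints` and `SecurityGroups` arrays from the two CLI calls and the region's S3 prefix list id; the gateway endpoint shows up only under `gateway_routes`, while the interface endpoint is the one that carries a security group.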

0

I quite get it now, but it is not clear to me yet. Basically, we have two types of "Security Groups" in AWS:

  1. VPC Security Group, e.g. "Default VPC Security Group".
  2. Instance Security Group, e.g. "launch-wizard"
Answered 1 year ago
