Why not using the direct IP but Security Group instead?
Question
I was doing the question in the image below and the right answer blew my mind:
In my opinion, putting the ALB IP address would work, but the right question answer suggests that I should put the ALB in a security group and say to the target instance that the ALB's security group is the source.
Why?
Is it related to the fact that the target instance is inside a VPC?
I answered the question thinking that just putting the ALB IP as the source would be the correct answer.
Answer 1
Score: 3
First, 192.168.0.0/10 is not the ALB IP address, but rather the CIDR block of the entire VPC.
Second, even if the actual ALB IP address were among the answers, it wouldn't be the best answer. The docs explain why:
> The IP addresses for Classic Load Balancers and Application Load Balancers change over time. Avoid using this information to statically configure your applications to point to these IP addresses.
Answer 2
Score: 2
Whitelisting the VPC CIDR would effectively mean whitelisting the entire IP range defined by the CIDR, which could possibly include resources other than the load balancer.
Since the question is asking how to ensure that only traffic coming from the load balancer is allowed, then the right answer is indeed allowing the security group associated with the load balancer.
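Added example, not part of the original question or answers: a small Python model of how the two candidate ingress rules behave. The rule dictionaries use the `IpPermissions` shape the EC2 API accepts (`IpRanges` with `CidrIp`, `UserIdGroupPairs` with `GroupId`); the matcher itself is a simplification of the real security-group evaluator, and the group IDs, addresses and flows are constructed sample values. It shows that the VPC-CIDR rule admits any host in the VPC, while the security-group rule follows the ALB even when its node addresses change.

```python
"""Model of security-group ingress matching: VPC CIDR vs. ALB security group.

Added example; not the original post's code and not AWS's evaluator.
Rule dicts follow the EC2 API IpPermissions shape; all IDs, addresses
and flows below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample IDs (placeholders, not real resources).
ALB_SG = "sg-0aaaaaaaaaaaaaaa1"   # security group attached to the ALB
WEB_SG = "sg-0bbbbbbbbbbbbbbb2"   # security group on the target instances

# Shapes as passed to ec2.authorize_security_group_ingress(
#     GroupId=WEB_SG, IpPermissions=[...]).
CIDR_RULE = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "192.168.0.0/10"}]}      # the quiz's VPC block
SG_RULE = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
           "UserIdGroupPairs": [{"GroupId": ALB_SG}]}         # the accepted answer


@dataclass(frozen=True)
class Flow:
    """One inbound packet as the instance's ENI sees it (constructed)."""
    src_ip: str
    src_groups: frozenset   # security groups on the sending ENI, if any
    protocol: str
    dst_port: int


def rule_matches(rule, flow):
    """True if a single ingress rule admits the flow.

    A CidrIp entry matches on the source address alone; a GroupId entry
    matches only when the sending ENI carries that security group, so
    the source address plays no part in it.
    """
    if rule["IpProtocol"] not in ("-1", flow.protocol):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= flow.dst_port <= rule["ToPort"]):
        return False
    for r in rule.get("IpRanges", []):
        # strict=False: the quiz's 192.168.0.0/10 has host bits set and
        # normalises to 192.128.0.0/10 (192.128.0.0 - 192.191.255.255).
        if ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(r["CidrIp"], strict=False):
            return True
    for pair in rule.get("UserIdGroupPairs", []):
        if pair["GroupId"] in flow.src_groups:
            return True
    return False


def allowed(rules, flow):
    """Security groups are allow-lists: any matching rule admits the flow."""
    return any(rule_matches(rule, flow) for rule in rules)


# Constructed flows. The ALB's node address is a private VPC address that
# AWS may reassign over time; the other senders are unrelated VPC members.
ALB_TODAY = Flow("192.168.10.5", frozenset({ALB_SG}), "tcp", 80)
ALB_AFTER_RESCALE = Flow("192.168.40.200", frozenset({ALB_SG}), "tcp", 80)
ROGUE_VPC_HOST = Flow("192.168.99.9", frozenset({"sg-0cccccccccccccccc3"}), "tcp", 80)
INTERNET_CLIENT = Flow("203.0.113.7", frozenset(), "tcp", 80)


def compare():
    """Evaluate every sample flow under each rule, keyed by flow name."""
    flows = {"alb_today": ALB_TODAY, "alb_after_rescale": ALB_AFTER_RESCALE,
             "rogue_vpc_host": ROGUE_VPC_HOST, "internet_client": INTERNET_CLIENT}
    return {name: {"cidr_rule": allowed([CIDR_RULE], f),
                   "sg_rule": allowed([SG_RULE], f)} for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:18} cidr_rule={verdict['cidr_rule']!s:5} sg_rule={verdict['sg_rule']}")
```

The `rogue_vpc_host` row is the point of Answer 2: under the CIDR rule it is admitted alongside the load balancer, under the security-group rule it is not. The `alb_after_rescale` row is the point of Answer 1: the group-referenced rule keeps admitting the ALB after its node address changes, with no rule edit required.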