I was doing the question in the image below and the right answer blew my mind:
In my opinion putting the ALB IP address would work, but the right answer suggests that I should put the ALB in a security group and tell the target instance that the ALB's security group is the source.
Why? Is it related to the fact that the target instance is inside a VPC?
I answered the question thinking that just putting the ALB IP as the source would be the correct answer.
CodePudding user response:
Whitelisting the VPC CIDR would effectively mean whitelisting the entire IP range defined by the CIDR, which could possibly include resources other than the load balancer.
Since the question is asking how to ensure that only traffic coming from the load balancer is allowed, then the right answer is indeed allowing the security group associated with the load balancer.
CodePudding user response:
First, 192.168.0.0/10 is not the ALB IP address, but rather the CIDR block of the entire VPC.
Second, even if the actual ALB IP address were among the answers, it wouldn't be the best answer. The docs explain why:
The IP addresses for Classic Load Balancers and Application Load Balancers change over time. Avoid using this information to statically configure your applications to point to these IP addresses.
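The difference between the three candidate sources (the VPC CIDR, a fixed ALB IP, and the ALB's security group) can be shown by simulating how a security group ingress rule is evaluated. The following is an added example, not code from the question, either answer, or AWS; it models the evaluation in plain Python rather than calling the EC2 API. The two rule-builder functions return dicts in the shape boto3 expects for the `IpPermissions` argument of `authorize_security_group_ingress`; every ID (`sg-...`), interface name and IP address below is constructed for illustration.

```python
"""Simulate security group ingress evaluation for the three candidate sources.

Constructed scenario: a VPC (10.0.0.0/16) holding the ALB's two ENIs, an
unrelated EC2 instance, and an external client. All IDs/addresses are made up.
"""
import ipaddress
from typing import Dict, Set, Tuple

VPC_CIDR = "10.0.0.0/16"
SG_ALB = "sg-0000000000000alb"   # assumed ID of the load balancer's security group
SG_ROGUE = "sg-00000000000rogue"  # assumed ID of some other instance's security group

# interface name -> (private/public IP, security groups attached to it). Constructed.
Enis = Dict[str, Tuple[str, Set[str]]]
ENIS: Enis = {
    "alb-eni-az1":  ("10.0.1.10", {SG_ALB}),
    "alb-eni-az2":  ("10.0.2.10", {SG_ALB}),
    "rogue-ec2":    ("10.0.3.25", {SG_ROGUE}),
    "internet-src": ("203.0.113.7", set()),
}


def cidr_rule(cidr: str, port: int = 80) -> dict:
    """Ingress permission with a CIDR source (boto3 IpPermissions entry shape)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def sg_ref_rule(source_sg: str, port: int = 80) -> dict:
    """Ingress permission whose source is another security group (UserIdGroupPairs)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def allowed_sources(rule: dict, enis: Enis, port: int = 80) -> Set[str]:
    """Return the names of the interfaces that one ingress rule admits on `port`.

    CIDR sources match on the interface's IP; security-group sources match on
    the groups attached to the interface, regardless of its IP.
    """
    if not (rule["FromPort"] <= port <= rule["ToPort"]):
        return set()
    admitted: Set[str] = set()
    for name, (ip, groups) in enis.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            admitted.add(name)
        if any(p["GroupId"] in groups for p in rule.get("UserIdGroupPairs", [])):
            admitted.add(name)
    return admitted


def rotate_alb_ips(enis: Enis) -> Enis:
    """Model the ALB's addresses changing over time; its security group does not."""
    rotated = dict(enis)
    rotated["alb-eni-az1"] = ("10.0.1.77", {SG_ALB})
    rotated["alb-eni-az2"] = ("10.0.2.91", {SG_ALB})
    return rotated


if __name__ == "__main__":
    later = rotate_alb_ips(ENIS)
    for label, rule in [("VPC CIDR", cidr_rule(VPC_CIDR)),
                        ("one ALB IP", cidr_rule("10.0.1.10/32")),
                        ("ALB security group", sg_ref_rule(SG_ALB))]:
        print(f"{label:19} now: {sorted(allowed_sources(rule, ENIS))}"
              f"  after IP change: {sorted(allowed_sources(rule, later))}")
```

Running it shows the two failure modes the answers describe: the VPC CIDR rule admits the unrelated instance alongside the ALB, and a rule pinned to one ALB address covers only one of the ALB's interfaces and admits nothing once the address changes, while the security-group reference admits exactly the ALB's interfaces before and after the change.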