I wanted to know the difference between security groups and an internal prefix list, and which would be best for not allowing external traffic to enter the cloud?
CodePudding user response:
A Security Group is a firewall on an individual resource in an Amazon VPC.
For example, you could add a Security Group to an Amazon EC2 instance that only permits access on port 80 and 443 (HTTP and HTTPS). Any requests going to other ports would be blocked before reaching the instance. You could then add another rule that permits access to port 22 (SSH) but only from your IP address. You could connect, but requests from any other IP address would be blocked.
Rules can be configured for Inbound connections (going into the instance) and also for Outbound connections (requests leaving the instance). Requests are stateful, meaning that a request in one direction will always be permitted a response in the other direction. For example, if there is an Inbound rule permitting port 80, then the instance will be able to respond to an HTTP request without needing an Outbound rule that specifically permits the response.
Security Groups can also refer to each other. For example:
- An Amazon EC2 instance running an application would have a Security Group permitting inbound HTTP and HTTPS connections, and all Outbound connections
- An Amazon RDS database in the same VPC would have a Security Group permitting inbound database connections from the Security Group on the Amazon EC2 instance
That is, the database security group specifically refers to the instance security group. Any instance associated with the EC2 security group would be allowed to access the database.
When defining rules in a Security Group, you specify a CIDR that defines the IP address(es) that are permitted by the rule. For example, 0.0.0.0/0 means the entire Internet, while 1.2.3.0/24 means all IP addresses starting with 1.2.3.x.
Prefix Lists are simply a pre-defined list of CIDRs. They make it easier to define rules by permitting access from a specific Prefix List rather than having to define multiple rules with one CIDR per rule. So, prefix lists can be used by a Security Group.
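The layout the answer describes, written out as Terraform, as an added example that is not part of the answer above and not AWS-provided code. It shows the three points made there: CIDR-based rules (HTTP/HTTPS from 0.0.0.0/0, SSH from one address), a database security group that refers to the web security group instead of any IP range, and a customer-managed prefix list used in place of several one-CIDR rules. The resource names, the vpc_id input and the admin address are assumptions; the office ranges are constructed from documentation address space.

```hcl
# Added example (not from the original answer): web and database tiers
# with security groups that reference each other, plus a prefix list.
# All names, the VPC id and the admin CIDR are assumptions.

variable "vpc_id" {
  description = "Existing VPC to place the security groups in (assumed)"
  type        = string
}

variable "admin_cidr" {
  description = "Your own public address as a /32 (placeholder from 203.0.113.0/24)"
  type        = string
  default     = "203.0.113.10/32"
}

# A customer-managed prefix list: one named, reusable set of CIDRs.
resource "aws_ec2_managed_prefix_list" "office" {
  name           = "office-ranges"
  address_family = "IPv4"
  max_entries    = 5

  entry {
    cidr        = "198.51.100.0/24" # constructed sample range
    description = "office A"
  }
  entry {
    cidr        = "192.0.2.0/24" # constructed sample range
    description = "office B"
  }
}

# Web tier: HTTP and HTTPS from anywhere, SSH only from the admin address
# and the office prefix list, all outbound allowed. Responses to inbound
# requests need no extra rule because security groups are stateful.
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Web tier"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTP from the Internet"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "HTTPS from the Internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "SSH from the admin address only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  ingress {
    description     = "SSH from office ranges, one rule for the whole list"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    prefix_list_ids = [aws_ec2_managed_prefix_list.office.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Database tier: only members of the web security group may reach 3306.
# No CIDR appears here, so the database is unreachable from the Internet
# whatever public address a web instance happens to have.
resource "aws_security_group" "db" {
  name        = "db-sg"
  description = "Database tier"
  vpc_id      = var.vpc_id

  ingress {
    description     = "MySQL from web-tier instances"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
}
```

Two things worth checking before applying this. The database group deliberately has no egress block: with Terraform's aws_security_group resource that removes the allow-all outbound rule AWS creates by default, and the database still answers the web tier because return traffic is permitted statefully. And because the rule on db-sg names a security group rather than a range, attaching web-sg to a new instance grants it database access automatically, so membership of web-sg should be reviewed as carefully as the rules themselves.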