Security via Security Groups Flashcards
What are Security Groups?
How are Security Groups defined in the context of Amazon EC2?
Explain the purpose and characteristics of Security Groups.
Summarize the significance of using Security Groups in AWS.
Answer: Security Groups in Amazon EC2 are virtual firewalls that control inbound and outbound traffic for instances. They act as a set of rules that regulate traffic based on protocols, ports, and source/destination IP addresses. Security Groups are associated with EC2 instances and provide a crucial layer of network security.
Real world Use-Case: Consider a web application hosted on EC2 instances. Security Groups can be configured to allow incoming HTTP traffic on port 80 while restricting access to other ports, ensuring a secure and controlled network environment.
Security Groups serve as a fundamental element in controlling network traffic to and from EC2 instances, allowing users to define rules that govern the communication based on their security requirements.
The use of Security Groups is integral to securing EC2 instances by controlling inbound and outbound traffic. By defining rules within Security Groups, users can enforce a robust network security policy, helping protect instances from unauthorized access on the AWS cloud.
True/False
Is it possible for an EC2 instance to be associated with multiple Security Groups?
Explain the concept of associating EC2 instances with multiple Security Groups.
Summarize the implications and benefits of attaching an instance to multiple Security Groups in AWS.
True
Answer: Yes, in Amazon EC2, an instance can indeed be attached to multiple Security Groups simultaneously. This flexibility allows users to define diverse sets of rules for inbound and outbound traffic by associating an instance with different Security Groups.
Real world Use-Case: Consider a scenario where an EC2 instance serves as both a web server and a database server. By associating it with separate Security Groups for web traffic and database communication, users can implement specific rules for each role, enhancing security and control.
The ability to associate an EC2 instance with multiple Security Groups provides granularity in defining security rules for different aspects of an instance’s functionality, allowing for a more tailored and secure network configuration.
Attaching an instance to multiple Security Groups is a powerful feature that enables users to implement fine-grained security controls for diverse workloads and functionalities within a single EC2 instance on the AWS cloud.
What is an Elastic IP and Private IP?
How are Elastic IP and Private IP defined in the context of Amazon EC2?
Explain the purpose and characteristics of Elastic IP and Private IP.
Summarize the significance of using Elastic IP and Private IP in AWS.
Elastic IP:
- Definition: An Elastic IP (EIP) is a static IPv4 address designed for dynamic cloud computing. It is associated with an AWS account and can be quickly remapped to another EC2 instance.
- Purpose: EIPs are used to provide a consistent public IP address to an EC2 instance, allowing users to retain the same address even if the instance is stopped and restarted.
Private IP:
- Definition: A Private IP is an IP address that is used for communication within the local network of an EC2 instance. It is assigned by AWS and remains associated with the instance throughout its lifecycle.
- Purpose: Private IPs are utilized for internal communication between instances in the same Virtual Private Cloud (VPC). They provide a stable identifier for instances within the network.
Real world Use-Case: Imagine a web server (Elastic IP) communicating with a backend database (Private IP) within a VPC. The Elastic IP ensures consistent public access, while the Private IP facilitates secure and efficient internal communication.
Elastic IP is focused on providing a static public IP for external communication, while Private IP is used for internal communication within the VPC, ensuring secure and stable connections between instances.
Elastic IP and Private IP are crucial components in managing network communication for EC2 instances. Elastic IP ensures consistency for external access, while Private IP facilitates secure internal communication within the AWS environment.
True/False
1. You have limited number of elastic IPs in AWS account for use. How many if so ?
2. Can you request AWS for the increase of elastic IPs
3. Using Elastic IPs is a good practice.
4. We can use private network for doing SSH into our EC2 machines
5. By default your EC2 instance comes with private IP for internal AWS network and public IP for the WWW.
- True, limit is 5
- True
- False, Avoid using elastic IP rather use:
a. Public IP and register a DNS name to it.
b. Use a load balancer. - False, Because we are not in the same network we can not use private IP, we can only use the public IP
Placement Groups & Partion
Pros & Cons
Describe different placement group partitioning strategies.
(Think about On-prem server racks and its designing)
Upto 7 partitions per AZ
-
Cluster; Instances into low latency group in a single AZ. (Big Data jobs that need to complete fast with low latency & high network throughput)
* Pros: Great network
* Con: If a rack fails all instances fail at the same time -
Spread; Instances spread across a single hardware. (Critical applications that need high availability and instances need to isolate from each other’s failure)
* Pros: Reduces risk of simultaneous failure.
* Cons: Limited 7 instances per AZ per PG. -
Partition; spreads instances across many different partitions within an AZ. (Hadoop, kafka )
* Can span up to 100s of EC2 instances across multiple AZs in the same region.
* A partition failure can affect many EC2 but won’t affect other partitions
* EC2 instances get access to the partition info as metadata
PGPS helps to drive control over the EC2 instance placement strategy.
Limited 7 instances per AZ per PG applies to all
ENI (Elastic Network Interface)
What is the role of ENI
Can I make an ENI on the fly ?
Explain the purpose and characteristics of an ENI.
Answer: An Elastic Network Interface (ENI) is a virtual network interface that can be attached to an Amazon EC2 instance in a Virtual Private Cloud (VPC). ENIs allow instances to communicate with the internet and other resources, and they can have multiple private and public IP addresses.
Real world Use-Case: Consider a scenario where a single EC2 instance needs to serve multiple purposes, such as hosting a web server and a database. By attaching additional ENIs, each with its own set of IP addresses, the instance can fulfill distinct roles with separate network configurations.
ENIs provide flexibility in defining the network configuration of EC2 instances. They enable instances to have multiple network interfaces, each serving specific purposes and facilitating diverse network communication scenarios.
Yes, you can attach multiple ENIs to an instance on the fly.
Its bound to a specific Availability Zone.
The use of ENIs is essential for configuring the networking aspects of EC2 instances in a VPC. ENIs enable instances to have multiple network interfaces with distinct IP addresses, enhancing their versatility and facilitating various network communication requirements on the AWS cloud.
