Secure Communication Between Web and Database Servers
Question
Your current architecture consists of a set of web servers spun up as part of an Autoscaling group.
These web servers then communicate with a set of database servers.
You need to ensure that the database servers' security groups are set properly to accept traffic from the web servers.
Which of the following is the best way to accomplish this?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - C.
The below example from the AWS Documentation also shows the Source of the database security group involving the web server security groups' ID.Options A and B are invalid or not the best practice.
Since they are part of the Autoscaling Group, the IP addresses of the instances can change.
Option D is incorrect since normally you don't specify the Instance ID in Security Groups.
For more information on the Security Groups for the VPC, please refer to the below URL-
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
In this scenario, you have a set of web servers that are part of an Auto Scaling group and communicate with a set of database servers. The task is to ensure that the database servers' security groups are set properly to accept traffic from the web servers.
To achieve this, we need to understand the concept of security groups in AWS. A security group acts as a virtual firewall that controls inbound and outbound traffic for one or more instances. In AWS, security groups are stateful, which means that any traffic that is allowed to flow in is automatically allowed to flow out.
Now let's analyze the given options:
A. Ensure that the Private IP addresses of the web servers are put as sources for the incoming rules in the database server security group.
This option is not a good approach because the IP addresses of the instances within an Auto Scaling group may change dynamically, making it difficult to maintain the security group rules.
B. Ensure that the Public IP addresses of the web servers are put as sources for the incoming rules in the database server security group.
This option is also not a good approach because the public IP addresses of the web servers can change each time the instances are launched, and using public IP addresses is less secure.
C. Ensure that the web server security group is placed as the source for the incoming rules in the database server security group.
This option is the correct approach. By placing the web server security group as the source for the incoming rules in the database server security group, you allow any instance that is part of the web server security group to communicate with the database server. This is a better approach because it is based on the group membership and is independent of the IP addresses of the instances.
D. Ensure that the Instance ID of the web servers are put as sources for the incoming rules in the database server security group.
This option is not a good approach because the instance IDs can also change when the Auto Scaling group scales up or down.
In conclusion, the best way to accomplish this task is to ensure that the web server security group is placed as the source for the incoming rules in the database server security group.