Securing Your AWS 2-Tier Application with Security Groups

Web Server and Database Server Security Group Rules for AWS 2-Tier Application

Question

You have a 2-tier application hosted in AWS.

It consists of a web server and database server (SQL Server) hosted on separate EC2 Instances.

You are devising the security groups for these EC2 Instances.

The Web tier needs to be accessed by users across the Internet.

You have created a web security group (wg-123) and a database security group (db-345).

Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.

Options

A. wg-123: Allow ports 80 and 443 from 0.0.0.0/0
B. db-345: Allow port 1433 from wg-123
C. wg-123: Allow port 1433 from wg-123
D. db-345: Allow port 1433 from 0.0.0.0/0

Explanations

Answer: A and B.

Option A is CORRECT because the web security group (wg-123) should allow inbound traffic on ports 80 and 443 (HTTP and HTTPS for the web application) from all users across the internet.

Option B is CORRECT because the database security group (db-345) should allow inbound traffic on port 1433 (SQL Server) from the web security group (wg-123).

Option C is incorrect because it is not a valid configuration for this scenario: it opens port 1433 on the web security group to itself, which does not give the web tier access to the database.

Option D is incorrect because, as a security best practice, database access should not be allowed from the internet (0.0.0.0/0).

For more information on Security Groups, please visit the below URL:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

The correct answers are A and B.

Explanation:

Security groups act as virtual firewalls controlling inbound and outbound traffic to and from Amazon EC2 instances. Each security group can be associated with one or more Amazon EC2 instances, and each instance can be associated with multiple security groups. Security groups allow you to specify which traffic is allowed to reach your instances.

In this scenario, we have a two-tier application with a web server and a database server. The web server needs to be accessed by users across the internet, and the database server should only be accessible from the web server. We have created two security groups: wg-123 for the web server and db-345 for the database server.

Option A (wg-123: allow ports 80 and 443 from 0.0.0.0/0). This option allows incoming traffic on ports 80 (HTTP) and 443 (HTTPS) from any IP address. This is required for the web server to be accessible from the internet.

Option B (db-345: allow port 1433 from wg-123). This option allows incoming traffic on port 1433 (SQL Server) from the security group wg-123. This is required to allow the web server to access the database server.

Option C (wg-123: allow port 1433 from wg-123). This option allows incoming traffic on port 1433 (SQL Server) into the web security group from that same group. It is not required in this scenario: the database server should only be accessible from the web server, and a rule on wg-123 does nothing to permit that.

Option D (db-345: allow port 1433 from 0.0.0.0/0). This option allows incoming traffic on port 1433 (SQL Server) from any IP address. This is not recommended since it exposes the database server to the entire internet, which is a security risk.

Therefore, options A and B are the correct answers.
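As an added example (not part of the original question or its explanation), the following Python audits two security groups, given in the shape returned by `aws ec2 describe-security-groups`, against the criteria above: the web group must admit 80 and 443 from the internet, the database group must admit 1433 only from the web group, and no CIDR source may reach 1433. The group IDs reuse the question's labels (wg-123, db-345) and the rule data is constructed; real group IDs look like sg-0123abcd.

```python
# Added example, not from the original page: audit two security groups in the
# shape returned by `aws ec2 describe-security-groups` (IpPermissions with
# IpRanges / UserIdGroupPairs). IDs reuse the question's labels; real IDs look
# like sg-0123abcd. All sample data below is constructed.
WEB_PORTS = (80, 443)
SQL_PORT = 1433
ANYWHERE = "0.0.0.0/0"

def tcp_rule(port, cidrs=(), source_groups=()):
    """Build one inbound IpPermission entry for a single TCP port."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in source_groups]}

def covers(perm, port):
    """True if the permission entry includes `port` (all-traffic rules count)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit_two_tier(groups, web_id, db_id):
    """Return findings for the web/database pattern; an empty list means secure and functional."""
    perms = {g["GroupId"]: g["IpPermissions"] for g in groups}
    web, db, findings = perms[web_id], perms[db_id], []
    # Functional: the web tier must accept HTTP and HTTPS from the internet (option A).
    for port in WEB_PORTS:
        if not any(covers(p, port) and any(r["CidrIp"] == ANYWHERE for r in p["IpRanges"]) for p in web):
            findings.append(f"{web_id}: port {port} is not open to {ANYWHERE}")
    # Functional: the database must accept SQL Server traffic from the web group (option B).
    if not any(covers(p, SQL_PORT) and any(g["GroupId"] == web_id for g in p["UserIdGroupPairs"]) for p in db):
        findings.append(f"{db_id}: port {SQL_PORT} is not allowed from {web_id}")
    # Secure: the database port must not be reachable from any CIDR range (option D).
    for p in db:
        for r in p["IpRanges"]:
            if covers(p, SQL_PORT):
                findings.append(f"{db_id}: port {SQL_PORT} is open to CIDR {r['CidrIp']}")
    return findings

# Options A + B: secure and functional.
SECURE = [
    {"GroupId": "wg-123", "IpPermissions": [tcp_rule(80, cidrs=[ANYWHERE]), tcp_rule(443, cidrs=[ANYWHERE])]},
    {"GroupId": "db-345", "IpPermissions": [tcp_rule(SQL_PORT, source_groups=["wg-123"])]},
]
# Options A + D: the web tier works, but the database is exposed to the whole internet.
EXPOSED = [
    SECURE[0],
    {"GroupId": "db-345", "IpPermissions": [tcp_rule(SQL_PORT, cidrs=[ANYWHERE])]},
]
```

Feeding the real `SecurityGroups` list from `describe-security-groups` output into `audit_two_tier` turns the exam criteria into a repeatable check.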