While studying for AWS I came across the following scenario question:
You have a business-to-business web application running in a VPC that consists of an Application Load Balancer (ALB), application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers
Options:
A. Configure web server VPC security groups to allow traffic from your customers’ IPs
B. Configure your web servers to filter traffic based on the ALB’s "X-forwarded-for" header
C. Configure your web servers to filter traffic based on the ALB’s "Proxy Protocol" header
D. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
E. Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
Correct answers
B. Configure your web servers to filter traffic based on the ALB’s "X-forwarded-for" header
D. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
My question is: why is E not accepted here?
Many thanks, and thank you for the insight.
This differs from security groups, which are stateful by nature and do not need an explicit allow for the ephemeral ports.
For further reading, in case I have not explained it well here, search for "stateless" in the document below for a better understanding:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
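To make the stateless-versus-stateful point above concrete, here is an added Python simulation (not from the original thread or from AWS) of how a NACL and a security group each evaluate the two halves of one HTTPS connection. The customer range, server address and port numbers are constructed for the example; option E's rule set is modelled as "allow inbound 443 from customers, no outbound allow", option D's as a stateful group with the same inbound rule.

```python
from ipaddress import ip_address, ip_network

# Constructed values for the example: one customer range and one TCP flow.
CUSTOMER_NETS = [ip_network("203.0.113.0/24")]
REQUEST = {"src": "203.0.113.10", "sport": 51000, "dst": "10.0.1.5", "dport": 443}
RESPONSE = {"src": "10.0.1.5", "sport": 443, "dst": "203.0.113.10", "dport": 51000}

def matches(cidrs, ip, port, want_port):
    return any(ip_address(ip) in net for net in cidrs) and port == want_port

class StatelessNACL:
    """Option E: every packet is judged on its own against the rules for its
    direction. The server's reply must match an outbound rule (normally one
    covering ephemeral ports 1024-65535); with none present it is dropped."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, direction, pkt):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt["src"] if direction == "in" else pkt["dst"]
        for cidrs, port in rules:
            if matches(cidrs, remote, pkt["dport"], port):
                return True
        return False  # implicit deny at the end of every NACL

class StatefulSG:
    """Option D: a security group tracks connections, so the reply to an
    inbound-permitted request is allowed even with no outbound rule at all."""
    def __init__(self, inbound):
        self.inbound, self.tracked = inbound, set()

    def allows(self, direction, pkt):
        if direction == "in":
            ok = any(matches(c, pkt["src"], pkt["dport"], p) for c, p in self.inbound)
            if ok:
                self.tracked.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return ok
        # outbound: allowed only as the return half of a tracked flow
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.tracked

def evaluate_option_e():
    nacl = StatelessNACL(inbound=[(CUSTOMER_NETS, 443)], outbound=[])
    return nacl.allows("in", REQUEST), nacl.allows("out", RESPONSE)

def evaluate_option_d():
    sg = StatefulSG(inbound=[(CUSTOMER_NETS, 443)])
    return sg.allows("in", REQUEST), sg.allows("out", RESPONSE)

if __name__ == "__main__":
    print("NACL, option E (request, response):", evaluate_option_e())  # (True, False)
    print("SG, option D (request, response):", evaluate_option_d())    # (True, True)
```

The request passes both filters, but under option E the response is dropped by the NACL's implicit outbound deny, which is why a NACL needs an outbound allow for the ephemeral port range while a security group does not.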