2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
What are the secure ways to set up private network interconnection between Linux instances? This question comes up often in daily study and work. The reference material below is what the editor has collected; let's take a look.
Common methods for securely interconnecting private network instances
A security group is an instance-level firewall. To keep instances secure, follow the principle of least privilege when writing security group rules: allow only the peers, protocols and ports an instance actually needs. The four methods below each set up private network interconnection between instances without granting more than that.
Method 1. Authorization using a single IP address
Applicable scenario: private network interconnection between a small number of instances.
Advantages: authorizing by IP address keeps the security group rules explicit and easy to read.
Disadvantages: with many interconnected instances you run into the limit of 100 rules per security group, and maintaining one rule per peer is a heavy workload later on.
Setting method:
Select the instances that need to be interconnected, and enter the security group of this instance.
Select the security group you want to configure, and click configure rules.
Click the intranet inbound direction, and click Add Security Group Rule.
Add a security group rule as described below:
Authorization policy: allow
Protocol type: select the protocol type according to your actual needs
Port range: set the port range according to your actual needs, in the format "start port/end port"
Authorization type: address segment access
Authorization object: enter the private network IP address of the peer instance in the form a.b.c.d/32. The mask must be /32, so that the rule matches exactly one host and not a whole segment.
Method 2. Join the same security group
Applicable scenario: if your application architecture is simple, bind all instances to the same security group. Instances bound to the same security group can reach each other by default, so no special rules are needed between them.
Advantages: the security group rules stay clear.
Disadvantages: suitable only for a simple network architecture; the authorization has to be redone whenever the architecture changes.
Method 3. Bind an interconnection security group
Applicable scenario: add a security group used only for interconnection to the instances that need to talk to each other. This suits multi-tier application architectures.
Advantages: easy to operate, quickly establishes interconnection between instances, and works for complex network architectures.
Disadvantages: each instance must be bound to more than one security group, and the resulting rule set is harder to read.
Setting method:
Create a new security group named "interconnection security group". Do not add any rules to it.
Bind the new "interconnection security group" to every instance that needs interconnection. The default interconnection between instances in the same security group then provides private network connectivity between them.
Method 4. Mutual trust authorization of security groups
Applicable scenario: if your network architecture is complex and the applications on different instances have different business roles, let security groups authorize each other.
Advantages: the security group rules are clearly structured and readable, and authorization works across accounts.
Disadvantages: configuring the security group rules is a heavy workload.
Setting method:
Select the instance for which mutual trust needs to be established and enter the security group of this instance.
Select the security group you want to configure, and click configure rules.
Click the intranet inbound direction, and click Add Security Group Rule.
Add a security group rule as described below:
Authorization policy: allow
Protocol type: select the protocol type according to your actual needs
Port range: set according to actual demand
Authorization type: security group access
Authorization object:
Same-account authorization: enter the ID of the security group bound to the peer instance that needs private network interconnection.
Cross-account authorization: enter the ID of the peer instance's security group as the authorization object, and the peer's account ID as the account ID (the account ID can be found under Account Management > Security Settings).
Suggestion
If an existing security group grants too much, tighten its scope with the following process.
"Delete 0.0.0.0" refers to deleting the original security group rule that allows the 0.0.0.0/0 address segment, that is, any source address.
Changing security group rules incorrectly can break communication between your instances. Back up the rules you are about to change before modifying them, so that you can restore them quickly if interconnection problems appear.
A security group maps the role an instance plays in the application architecture, so plan firewall rules around that architecture. For example, a typical three-tier web application can use three security groups, with each instance bound to the group of the tier whose application or database it hosts:
Web layer security group: open port 80
APP layer security group: open port 8080
DB layer security group: open port 3306.
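The following is an added worked example, not code from the original article or from any cloud provider's SDK. It models security group rules in the form the article uses and exercises the points above in one place: Method 1's /32 address-segment rules, Method 4's security-group references including cross-account ones, the default interconnection inside a shared group (Methods 2 and 3), the suggestion to replace a 0.0.0.0/0 rule with per-peer /32 rules, and the three-tier web/app/db plan. All security group IDs, account IDs and addresses are constructed; the "-1/-1" all-ports convention and the internal load balancer address for the web tier are assumptions.

```python
"""Model of instance-level security groups for private-network interconnection.
Added example, not code from the original article or from any cloud SDK: the
rule fields mirror the article (policy allow, protocol, port range "start/end",
authorization object = a.b.c.d/32 address segment or a security group ID, plus
a peer account ID for cross-account authorization). All IDs, account numbers
and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

MAX_RULES_PER_GROUP = 100  # per-group rule limit cited by the article


@dataclass(frozen=True)
class Rule:
    """One intranet inbound 'allow' rule of a security group."""
    protocol: str               # "tcp", "udp", "icmp" or "all"
    port_range: str             # "start/end", e.g. "3306/3306"; "-1/-1" = all ports (assumed convention)
    source_cidr: str = ""       # address-segment access (method 1)
    source_group: str = ""      # security-group access (method 4)
    source_account: str = ""    # peer account ID; empty = same account

    def ports(self):
        start, end = (int(p) for p in self.port_range.split("/"))
        if (start, end) == (-1, -1):
            return range(0, 65536)
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"bad port range {self.port_range!r}")
        return range(start, end + 1)


@dataclass
class SecurityGroup:
    sg_id: str
    account: str
    inbound: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: list   # SecurityGroup objects bound to this instance


def lint(sg):
    """Least-privilege findings for one group: rule count, /32 masks, no 0.0.0.0/0."""
    findings = []
    if len(sg.inbound) > MAX_RULES_PER_GROUP:
        findings.append(f"{sg.sg_id}: {len(sg.inbound)} rules exceed the limit of {MAX_RULES_PER_GROUP}")
    for r in sg.inbound:
        r.ports()  # raises on a malformed "start/end" range
        if r.source_cidr:
            net = ipaddress.ip_network(r.source_cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{sg.sg_id}: {r.protocol} {r.port_range} open to 0.0.0.0/0")
            elif net.prefixlen != net.max_prefixlen:
                findings.append(f"{sg.sg_id}: {r.source_cidr} is a segment, not a /32 host")
        elif not r.source_group:
            findings.append(f"{sg.sg_id}: rule without an authorization object")
    return findings


def allowed(src, dst, protocol, port):
    """Does intranet traffic src -> dst on protocol/port pass dst's security groups?"""
    src_ids = {g.sg_id for g in src.groups}
    src_ip = ipaddress.ip_address(src.private_ip)
    for sg in dst.groups:
        if sg.sg_id in src_ids:       # default interconnection inside one group (methods 2, 3)
            return True
        for r in sg.inbound:
            if r.protocol not in ("all", protocol) or port not in r.ports():
                continue
            if r.source_cidr and src_ip in ipaddress.ip_network(r.source_cidr, strict=False):
                return True
            if r.source_group:        # mutual-trust authorization, same or peer account
                owner = r.source_account or sg.account
                if any(g.sg_id == r.source_group and g.account == owner for g in src.groups):
                    return True
    return False


def tighten(sg, protocol, port_range, peers):
    """The article's suggestion: replace a 0.0.0.0/0 rule by one /32 rule per known peer.
    Returns the number of over-broad rules removed."""
    broad = [r for r in sg.inbound
             if r.source_cidr == "0.0.0.0/0" and r.protocol == protocol and r.port_range == port_range]
    sg.inbound = [r for r in sg.inbound if r not in broad]
    sg.inbound += [Rule(protocol, port_range, source_cidr=f"{p.private_ip}/32") for p in peers]
    return len(broad)


def three_tier_plan(account="1234567890123456"):
    """The article's three-tier plan: web 80, app 8080, db 3306, each tier reachable
    only from the tier in front of it. The web tier's source is an assumed internal
    load balancer address (constructed, method 1); the other two tiers use method 4."""
    sg_web = SecurityGroup("sg-web", account, [Rule("tcp", "80/80", source_cidr="10.0.0.10/32")])
    sg_app = SecurityGroup("sg-app", account, [Rule("tcp", "8080/8080", source_group="sg-web")])
    sg_db = SecurityGroup("sg-db", account, [Rule("tcp", "3306/3306", source_group="sg-app")])
    return {
        "web": Instance("web-1", "10.0.1.11", [sg_web]),
        "app": Instance("app-1", "10.0.2.11", [sg_app]),
        "db": Instance("db-1", "10.0.3.11", [sg_db]),
    }


if __name__ == "__main__":
    tiers = three_tier_plan()
    for name, inst in tiers.items():
        print(name, lint(inst.groups[0]))
    print("web->app:8080", allowed(tiers["web"], tiers["app"], "tcp", 8080))
    print("web->db:3306 ", allowed(tiers["web"], tiers["db"], "tcp", 3306))
```

Run it and the three-tier groups lint clean, the web tier reaches the app tier on 8080 but not the database on 3306, and calling `tighten` on a group that has port 22 open to 0.0.0.0/0 leaves only /32 rules for the named peers. The `allowed` check is the one to run before and after any rule change, against the backup the article tells you to take, to confirm the paths you rely on still work.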
Thank you for reading! After reading the above, do you have a general understanding of how to set up secure private network interconnection between Linux instances? I hope the content of the article has been helpful. If you want to read more articles on related topics, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.