
I was doing the question in the image below and the right answer blew my mind:

In my opinion, putting the ALB IP address would work, but the correct answer to the question suggests that I should put the ALB in a security group and tell the target instance that the ALB's security group is the source.

Why?
Is it related to the fact that the target instance is inside a VPC?

I answered the question thinking that just putting the ALB IP as the source would be the correct answer.

2 Answers


  1. Whitelisting the VPC CIDR would effectively mean whitelisting the entire IP range defined by the CIDR, which could possibly include resources other than the load balancer.

    Since the question is asking how to ensure that only traffic coming from the load balancer is allowed, then the right answer is indeed allowing the security group associated with the load balancer.

  2. First, 192.168.0.0/10 is not the ALB IP Address, but rather the CIDR block of the entire VPC.

    Second, even if the actual ALB IP address were among the answers, it wouldn’t be the best answer. The docs explain why:

    The IP addresses for Classic Load Balancers and Application Load Balancers change over time. Avoid using this information to statically configure your applications to point to these IP addresses.

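The point both answers make, as an added example that is not from the question author or either answerer: a CIDR source such as 192.168.0.0/10 admits every address in that range (the whole VPC in the question), whereas a source-group reference admits only the network interfaces that carry the ALB's security group, whatever IPs they happen to have. The audit function below takes ingress rules in the shape boto3's describe_security_groups returns under IpPermissions and flags rules that cannot express "ALB only". The security group ID and the sample rule sets are constructed for this example; in a real account they would come from the describe call.

```python
import ipaddress

# Constructed sample values (assumptions for this example, not real IDs).
# 192.168.0.0/10 is the CIDR the question shows as the "ALB IP".
ALB_SG_ID = "sg-0alb00000000example"   # hypothetical security group on the ALB
VPC_CIDR = "192.168.0.0/10"

# The weak configuration: whitelist the VPC CIDR on the target instance.
WEAK_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "192.168.0.0/10"}],
     "UserIdGroupPairs": []},
]

# The corrected configuration: reference the ALB's security group as source.
HARDENED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
]


def addresses_covered(cidr: str) -> int:
    """Number of addresses a CIDR source admits (how broad the whitelist is)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def audit_alb_only_ingress(rules, alb_sg_id: str, vpc_cidr: str) -> list:
    """Return findings for ingress rules that are meant to admit only the ALB.

    A CIDR source overlapping the VPC admits every interface in that range,
    not just the load balancer; only a source-group reference to the ALB's
    security group tracks the ALB's changing addresses and nothing else.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    findings = []
    references_alb = False
    for rule in rules:
        where = f"{rule.get('IpProtocol')}/{rule.get('FromPort')}-{rule.get('ToPort')}"
        for entry in rule.get("IpRanges", []):
            net = ipaddress.ip_network(entry["CidrIp"], strict=False)
            if net.overlaps(vpc):
                findings.append(
                    f"{where}: CIDR source {net} admits {net.num_addresses} "
                    f"addresses inside the VPC, not only the ALB")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == alb_sg_id:
                references_alb = True
            else:
                findings.append(
                    f"{where}: source group {pair.get('GroupId')} is not the ALB's")
    if not references_alb:
        findings.append("no rule references the ALB's security group as the source")
    return findings


if __name__ == "__main__":
    print("weak:", audit_alb_only_ingress(WEAK_RULES, ALB_SG_ID, VPC_CIDR))
    print("hardened:", audit_alb_only_ingress(HARDENED_RULES, ALB_SG_ID, VPC_CIDR))
    print("addresses admitted by 192.168.0.0/10:", addresses_covered(VPC_CIDR))
```

Running the weak rule set through the audit produces two findings: the /10 source admits over four million addresses inside the VPC, and no rule names the ALB's security group at all. The hardened rule set produces none.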