
A retail website is deployed on an ECS cluster - in a private subnet - behind an ELB Application Load Balancer (ALB). What is the best method to ensure that the requests to the ECS cluster are coming from the ALB only?

A. Configure the inbound rule of ECS security group to accept requests only from ALB security Group.
B. Configure the inbound rule of ECS security group to deny requests from resources other than ALB.
C. Configure the inbound rule of ECS security group to accept requests only from the IP address of the ALB.
D. Create network ACL rules for the private subnet to accept requests only from the IP address of the ALB.

My question is: What's the difference between A and C? Why is A the right answer? Thanks!

John Rotenstein
Rock Snow

1 Answer


The configuration would be:

  • A Security Group on the Load Balancer (LB-SG) that allows inbound traffic (e.g. on port 80/443)
  • A Security Group on the ECS cluster (ECS-SG) that permits inbound access from LB-SG

By referring to LB-SG, any resource supporting the Load Balancer will be permitted to send traffic to the ECS cluster. There is no need to update configurations when the Load Balancer adds/removes additional AZs or expands to handle additional traffic.

Thus, A would be the most correct answer.

John Rotenstein
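As an added illustration (not part of the answer above or any AWS library), the following Python models the two candidate ECS-SG rule sets in the shape that boto3's `ec2.describe_security_groups()` returns and evaluates them offline: option A (reference LB-SG by ID) keeps admitting traffic when the load balancer adds a node with a new address, while option C (pin the ALB's current IPs) both stops working for the new node and keeps admitting whatever later holds a recycled address. The security group IDs, account ID, addresses and container port 8080 are constructed placeholders; no AWS calls are made.

```python
"""Offline comparison of 'allow from LB-SG' vs 'allow from the ALB's IPs'
for an ECS task security group.  Data is constructed to mirror the
IpPermissions structure returned by ec2.describe_security_groups()."""
import ipaddress

# Constructed placeholder IDs (not real resources).
LB_SG = "sg-0lbplaceholder"
ECS_SG = "sg-0ecsplaceholder"
ACCOUNT = "123456789012"

# Option A: ECS-SG ingress references the load balancer's security group.
ECS_SG_BY_REFERENCE = {
    "GroupId": ECS_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": LB_SG, "UserId": ACCOUNT}]},
    ],
}

# Option C: ECS-SG ingress pins the ALB node addresses seen at one moment.
ECS_SG_BY_IP = {
    "GroupId": ECS_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.1.17/32"}, {"CidrIp": "10.0.2.41/32"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def rule_covers_port(perm, proto, port):
    """IpProtocol '-1' means all traffic; otherwise match protocol and port range."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def permits(sg, src_sg_id, src_ip, port, proto="tcp"):
    """Security groups are allow-lists: traffic is admitted if any rule matches
    either the sender's security group or the sender's address."""
    addr = ipaddress.ip_address(src_ip)
    for perm in sg["IpPermissions"]:
        if not rule_covers_port(perm, proto, port):
            continue
        if any(p["GroupId"] == src_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
        for r in perm.get("IpRanges", []):
            if addr in ipaddress.ip_network(r["CidrIp"]):
                return True
        for r in perm.get("Ipv6Ranges", []):
            if addr in ipaddress.ip_network(r["CidrIpv6"]):
                return True
    return False


def audit_only_from(sg, allowed_sg_id):
    """Return findings for any ingress source other than allowed_sg_id.
    An empty list means the group matches option A."""
    findings = []
    for perm in sg["IpPermissions"]:
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']}: breaks when ALB nodes change address")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"CIDR source {r['CidrIpv6']}: breaks when ALB nodes change address")
        for r in perm.get("PrefixListIds", []):
            findings.append(f"prefix list source {r['PrefixListId']}: not the ALB security group")
        for p in perm.get("UserIdGroupPairs", []):
            if p["GroupId"] != allowed_sg_id:
                findings.append(f"security group source {p['GroupId']}: not the ALB security group")
    if not any(perm.get("UserIdGroupPairs") for perm in sg["IpPermissions"]):
        findings.append("no rule references the ALB security group")
    return findings


if __name__ == "__main__":
    # The ALB scales out and a new node appears at a constructed address 10.0.3.99.
    for name, sg in (("A (by reference)", ECS_SG_BY_REFERENCE), ("C (by IP)", ECS_SG_BY_IP)):
        print(name, "findings:", audit_only_from(sg, LB_SG) or "none")
        print("  existing ALB node 10.0.1.17 ->", permits(sg, LB_SG, "10.0.1.17", 8080))
        print("  new ALB node 10.0.3.99      ->", permits(sg, LB_SG, "10.0.3.99", 8080))
        print("  other SG holding 10.0.1.17  ->", permits(sg, "sg-0other", "10.0.1.17", 8080))
```

Running the script shows the two failure modes of option C side by side: the new ALB node is refused, and a resource in a different security group that later receives the recycled address 10.0.1.17 is admitted. Option A has neither problem and needs no change as the load balancer scales or adds Availability Zones, which is the point the answer makes. The `audit_only_from` check is also a reasonable periodic control to run against real `describe_security_groups()` output for the task security group.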