Securing Web Server on AWS VPC with Management Network

Securing Web Server on a Single EC2 Instance of AWS VPC


Question

An organization is planning to set up a management network on the AWS VPC.

The organization is trying to secure the web server on a single EC2 instance of VPC such that it allows internet traffic and back-end management traffic.

The organization wants to make it so that the back-end management network interface can only receive SSH traffic from a selected IP range.

At the same time, the internet-facing web server will have an IP address that can receive traffic from all the internet IPs. How can the organization achieve this by running a web server on a single instance?

Answers

Explanations


Answer - B.

You can attach two ENIs (Elastic Network Interfaces) to the instance.

One ENI can be used to accept Internet traffic and the other can be used to interact with your instances in the private subnet.

Options A and D are invalid because a solution is possible.

Option C is incorrect because you should have two Elastic Network Interfaces, not two EC2 instances.

For more information on Elastic Network Interfaces, see the URL below:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

The organization can achieve the desired setup by creating two network interfaces on the single EC2 instance.

One network interface can be configured for the public-facing web server traffic that can receive traffic from all the internet IPs. The other network interface can be configured for the back-end management traffic, and it can be restricted to SSH traffic from a selected IP range.

To set up the two network interfaces, the organization can follow these steps:

  1. Create a VPC: The organization needs to create a VPC and configure it with public and private subnets.

  2. Launch an EC2 instance: The organization should launch an EC2 instance in the private subnet of the VPC.

  3. Create two network interfaces: After launching the EC2 instance, the organization should create two network interfaces and associate them with the EC2 instance.

  4. Configure the first network interface: The first network interface should be configured for the public-facing web server traffic. It should be assigned an Elastic IP address that can receive traffic from all the internet IPs. The security group for this network interface should allow HTTP and HTTPS traffic.

  5. Configure the second network interface: The second network interface should be configured for the back-end management traffic. It should be assigned a private IP address that is only accessible from the selected IP range. The security group for this network interface should allow SSH traffic only from the selected IP range.

  6. Configure the EC2 instance: The EC2 instance should be configured to use both network interfaces. It should also be configured to use the private IP address of the second network interface as the default gateway for all back-end traffic.

By following these steps, the organization can create a secure management network on the AWS VPC and allow internet traffic and back-end management traffic to the single EC2 instance.
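The security-relevant part of steps 4 and 5 is that the two interfaces carry different security groups: the web interface admits HTTP/HTTPS from anywhere, while the management interface admits SSH only from the selected range. The following added example (not from the original page or from AWS) encodes that intent as a policy and audits security-group ingress rules, in the `IpPermissions` shape that `aws ec2 describe-security-groups` returns, against it. The CIDR `203.0.113.0/24` stands in for the organization's selected management range and is a constructed placeholder, as are the rule sets.

```python
import ipaddress

# Constructed sample values; 203.0.113.0/24 is a documentation range used as
# a placeholder for the organization's "selected IP range".
MANAGEMENT_CIDR = "203.0.113.0/24"
ANY_IPV4 = "0.0.0.0/0"

# Intended policy per interface: TCP port -> widest CIDR allowed to reach it.
WEB_POLICY = {80: ANY_IPV4, 443: ANY_IPV4}   # public-facing ENI
MGMT_POLICY = {22: MANAGEMENT_CIDR}           # back-end management ENI

# Ingress rules in the IpPermissions shape used by
# `aws ec2 authorize-security-group-ingress` and describe-security-groups.
WEB_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_IPV4}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]},
]
MGMT_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": MANAGEMENT_CIDR}]},
]
# A misconfigured management group: SSH opened to the whole internet.
BAD_MGMT_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_IPV4}]},
]


def rule_ports(rule):
    """TCP ports a single IpPermissions entry opens ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return set(range(0, 65536))
    if rule["IpProtocol"] != "tcp":
        return set()
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def rule_cidrs(rule):
    """All IPv4 and IPv6 source ranges listed on the rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def cidr_within(cidr, allowed):
    """True if `cidr` is contained in (or equal to) `allowed`; mixed IP versions never match."""
    net = ipaddress.ip_network(cidr, strict=False)
    allowed_net = ipaddress.ip_network(allowed, strict=False)
    return net.version == allowed_net.version and net.subnet_of(allowed_net)


def audit_ingress(ingress, policy):
    """Return a list of human-readable findings; an empty list means the rules match the policy."""
    findings = []
    allowed_ports = set(policy)
    for rule in ingress:
        if rule["IpProtocol"] not in ("tcp", "-1"):
            findings.append(f"unexpected protocol {rule['IpProtocol']!r} on interface")
            continue
        ports = rule_ports(rule)
        extra = ports - allowed_ports
        if extra:
            findings.append(f"rule opens {len(extra)} port(s) outside policy, e.g. {min(extra)}")
        for port in sorted(ports & allowed_ports):
            for cidr in rule_cidrs(rule):
                if not cidr_within(cidr, policy[port]):
                    findings.append(f"port {port} reachable from {cidr}, wider than {policy[port]}")
    return findings


if __name__ == "__main__":
    for name, rules, policy in [("web", WEB_SG_INGRESS, WEB_POLICY),
                                ("mgmt", MGMT_SG_INGRESS, MGMT_POLICY),
                                ("bad-mgmt", BAD_MGMT_SG_INGRESS, MGMT_POLICY)]:
        print(name, audit_ingress(rules, policy) or "OK")
```

In practice the rule lists would come from `SecurityGroups[].IpPermissions` in the `describe-security-groups` output for the group attached to each ENI, so the audit can be re-run after any change to confirm that the management interface still admits SSH only from the selected range and nothing else.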