Secure Web Server Setup on AWS VPC
Question
An organization is planning to set up a management network on the AWS VPC.
The organization is trying to secure the web server on a single EC2 instance such that it allows the internet traffic and back-end management traffic.
The organization wants to ensure that the back-end management network interface can only receive SSH traffic from a selected IP range.
At the same time, the Internet-facing web server will have an IP address that can receive traffic from all the internet IPs.
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - B.
An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in a VPC.
Network interfaces are available only for instances running in a VPC.A network interface can include the following attributes.
A primary private IPv4 address.
One or more secondary private IPv4 addresses.
One Elastic IP address (IPv4) per private IPv4 address.
One public IPv4 address.
One or more IPv6 addresses.
One or more security groups.
A MAC address.
A source/destination check flag.
A description.
See an example below how the route table can be configured to allow the IP based access via multiple ENIs.
For more information on ENI, please refer to the below link.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
The organization wants to set up a management network on AWS VPC, and secure a web server on a single EC2 instance to allow internet traffic and back-end management traffic. The organization also wants to ensure that the back-end management network interface can only receive SSH traffic from a selected IP range while the Internet-facing web server can receive traffic from all internet IPs.
Option A: "It is not possible to have 2 IP addresses for a single instance." This statement is incorrect. It is possible to have multiple IP addresses for a single instance, using multiple network interfaces. Each network interface can have its own private IP address and public IP address.
Option B: "The organization should create 2 network interfaces, one for the internet traffic and the other for the backend traffic." This is the correct answer. To achieve the desired outcome, the organization should create two network interfaces for the EC2 instance, one for internet traffic and one for backend management traffic. The internet-facing network interface should have a public IP address and be associated with a security group that allows inbound traffic from all internet IPs. The backend management network interface should have a private IP address and be associated with a security group that allows inbound SSH traffic only from the selected IP range for back-end management.
Option C: "The organization should create 2 EC2 instances as this is not possible with one EC2 instance." This statement is incorrect. It is possible to create multiple network interfaces on a single EC2 instance, as mentioned in Option B. There is no need to create two separate EC2 instances.
Option D: "This is not possible." This statement is also incorrect. The desired outcome can be achieved by creating multiple network interfaces on a single EC2 instance, as mentioned in Option B.
In conclusion, the correct answer is Option B: The organization should create 2 network interfaces, one for the internet traffic and the other for the backend traffic.