Cloud Application Architectures by George Reese

Network Security

Amazon’s cloud has no perimeter. Instead, EC2 provides security groups: named sets of firewall-like rules that govern what traffic may reach the virtual servers belonging to that group. Although I often speak of security groups as if they were virtual network segments sitting behind a firewall, they are not network segments, for the following reasons:

  • Two servers in two different Amazon EC2 availability zones can operate in the same security group.

  • A server may belong to more than one security group.

  • Servers in the same security group may not be able to talk to each other at all.

  • Servers in the same security group need not share any IP characteristics; their addresses may come from entirely unrelated address blocks.

  • No server in EC2 can see the network traffic bound for other servers (this is not necessarily true for other cloud systems). If you try placing your virtual Linux server in promiscuous mode, the only network traffic you will see is traffic originating from or destined for your server.
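The following is an added example, not code from the book: a small Python model of the security-group behaviour the list above describes. Group membership is a set per instance (so a server can sit in several groups), every rule is an allow rule evaluated at the destination, the rules of all the destination's groups are unioned, and a rule's source is either a CIDR block or the name of another group. All names, addresses and ports are constructed for the illustration.

```python
"""Toy model of EC2-style security groups (added example; not the book's code)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One allow-only ingress rule: protocol, port, and a source that is
    either a CIDR block or the name of another security group."""
    proto: str
    port: int
    source: str


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset  # names of the groups this instance belongs to (may be several)


@dataclass
class Cloud:
    groups: dict = field(default_factory=dict)     # group name -> set of Rule
    instances: dict = field(default_factory=dict)  # instance name -> Instance

    def create_group(self, name):
        self.groups[name] = set()

    def authorize(self, group, proto, port, source):
        """Add an ingress allow rule. There are no deny rules; anything not
        explicitly allowed is dropped."""
        self.groups[group].add(Rule(proto, port, source))

    def launch(self, name, ip, groups):
        self.instances[name] = Instance(name, ip, frozenset(groups))

    def _resolve(self, src):
        """A launched instance looked up by name, or any other string taken
        as the address of an outside host with no group membership."""
        if src in self.instances:
            return self.instances[src]
        return Instance("external", src, frozenset())

    def _source_matches(self, rule, sender):
        # A CIDR source is matched against the sender's address; a group
        # source is matched against the sender's group membership, and the
        # sender's address plays no part in that match.
        if "/" in rule.source:
            return ipaddress.ip_address(sender.ip) in ipaddress.ip_network(rule.source)
        return rule.source in sender.groups

    def allowed(self, src, dst_name, proto, port):
        """Default deny. The rules of every group the destination belongs to
        are unioned; the traffic passes if any one of them matches."""
        sender = self._resolve(src)
        dst = self.instances[dst_name]
        return any(
            rule.proto == proto and rule.port == port and self._source_matches(rule, sender)
            for group in dst.groups
            for rule in self.groups[group]
        )


def build_example():
    """Two-tier layout with constructed (hypothetical) names and addresses."""
    cloud = Cloud()
    cloud.create_group("web")
    cloud.create_group("app")
    # The web tier is the only thing reachable from the Internet, on 80/443.
    cloud.authorize("web", "tcp", 80, "0.0.0.0/0")
    cloud.authorize("web", "tcp", 443, "0.0.0.0/0")
    # The app tier takes port 8080 only from members of the web group.
    cloud.authorize("app", "tcp", 8080, "web")
    # Same group, unrelated address ranges: membership says nothing about IP.
    cloud.launch("web1", "10.0.1.10", ["web"])
    cloud.launch("app1", "10.0.2.20", ["app"])
    cloud.launch("app2", "172.31.5.5", ["app"])
    # One server in two groups gets the union of both rule sets.
    cloud.launch("bastion", "192.168.9.9", ["web", "app"])
    return cloud


if __name__ == "__main__":
    c = build_example()
    internet = "203.0.113.7"  # constructed outside address
    print("internet -> web1:80   ", c.allowed(internet, "web1", "tcp", 80))    # True
    print("internet -> app1:8080 ", c.allowed(internet, "app1", "tcp", 8080))  # False
    print("web1 -> app1:8080     ", c.allowed("web1", "app1", "tcp", 8080))    # True
    # Same group, but no rule names that group as a source: members cannot talk.
    print("app1 -> app2:8080     ", c.allowed("app1", "app2", "tcp", 8080))    # False
    # A rule whose source is the group itself is what permits intra-group traffic.
    c.authorize("app", "tcp", 8080, "app")
    print("app1 -> app2:8080 now ", c.allowed("app1", "app2", "tcp", 8080))    # True
```

The app1-to-app2 case is the one worth remembering: two servers in the same group are still strangers to each other until a rule names that group (or their addresses) as a permitted source, which is exactly why a security group is a rule set rather than a segment.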

Firewall Rules

Typically, a firewall protects the perimeter of one or more network segments. Figure 5-2 illustrates how a firewall protects the perimeter.

Figure 5-2. Firewalls are the primary tool in perimeter security

A main firewall protects the outermost perimeter, allowing in only HTTP, HTTPS, and (sometimes) FTP[13] traffic. Within that network segment are border systems, such as load ...
