
I was doing the question in the image below and the right answer blew my mind.

In my opinion putting the ALB IP address would work, but the right answer suggests that I should put the ALB in a security group and tell the target instance that the ALB's security group is the source.

Why? Is it related to the fact that the target instance is inside a VPC?

I answered the question thinking that just putting the ALB IP as the source would be the correct answer.

  • Did my answer work for you? Commented Jan 10, 2023 at 22:30

2 Answers


First, 192.168.0.0/10 is not the ALB IP Address, but rather the CIDR block of the entire VPC.

Second, even if the actual ALB IP address were among the answers, it wouldn't be the best answer. The docs explain why:

The IP addresses for Classic Load Balancers and Application Load Balancers change over time. Avoid using this information to statically configure your applications to point to these IP addresses.



Whitelisting the VPC CIDR would effectively mean whitelisting the entire IP range defined by the CIDR, which could possibly include resources other than the load balancer.

Since the question is asking how to ensure that only traffic coming from the load balancer is allowed, then the right answer is indeed allowing the security group associated with the load balancer.
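As an added example (not part of either answer), here is a check a defender can run over the output of `describe-security-groups` to find instance groups whose application port is open to a CIDR range, or to some other group, instead of being referenced to the load balancer's security group. The group ids, the application port (80) and the sample response are constructed for illustration; the data shape follows the EC2 DescribeSecurityGroups output, so a saved real response can be substituted (an assumption on the reader's part, not something the answers cover).

```python
"""Audit EC2 security groups for the pattern discussed above: instances behind
a load balancer should accept the application port only from the load
balancer's security group, never from a CIDR range.

Constructed example. It works on the data shape returned by
ec2.describe_security_groups() (boto3) or `aws ec2 describe-security-groups`,
so it runs offline on a saved response; to run it live, replace
SAMPLE_RESPONSE with the real response (assumption: same shape).
"""
import ipaddress

APP_PORT = 80  # port the instances serve to the load balancer (assumed)

# Constructed sample in the DescribeSecurityGroups output shape; ids are placeholders.
ALB_SG = "sg-0aaaaaaaaaaaaaaa1"
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": ALB_SG,
            "GroupName": "alb-sg",
            "IpPermissions": [
                # The load balancer itself is public on 443.
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0bbbbbbbbbbbbbbb2",
            "GroupName": "app-sg-weak",
            "IpPermissions": [
                # Weak: the CIDR from the question admits every address in the range.
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "192.168.0.0/10"}], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0ccccccccccccccc3",
            "GroupName": "app-sg-good",
            "IpPermissions": [
                # Good: only interfaces that are members of the ALB's group.
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
            ],
        },
    ]
}


def covers_port(perm, port):
    """True if an IpPermissions entry applies to TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port fields
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_app_ingress(response, alb_sg_ids, port=APP_PORT):
    """Return one finding per ingress rule that lets anything other than the
    load balancer's security group reach `port` on an application group."""
    findings = []
    for sg in response["SecurityGroups"]:
        if sg["GroupId"] in alb_sg_ids:
            continue  # the load balancer's own group is expected to be public
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            # IPv4 and IPv6 CIDR sources: each admits a whole range, not one resource.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                n = ipaddress.ip_network(cidr, strict=False).num_addresses
                findings.append({
                    "group": sg["GroupId"], "name": sg["GroupName"], "source": cidr,
                    "reason": f"CIDR rule admits {n} addresses, not just the load balancer",
                })
            # Group references are the right mechanism, but only to the ALB's group.
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in alb_sg_ids:
                    findings.append({
                        "group": sg["GroupId"], "name": sg["GroupName"], "source": pair["GroupId"],
                        "reason": "references a security group that is not the load balancer's",
                    })
    return findings


if __name__ == "__main__":
    for f in audit_app_ingress(SAMPLE_RESPONSE, {ALB_SG}):
        print(f"{f['group']} ({f['name']}): {f['source']} -> {f['reason']}")
```

Run against the sample, only `app-sg-weak` is reported: its /10 rule admits over four million addresses, while `app-sg-good` is silent because its only source is the load balancer's group, which keeps working when the load balancer's addresses change.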
