10

This is the case:

  1. Instance X is able to connect to instance Y on TCP port 27017 (allowed by EC2 security group)
  2. X has mongo shell
  3. Y has MongoDB running, accepting connection from X on port 27017
  4. From X, use mongo shell to connect to DB instance on Y
  5. From this mongo shell session on X, query from Y and insert to Y. All is successful.
  6. Change security group of Y: remove the rule of port 27017 mentioned in #1
  7. X can still query from/insert to DB hosted on Y. This is not expected.
  8. Exit mongo shell session on X
  9. Try step 4 again and failed. This is normal and expected.

Expectation is that EC2 network firewall will terminate connections that violate the rules (the security group policies).

Could you please explain how #7 above happens? And how can that be avoided (so X cannot do anything to Y at that time)?

Thank you.

4

1 回答 1

9

期望 EC2 网络防火墙将终止违反规则的连接

你在这里做一个假设。这可能是您对它应该如何工作的期望,但是官方 AWS 文档中的哪个地方支持呢?我建议阅读文档,而不是对这将如何工作做出假设。

文档中

当您删除启用该流的安全组规则时,跟踪的现有流量可能不会中断。相反,当您或其他主机将流停止至少几分钟(或已建立的 TCP 连接最多 5 天)时,流会被中断。对于 UDP,这可能需要在流的远程端终止操作。如果删除或修改启用流量的规则,则未跟踪的流量会立即中断。例如,如果您删除允许所有入站 SSH 流量 (0.0.0.0/0) 到该实例的规则,那么您与该实例的现有 SSH 连接将立即断开。

如果您想确保在删除安全组规则时立即中断流量,您可以为您的子网使用网络 ACL — 网络 ACL 是无状态的,因此不会自动允许响应流量。有关更多信息,请参阅 Amazon VPC 用户指南中的网络 ACL。

于 2016-03-18T14:16:12.930 回答