Suggested Answer: C
Elastic Load Balancing provides a special Amazon EC2 source security group that the user can use to ensure that back-end EC2 instances receive traffic only from Elastic Load Balancing. This feature needs two security groups: the source security group and a security group that defines the ingress rules for the back-end instances. To ensure that traffic only flows between the load balancer and the back-end instances, the user can add or modify a rule in the back-end security group that limits ingress traffic so that it can come only from the source security group provided by Elastic Load Balancing.
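The two-group arrangement described above can be checked mechanically. The following Python is an added example, not part of the original page or of AWS documentation: it audits a back-end group's ingress rules and reports every source other than the load balancer's group. It assumes rules in the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`; the function name, group IDs and sample rules are constructed for illustration.

```python
# Added example: audit a back-end security group so that the only ingress
# source is the load balancer's security group.
# Assumption: rules use the IpPermissions shape of EC2 DescribeSecurityGroups.
# All group IDs and rule sets below are constructed placeholders.

ELB_SOURCE_SG = "sg-elb-source-EXAMPLE"


def audit_backend_ingress(ip_permissions, elb_sg_id):
    """Return whether the ELB group is allowed, plus every other source."""
    elb_allowed = False
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol", "-1")
        # Protocol "-1" means all protocols and all ports.
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        label = f"{proto}/{ports}"
        # Any CIDR or prefix-list source bypasses the load balancer.
        for r in perm.get("IpRanges", []):
            findings.append((label, "cidr", r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            findings.append((label, "cidr", r["CidrIpv6"]))
        for r in perm.get("PrefixListIds", []):
            findings.append((label, "prefix-list", r["PrefixListId"]))
        # Group-to-group rules are acceptable only for the ELB's group.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == elb_sg_id:
                elb_allowed = True
            else:
                findings.append((label, "other-group", pair.get("GroupId")))
    return {"elb_allowed": elb_allowed, "findings": findings}


# Constructed sample: instances reachable directly, not only through the ELB.
WEAK_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion-EXAMPLE"}]},
]

# Constructed sample: the only ingress source is the ELB's group.
HARDENED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ELB_SOURCE_SG}]},
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_backend_ingress(rules, ELB_SOURCE_SG))
```

A finding of kind `other-group` is not necessarily a mistake (an administrative access group, for instance), but it is a path to the instances that does not pass through the load balancer and should be reviewed.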
ELB will create a SG for itself if we opt to, and we can refer to another SG (EC2 SG in this case) as source :/ It's D. If the question is about the best practice, then 2 SGs are needed for this setup!
When an Elastic Load Balancer (ELB) is created, it will create and manage its own security group by default. This security group is automatically configured to allow incoming traffic from the configured listeners (ports) of the ELB and restrict outgoing traffic to the instances associated with the ELB. The instances associated with the ELB will continue to use their own security groups, and the ELB's security group will be separate from the instance security groups.
So, when you create an ELB with three instances, it will create only one security group for itself by default. This single security group will handle the traffic to and from the instances through the ELB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
Elastic Load Balancing creates only one such security group per AWS account, with a name of the form default_elb_id (for example, default_elb_fc5fbed3-0405-3b7d-a328-ea290EXAMPLE). Subsequent load balancers that you create in the default VPC also use this security group.
D seems correct
C
Source SG to ensure EC2 receives traffic only from ELB, and
second SG defining the ingress rules for the EC2 instances, which needs the first source SG
There is a significant difference between the way Classic Load Balancers support security groups in EC2-Classic and in a VPC. In EC2-Classic, the load balancer provides a special source security group that you can use to ensure that instances receive traffic only from your load balancer. You can't modify this source security group. In a VPC, you provide the security group for your load balancer, which enables you to choose the ports and protocols to allow. For example, you can open Internet Control Message Protocol (ICMP) connections for the load balancer to respond to ping requests (however, ping requests are not forwarded to any instances).
I don't see how an ELB can have two Security groups created by default; the security group defining the ingress-rules for the back-end instances will have to be created by the user.
The answer should be D - 1 Security Group created by default.