An organization is planning to set up a management network on an AWS VPC. It wants to secure a web server running on a single VPC instance so that the instance accepts Internet traffic as well as back-end management traffic. The back-end management network interface must accept SSH traffic only from a selected IP range, while the Internet-facing web server interface has an IP address that can receive traffic from any Internet IP. How can the organization achieve this while running the web server on a single instance?
A. It is not possible to have two IP addresses for a single instance.
B. The organization should create two network interfaces with the same subnet and security group to assign separate IPs to each network interface.
C. The organization should create two network interfaces with separate subnets so one instance can have two subnets and the respective security groups for controlled access.
D. The organization should launch an instance with two separate subnets using the same network interface, which allows it to have a separate CIDR as well as security groups.
Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. The user can create a management network using two separate network interfaces. In the present scenario, the secondary network interface on the instance handles the public-facing traffic, while the primary network interface handles the back-end management traffic and is connected to a separate subnet in the VPC that has more restrictive access controls. The public-facing interface, which may or may not be behind a load balancer, has an associated security group that allows access to the server from the Internet. The private-facing interface has an associated security group that allows SSH access only from an allowed range of IP addresses, whether that range lies within the VPC, on the Internet, in a private subnet of the VPC, or behind a virtual private gateway.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
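The two-ENI layout the explanation describes, written out as an added Terraform example (not part of the question or of the AWS documentation it cites). It assumes the AWS provider v5 syntax, a placeholder region and AMI, and constructed CIDR ranges: a 10.0.0.0/16 VPC, a public subnet for the web ENI, a management subnet for the SSH ENI, and 203.0.113.0/24 (a documentation range) standing in for the organization's allowed SSH source range.

```hcl
# Added example: one EC2 instance, two ENIs in separate subnets, each ENI
# with its own security group. Region, AMI and CIDRs are placeholders.

provider "aws" {
  region = "us-east-1" # assumption
}

locals {
  management_ssh_cidr = "203.0.113.0/24" # constructed: the only range allowed to SSH
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Public subnet holds the Internet-facing (web) interface.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Management subnet holds the back-end (SSH) interface; it has no Internet route.
resource "aws_subnet" "management" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Web ENI security group: HTTP/HTTPS from anywhere, no SSH rule at all.
resource "aws_security_group" "web" {
  name   = "web-public"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Management ENI security group: SSH only from the allowed range.
resource "aws_security_group" "management" {
  name   = "management-ssh"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.management_ssh_cidr]
  }
}

resource "aws_network_interface" "management" {
  subnet_id       = aws_subnet.management.id
  security_groups = [aws_security_group.management.id]
}

resource "aws_network_interface" "web" {
  subnet_id       = aws_subnet.public.id
  security_groups = [aws_security_group.web.id]
}

# Public IP is attached only to the web ENI.
resource "aws_eip" "web" {
  domain            = "vpc"
  network_interface = aws_network_interface.web.id
}

resource "aws_instance" "webserver" {
  ami           = "ami-PLACEHOLDER" # placeholder, replace with a real AMI ID
  instance_type = "t3.micro"

  # device_index 0 is the primary ENI (management), 1 the secondary (web),
  # matching the split described in the explanation.
  network_interface {
    network_interface_id = aws_network_interface.management.id
    device_index         = 0
  }
  network_interface {
    network_interface_id = aws_network_interface.web.id
    device_index         = 1
  }
}
```

Two practical points. Because Terraform's `aws_security_group` drops the default allow-all egress rule, neither group above permits the instance to initiate outbound connections; add an `egress` block if the server needs to reach out (replies to allowed inbound connections still flow, since security groups are stateful). Also, when the public IP sits on the secondary ENI, the guest OS's default route normally points out the primary interface, so a second routing table with a policy rule for the secondary ENI's address is needed for return traffic to leave on the interface it arrived on.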