Which of the following options would you consider?

You are designing a data leak prevention solution for your VPC environment. You want your VPC instances to
be able to access software depots and distributions on the Internet for product updates. The depots and
distributions are accessible via third-party CDNs by their URLs. You want to explicitly deny any other outbound
connections from your VPC instances to hosts on the Internet.
Which of the following options would you consider?


A.
Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove
default routes.

B.
Implement security groups and configure outbound rules to only permit traffic to software depots.

C.
Move all your instances into private VPC subnets, remove default routes from all routing tables, and add
specific routes to the software depots and distributions only.

D.
Implement network access control lists to all specific destinations, with an implicit deny as a rule.
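An added example of what option A looks like in practice (not part of the question or of any comment): a Squid forward-proxy configuration that allows only named depots and CDN hostnames and denies every other outbound request. The proxy address and the depot/CDN hostnames are placeholders.

```conf
# Explicit forward proxy for the VPC, listening on a private address (placeholder).
# Instances point http_proxy/https_proxy at it and have no default route to the
# Internet, so the proxy is the only egress path.
http_port 10.0.1.10:3128

# Allowlist of depot and CDN hostnames. A leading dot also matches subdomains.
# These names are placeholders; substitute the real depot and CDN hostnames.
acl allowed_depots dstdomain .depot.example.com
acl allowed_depots dstdomain .cdn-example.net

# Permit CONNECT tunnels only to 443, so HTTPS passes without TLS interception.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Rules are evaluated in order, first match wins: allow the listed names,
# whether a plain HTTP request or a CONNECT to them.
http_access allow allowed_depots

# Explicit default deny: any other destination is refused and logged.
http_access deny all
```

The proxy matches the hostname in the request line or CONNECT target, so a CDN name can be allowlisted even though the CDN's IP addresses are shared and change, which a security group or NACL cannot express. The allowlist only holds if instances have no other route out, so removing default routes (or denying direct egress) is part of the design, not an optional step.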





Steve

I would definitely do A in the real world to prevent creating custom NACLs. Explicit IP based NACLs are a nightmare. Avoid D at all cost!

Tomasz

A – proxy server can enforce URL-based rules for outbound access
B, C and D – You cannot specify URL there

charm

perfect @tomasz