Chapter 10. Isolating Network Access
A fundamental component of application security is the ability to control network access, both inbound to and outbound from your applications. AWS provides EC2 security groups that provide such a capability, which you can apply on a per-network-interface basis to your EC2 instances. This mechanism works well for traditional applications that are deployed to EC2 instances, but historically has not been as effective for container applications, which often operate on shared EC2 instances that communicate via a shared host interface on the EC2 instance. For ECS, the approach until recently has been that you have two applied security groups that accommodate the network security requirements of all the containers you need to support running on a given ECS container instance, which reduces the effectiveness of your security rules, and for applications with high security requirements is not acceptable. The only alternative to this approach up until recently was...