https://212clab.pages.dev/en/qna/Recent content in QnA on blog.212clabHugoenSat, 02 May 2026 00:00:00 +0000https://212clab.pages.dev/en/qna/2026-05-02-ecs-private-db-sg/Sat, 02 May 2026 00:00:00 +0000https://212clab.pages.dev/en/qna/2026-05-02-ecs-private-db-sg/<h2 id="one-liner">One-liner</h2> <p>Add the ECS task&rsquo;s Security Group as an <strong>inbound source</strong> in the RDS Security Group. Reference the SG itself — not an IP address.</p> <hr> <h2 id="why-you-cant-use-ips">Why You Can&rsquo;t Use IPs</h2> <p>ECS Fargate assigns a <strong>new IP every time a task starts</strong>:</p> <pre tabindex="0"><code>Task A: 10.0.1.23 → terminates Task B: 10.0.2.87 → new task (different IP) Task C: 10.0.1.45 → scale-out (yet another IP) </code></pre><p>Because tasks scale in and out with auto-scaling, registering IPs in a Security Group is impractical.</p>https://212clab.pages.dev/en/qna/2026-05-02-iptables-vs-sg/Sat, 02 May 2026 00:00:00 +0000https://212clab.pages.dev/en/qna/2026-05-02-iptables-vs-sg/<h2 id="one-liner">One-liner</h2> <p>iptables is an <strong>OS kernel-level</strong> firewall; Security Group is an <strong>AWS VPC-level</strong> virtual firewall. iptables runs inside the host; SG runs outside the host (at the hypervisor).</p> <hr> <h2 id="where-each-operates">Where Each Operates</h2> <pre tabindex="0"><code>[Internet] ↓ [AWS VPC] ↓ [Security Group] ← Hypervisor (ENI) level — filters traffic before it reaches EC2 ↓ [EC2 instance] ↓ [iptables] ← OS kernel (netfilter) level — filters traffic inside EC2 ↓ [Application] </code></pre><p>SG filters traffic <strong>before</strong> it ever reaches the EC2 instance. iptables filters inside EC2 at the kernel level.</p>https://212clab.pages.dev/en/qna/2026-03-22-nlb-vs-alb/Sun, 22 Mar 2026 00:00:00 +0000https://212clab.pages.dev/en/qna/2026-03-22-nlb-vs-alb/<h2 id="one-liner">One-liner</h2> <p>NLB is an <strong>L4 (TCP/UDP)</strong> load balancer; ALB is an <strong>L7 (HTTP/HTTPS)</strong> load balancer. NLB forwards packets as-is, while ALB parses HTTP requests before routing them.</p> <hr> <h2 id="how-each-layer-works">How Each Layer Works</h2> <pre tabindex="0"><code>NLB (L4): Client → [NLB: forward TCP packet] → Server - Does not inspect packet contents - Routes by IP + Port only ALB (L7): Client → [ALB: parse HTTP request] → Server - Inspects Host header, URL path, HTTP method - Makes routing decisions based on request content </code></pre><hr> <h2 id="key-differences">Key Differences</h2> <table> <thead> <tr> <th></th> <th>NLB</th> <th>ALB</th> </tr> </thead> <tbody> <tr> <td>OSI layer</td> <td>L4 (TCP/UDP)</td> <td>L7 (HTTP/HTTPS)</td> </tr> <tr> <td>Routing basis</td> <td>IP + Port</td> <td>Host, Path, Header, Method</td> </tr> <tr> <td>Latency</td> <td>~100µs (ultra-low)</td> <td>~1ms</td> </tr> <tr> <td>Static IP</td> <td>Yes (1 per AZ)</td> <td>No (DNS-based)</td> </tr> <tr> <td>Throughput</td> <td>Millions of requests/sec</td> <td>Tens of thousands of requests/sec</td> </tr> <tr> <td>Protocols</td> <td>TCP, UDP, TLS</td> <td>HTTP, HTTPS, gRPC, WebSocket</td> </tr> </tbody> </table> <hr> <h2 id="routing-capabilities">Routing Capabilities</h2> <pre tabindex="0"><code>NLB: - Port-based routing only - :443 → Target Group A - :8080 → Target Group B ALB: - api.example.com/users → User service - api.example.com/orders → Order service - admin.example.com/* → Admin service - Header X-Version: v2 → V2 service </code></pre><p>With ALB, a single load balancer can route to multiple services by Host or Path. With NLB, you&rsquo;d have to split by port or deploy separate NLBs.</p>