Security concerns with AWS security groups for MySQL (tags: security, MySQL, AWS)

2023-09-12 00:05:01 Author: 刘海是用来遮住眼泪

I have an ec2 instance where I have installed mysql. The server listens to connections from any ip (bind-address = 0.0.0.0).

I have set up the mysql security group in such a way that only my webapp instances can connect remotely to the mysql db. For this I added a webapp-sg security group to my instance (webapp-sg restricts to http, https and ssh). Then for my mysql instance, I simply used the webapp-sg group as the "source". I have verified that:

1. I cannot remotely log in from outside ec2 instances.
2. Within ec2, I have to be on an ec2 instance that has the security group webapp-sg.

However, traffic between the webapp instance and mysql db would still be in clear text. What are the implications? (I see many articles that recommend the above set up). Do people use "Mysql over ssl" for this - I suspect that would have performance implications? Or does aws vpc resolve this?

Recommended answer

Short answer: this is the recommended way to operate. Go for it.

Longer: It depends. It depends on the level of security your app requires, and the amount of work, complexity, availability and maintenance you are willing to spend. While theoretically it is advised that any inter-machine traffic should be encrypted, especially on a multi-tenant environment like public clouds, AWS has spent a lot of effort to make their basic security groups offering a solid one. See the 'Network Security' chapter.

That would make both eavesdropping and packet spoofing very unlikely. If you are realistic, there is a greater chance (by orders of magnitude) that hackers could use your web app bugs and vulnerabilities as the primary attack vector.

Also probable is the chance of security group misconfiguration. Dedicated services like Dome9 and Newvem might assist in getting insights and in managing your security configurations. (Disclosure: I'm a Dome9 co-founder.)

Last, VPC. While not architecturally much different from EC2, it is recommended since it brings more configuration power, and a second method to enforce your policy (Network ACLs). This might introduce some complexity and more maintenance, but can reduce the effects of misconfiguration.
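The setup in the question (port 3306 reachable only from instances carrying webapp-sg) and the answer's point that a security-group misconfiguration is the more probable failure suggest a small audit. The following is an added example, not code from the question or the answer: it takes the JSON shape returned by `aws ec2 describe-security-groups` and flags any rule that exposes the database port to a CIDR range, to an all-protocol rule, or to a source group other than the ones you expect. The security-group data, ids and names below are constructed placeholders.

```python
"""Audit EC2 security-group ingress for a database port.

Added example, not part of the original post. Input is the JSON shape of
`aws ec2 describe-security-groups` output (the same structure boto3 returns).
The sample below is constructed; group ids and names are placeholders.
"""
import json

DB_PORT = 3306

# Constructed sample: a webapp group, a correctly configured MySQL group
# (source = webapp group only), and a misconfigured MySQL group.
SAMPLE_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0000webapp",
      "GroupName": "webapp-sg",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80,  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}
      ]
    },
    {
      "GroupId": "sg-0000mysql",
      "GroupName": "mysql-sg",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000webapp"}]}
      ]
    },
    {
      "GroupId": "sg-0000bad",
      "GroupName": "mysql-sg-misconfigured",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": "sg-0000webapp"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000webapp"}]}
      ]
    }
  ]
}
""")


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic on `port`.
    Protocol "-1" means every protocol and carries no port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_ingress(groups, port=DB_PORT, allowed_source_sgs=frozenset()):
    """Return (group_name, finding) pairs for every rule that exposes `port`
    to anything other than an allowed source security group."""
    findings = []
    for sg in groups["SecurityGroups"]:
        name = sg["GroupName"]
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            # Any CIDR source is a finding: the intended pattern is SG-to-SG only.
            for r in perm.get("IpRanges", []):
                findings.append((name, f"port {port} open to CIDR {r['CidrIp']}"))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((name, f"port {port} open to CIDR {r['CidrIpv6']}"))
            # Source groups are fine only if they are the ones we expect.
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_source_sgs:
                    findings.append((name, f"port {port} open to unexpected group {pair['GroupId']}"))
            # An all-protocol rule covers the DB port as a side effect; narrow it.
            if perm.get("IpProtocol") == "-1":
                findings.append((name, f"all-protocol rule also covers port {port}; narrow to tcp/{port}"))
    return findings


if __name__ == "__main__":
    # In practice: groups = json.load(open("describe-security-groups.json"))
    for group, finding in audit_db_ingress(SAMPLE_GROUPS, allowed_source_sgs={"sg-0000webapp"}):
        print(f"[{group}] {finding}")
```

Run it against saved `describe-security-groups` output, passing the ids of the groups that are legitimately allowed to reach the database; a clean run returns no findings, which is the state the question's manual checks (no login from outside EC2, no login from instances without webapp-sg) were confirming by hand.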