AWS Instance Only Allow Traffic From Load Balancer

I have a Load Balancer and Auto-Scaling Group. The Load Balancer sends traffic to my Auto-Scaling Group. I have two instances: Instance 7000 (which is listening on port 7000 and is part of the auto-scaling group and gets its traffic from the load balancer) and Instance 8545 (which is listening on port 8545 and is simply a single instance that is not part of the Load Balancer or the Auto-Scaling Group).

I have a load balancer security group ("LB-SG") and a security group for Instance 8545 ("App-SG"). I want Instance 8545 to only allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group. So I included "LB-SG" as an inbound rule for "App-SG" on port 8545, but it is not working. However, if I simply include the IP address for Instance 7000 on port 8545 as an inbound rule in "LB-SG", it works perfectly. But that doesn't solve my issue, because if more instances get added by the Auto-Scaling Group or an IP address changes, then it won't work.

Edit: reworded for clarity

connorvo asked Mar 12 '18 02:03



1 Answer

Your requirements are a little unclear, but here is the general use-case...

If you wish an instance to accept traffic from a Load Balancer, then:

  • Create a Security Group for your Load Balancer ("LB-SG")
  • Create a Security Group for your instances ("App-SG")
  • In App-SG, permit inbound traffic on the desired port from LB-SG

That is, the App-SG rule specifically references LB-SG by its unique name (sg-abcd1234).

Result: Every instance associated with App-SG will permit inbound traffic that is coming from the Load Balancer.

Similarly, if you want a specific instance (Instance-A) to accept traffic from another instance (Instance-B), create a different security group for each instance and add a rule to the Instance-A security group to permit inbound traffic on a given port from the Instance-B security group.

There is no need to use IP addresses.

John Rotenstein answered Oct 15 '22 19:10
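As an added illustration (not code from the thread or from AWS), here is a small Python model of how EC2 security-group rules are evaluated. The group IDs, instance IPs and the extra autoscaled instance are constructed sample values, and the rule dicts follow the IpPermissions shape that boto3's `authorize_security_group_ingress` accepts. It shows why a rule that references the source security group keeps working after the Auto Scaling Group adds an instance, while the IP-based rule the asker tried does not.

```python
"""Model of EC2 security-group evaluation (added example, not from the thread).
ASG_SG is the group attached to the autoscaled instances; APP_SG is the group on
Instance 8545. Group IDs, IPs and instance names are constructed samples."""
import ipaddress

ASG_SG = "sg-0asg00000000000a"   # constructed: group on the autoscaled instances
APP_SG = "sg-0app00000000000b"   # constructed: group on Instance 8545

# Inbound rules for App-SG in the EC2 IpPermissions format.
# Correct form (per the answer): port 8545 from any member of ASG-SG.
APP_SG_RULES = [{"IpProtocol": "tcp", "FromPort": 8545, "ToPort": 8545,
                 "UserIdGroupPairs": [{"GroupId": ASG_SG}], "IpRanges": []}]
# The IP-based variant from the question: tied to one instance's address.
APP_SG_RULES_BY_IP = [{"IpProtocol": "tcp", "FromPort": 8545, "ToPort": 8545,
                       "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.1.10/32"}]}]


def allowed(rules, src_ip, src_groups, port, proto="tcp"):
    """True if any inbound rule admits traffic from src_ip (whose instance has
    src_groups attached) to port. Security groups are allow-only, so a packet
    matched by no rule is dropped."""
    for r in rules:
        if r["IpProtocol"] not in (proto, "-1"):
            continue
        if not (r.get("FromPort", 0) <= port <= r.get("ToPort", 65535)):
            continue
        # Group references match on the sender's attached groups, not its IP.
        if any(p["GroupId"] in src_groups for p in r["UserIdGroupPairs"]):
            return True
        if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c["CidrIp"])
               for c in r["IpRanges"]):
            return True
    return False


# Constructed fleet: Instance 7000 plus one instance launched later by the ASG.
FLEET = {"i-7000": ("10.0.1.10", {ASG_SG}), "i-asg-new": ("10.0.1.57", {ASG_SG})}
STRAY = ("10.0.2.99", set())  # a host that is not part of the ASG at all


def check(rules):
    """Return {instance: allowed?} for each fleet member and the stray host on 8545."""
    out = {name: allowed(rules, ip, sgs, 8545) for name, (ip, sgs) in FLEET.items()}
    out["stray"] = allowed(rules, STRAY[0], STRAY[1], 8545)
    return out


if __name__ == "__main__":
    print("by group:", check(APP_SG_RULES))        # both fleet members True, stray False
    print("by IP:   ", check(APP_SG_RULES_BY_IP))  # the new ASG instance is False
```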