Menu
From the doc: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules
Source or destination: The source (inbound rules) or destination (outbound rules) for the traffic. Specify one of these options:
(...)
Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group. You can specify one of the following security groups:
The current security group.
As someone tried it?
I created 2 boxes BoxA, BoxB. I created a Security group GroupA with inbound from Source GroupA on port "All port". If I try from BoxA to telnet BoxB on port 9000 with BoxB having a simpleHttpServer on port 9000 I get nothing.
What could I do wrong?
934
You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time.
To reference a security group in another AWS account, include the account number in Source or Destination field; for example, 123456789012/sg-1a2b3c4d . You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC.
You can apply multiple security groups to a single EC2 instance or apply a single security group to multiple EC2 instances. System administrators often make changes to the state of the ports; however, when multiple security groups are applied to one instance, there is a higher chance of overlapping security rules.
You can create additional security groups for each VPC. You can associate a security group only with resources in the VPC for which it is created. For each security group, you add rules that control the traffic based on protocols and port numbers.
I was confused about what it exactly means to add another security group in Source (Inbound Rules) and Destination (Outbound Rules) when adding a new rule. I found the explanation given below (source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) very useful.
"When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port. Incoming traffic is allowed based on the private IP addresses of the network interfaces that are associated with the source security group (and not the public IP or Elastic IP addresses). Adding a security group as a source does not add rules from the source security group."
110
I found my answer: Can't communicate between two ec2 instances in the same security group via public ip address?
Need to use private IP or whitelist the public IPs. I wish it was described in the documentation.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
