
AWS Security group include another Security Group

From the doc: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules

Source or destination: The source (inbound rules) or destination (outbound rules) for the traffic. Specify one of these options:

(...)

Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group. You can specify one of the following security groups:

The current security group.

Has anyone tried it?

I created 2 boxes, BoxA and BoxB. I created a security group GroupA with an inbound rule from source GroupA on "All ports". If I try from BoxA to telnet to BoxB on port 9000, with BoxB running a SimpleHTTPServer on port 9000, I get nothing.

What could I be doing wrong?

asked Jul 31 '17 13:07 by Regnoult


2 Answers

I was confused about what it exactly means to add another security group in Source (Inbound Rules) and Destination (Outbound Rules) when adding a new rule. I found the explanation given below (source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) very useful.

"When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port. Incoming traffic is allowed based on the private IP addresses of the network interfaces that are associated with the source security group (and not the public IP or Elastic IP addresses). Adding a security group as a source does not add rules from the source security group."

answered Nov 16 '22 00:11 by shashi


I found my answer: "Can't communicate between two ec2 instances in the same security group via public ip address?"

You need to use the private IP or whitelist the public IPs. I wish it were described in the documentation.

answered Nov 16 '22 01:11 by Regnoult
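The two answers above make the same point from different directions: a rule whose source is a security group expands to the private IPs of the ENIs in that group, so a connection that arrives from an instance's public IP (which is what BoxB sees when BoxA connects to BoxB's public address, because that flow hairpins through the internet gateway and is NATed to BoxA's public IP) matches nothing. The following model of that evaluation is an added example, not code from the question, the answers or AWS; the instance names, addresses, group ID `sg-groupa` and the assumption that BoxA has a public IP are all constructed for illustration.

```python
"""Model of how an EC2 security group evaluates an inbound rule whose source
is another security group.  Added example; the instances, IPs and group IDs
below are constructed for illustration and are not real resources."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALL_PROTOCOLS = "-1"   # what the console calls "All traffic" / "All ports"


@dataclass(frozen=True)
class Eni:
    """A network interface: the ENI (not the instance) carries the private IP
    and the security-group membership."""
    instance: str
    private_ip: str
    public_ip: Optional[str]
    security_groups: frozenset


@dataclass(frozen=True)
class Rule:
    protocol: str                     # "tcp", "udp", "icmp" or ALL_PROTOCOLS
    from_port: int
    to_port: int
    cidr: Optional[str] = None        # source given as a CIDR block, or ...
    source_sg: Optional[str] = None   # ... source given as a security group ID


def sg_private_ips(enis, sg_id):
    """Addresses a security-group source expands to: the *private* IPs of every
    ENI associated with that group.  Public and Elastic IPs are never included."""
    return {e.private_ip for e in enis if sg_id in e.security_groups}


def rule_matches(rule, enis, src_ip, protocol, port):
    """True if one rule permits a flow from src_ip on protocol/port."""
    if rule.protocol != ALL_PROTOCOLS:
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.cidr is not None:
        return ip_address(src_ip) in ip_network(rule.cidr, strict=False)
    if rule.source_sg is not None:
        return src_ip in sg_private_ips(enis, rule.source_sg)
    return False


def inbound_allowed(rules_by_sg, enis, dst, src_ip, protocol, port):
    """Security groups are allow-lists: any matching rule in any group attached
    to the destination ENI permits the flow; otherwise it is dropped."""
    return any(
        rule_matches(rule, enis, src_ip, protocol, port)
        for sg in dst.security_groups
        for rule in rules_by_sg.get(sg, ())
    )


def scenario():
    """Reproduce the question: BoxA and BoxB in GroupA, GroupA allows all
    traffic from GroupA, BoxA connects to BoxB on TCP/9000."""
    box_a = Eni("BoxA", "10.0.1.10", "203.0.113.10", frozenset({"sg-groupa"}))
    box_b = Eni("BoxB", "10.0.1.20", "203.0.113.20", frozenset({"sg-groupa"}))
    enis = [box_a, box_b]
    rules = {"sg-groupa": [Rule(ALL_PROTOCOLS, 0, 65535, source_sg="sg-groupa")]}

    # 1. telnet 203.0.113.20 9000: the flow hairpins through the internet
    #    gateway, so BoxB sees BoxA's *public* IP as the source (assumption of
    #    this model).  No ENI in the group owns that address, so no match.
    via_public = inbound_allowed(rules, enis, box_b, box_a.public_ip, "tcp", 9000)

    # 2. telnet 10.0.1.20 9000: the source is BoxA's private IP, which the
    #    SG-source rule expands to, so the connection is allowed.
    via_private = inbound_allowed(rules, enis, box_b, box_a.private_ip, "tcp", 9000)

    # 3. The other fix from the accepted answer: allow-list the public IP
    #    explicitly as a /32 CIDR rule, scoped to the one port that is needed.
    rules["sg-groupa"].append(Rule("tcp", 9000, 9000, cidr=f"{box_a.public_ip}/32"))
    via_public_after_fix = inbound_allowed(rules, enis, box_b, box_a.public_ip, "tcp", 9000)

    return via_public, via_private, via_public_after_fix


if __name__ == "__main__":
    print(scenario())   # (False, True, True)
```

Running the block prints `(False, True, True)`: the self-referencing rule drops the public-IP connection, permits the private-IP one, and the explicit /32 rule makes the public path work as well. The self-referencing rule itself is what the question already had (in the CLI it is `aws ec2 authorize-security-group-ingress --group-id <sg> --protocol -1 --source-group <sg>`); the practical takeaway is to address peers by private IP or DNS name within the VPC rather than opening the group to public addresses.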