I have a V2 ELB that is internet facing. It routes requests to instances in VPC just fine when I connect to it from my laptop. However when I try to connect to it from another instance inside the same VPC the Security Group firewall rules block the connection.
The only way I can get the instances in VPC to connect to the ELB is by opening the https port (443) to the world.
What am I doing wrong?
The ELB (https://elb.domain.com) has the following attrs:
<CIDR of vpc-aaa, 1.2.0.0/16>
From my laptop I can put in https://elb.domain.com and things work fine.
I now have another instance with the following attrs that can NOT connect to https://elb.domain.com:
Why does the ELB Security group rule of 443, source: sg-a not allow the connection? Why does it only work when I allow inbound "All traffic" on 443 in the ELB security group?
Instances in VPC, when connecting to a public-facing load balancer, will always exit the VPC and come back in from a public IP. In this scenario there is no way to lock inbound traffic by security group.
If the VPC instances trying to connect to the ELB do not need public IPs, you can simply set up an inbound rule on your ELB that only allows the source to be that of your VPC NAT Gateway(s).
If they do require public IPs, you are forced to specify AWS VPC public IP range, or if you use EIP you can specify the EIP(s).
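The following is an added example (not code from the question or the answer above) that models the behaviour the answer describes: a security-group-reference rule only matches traffic that arrives from an ENI inside the VPC, so once an instance's connection to the internet-facing ELB has gone out through the Internet Gateway or a NAT Gateway, the source is a public IP and the `source: sg-a` rule no longer applies. It also builds the boto3-style `IpPermissions` structure you would pass to `authorize_security_group_ingress` to allow only the NAT Gateway's EIP, as the answer suggests. The VPC CIDR `1.2.0.0/16` and `sg-a` come from the question; the NAT Gateway EIP `203.0.113.10` and the private address `1.2.3.4` are constructed placeholders.

```python
"""Model of security-group evaluation for an internet-facing ELB reached
from inside its own VPC. Added example; rules, addresses and packets are
constructed for illustration, not taken from a real AWS account."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    port: int
    protocol: str = "tcp"
    cidr: Optional[str] = None       # CIDR source, e.g. "203.0.113.10/32"
    source_sg: Optional[str] = None  # security-group source, e.g. "sg-a"


@dataclass(frozen=True)
class Packet:
    dst_port: int
    protocol: str
    src_ip: str
    # Security group of the originating ENI. AWS can only attribute this
    # while the packet stays inside the VPC; after NAT/IGW translation the
    # ENI identity is gone, modelled here as None.
    src_sg: Optional[str]


def rule_matches(rule: IngressRule, pkt: Packet) -> bool:
    """A rule matches on protocol, port and exactly one source kind."""
    if rule.protocol != pkt.protocol or rule.port != pkt.dst_port:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.cidr)
    if rule.source_sg is not None:
        return pkt.src_sg == rule.source_sg
    return False


def allowed(rules: List[IngressRule], pkt: Packet) -> bool:
    """Security groups are allow-lists: any matching rule permits the packet."""
    return any(rule_matches(r, pkt) for r in rules)


def nat_gateway_ingress_permissions(port: int, nat_eips: List[str]) -> list:
    """Build the IpPermissions payload for boto3's
    ec2.authorize_security_group_ingress restricting `port` to the NAT EIPs
    (each as a /32). Constructed to mirror the boto3 parameter shape."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [
            {"CidrIp": f"{eip}/32", "Description": "VPC NAT Gateway EIP"}
            for eip in nat_eips
        ],
    }]


# --- constructed scenario -------------------------------------------------
NAT_EIP = "203.0.113.10"            # placeholder NAT Gateway Elastic IP

# What the question configured: 443 from sg-a only.
ELB_RULES_SG_ONLY = [IngressRule(port=443, source_sg="sg-a")]
# What the answer recommends for private instances: 443 from the NAT EIP.
ELB_RULES_NAT_EIP = [IngressRule(port=443, cidr=f"{NAT_EIP}/32")]
# What the question had to fall back to: 443 from anywhere.
ELB_RULES_OPEN = [IngressRule(port=443, cidr="0.0.0.0/0")]

# Hypothetical packet if the instance could reach the ELB on a VPC-internal
# path: private source IP inside 1.2.0.0/16 and ENI still tied to sg-a.
DIRECT_IN_VPC = Packet(443, "tcp", "1.2.3.4", "sg-a")
# Actual path to an internet-facing ELB: exits via NAT, source is the EIP,
# and the originating ENI/security group is no longer attributable.
VIA_PUBLIC_PATH = Packet(443, "tcp", NAT_EIP, None)


def scenario() -> dict:
    """Evaluate every rule set against both paths; used by the test below."""
    return {
        "sg_rule_direct": allowed(ELB_RULES_SG_ONLY, DIRECT_IN_VPC),
        "sg_rule_public": allowed(ELB_RULES_SG_ONLY, VIA_PUBLIC_PATH),
        "nat_rule_public": allowed(ELB_RULES_NAT_EIP, VIA_PUBLIC_PATH),
        "open_rule_public": allowed(ELB_RULES_OPEN, VIA_PUBLIC_PATH),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
    print(nat_gateway_ingress_permissions(443, [NAT_EIP]))
```

The `sg_rule_public` result is the answer's point: the same rule that would permit an in-VPC connection denies the hairpinned one, which is why only `0.0.0.0/0` appeared to "work". Replacing it with the NAT EIP `/32` keeps the ELB closed to the rest of the internet while still admitting the private instances; if the instances have their own public IPs or EIPs, those addresses go in the `IpRanges` list instead.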