I have two Elastic Beanstalk applications "a" and "b". Anyone should be able to talk to (a) over http, but only (a) should be able to talk to (b). I.e.
internet -> a -> b
Right now, everything works if both apps are fully open to the internet. But as soon as I try to restrict the security group for (b)'s ELB, (a) can't seem to connect anymore.
I.e. If I allow (b)'s load balancer security group to allow http:0.0.0.0/0, everything works. But if I set that same security group to allow only http:[(a)'s security group], (a) can no longer communicate with (b).
Both apps are in the same VPC. What am I missing?
-- Edit --
To be explicit:
Working:
App A's ELB Security Group Settings, to allow access from anyone to HTTP/S
App A's EC2 Security Group, to allow access only from A's ELB (yes, I'm missing https here, but that's OK for now)
App B's ELB Security Group, to allow access from anyone
App B's EC2 Security Group, to allow access only from B's ELB
NOT Working:
Everything the same as above, but change B's ELB Security Group to only allow access from A's EC2 group. Heck, just to be sure, we'll add A's EC2 AND ELB.
App B's ELB Security Group, allowing access only from App A
If anyone has this working (as some have claimed), I'd be very interested in details. I signed up for a support account and opened a ticket with AWS, and officially they say this isn't possible:
After researching this more, the setup that you are trying to implement isn't supported. In the security group rules section it states that when referencing a security group in an SG rule, it allows access from the local IP addresses of instances associated with the source group, not their public or Elastic IPs. Below is the documentation page with more information on the topic.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules
To accomplish what you want to do will require a bit more setup, but is possible.
Below I've included a link to a tutorial that lays out the process of deploying an EB environment into a VPC with instances in a private subnet, as well as the process of setting up a NAT instance on AWS. Using this will allow you to have your private EB application's instances accessible only from the public EB application.
I would recommend setting up a new VPC with this architecture in mind rather than try to modify your existing VPC.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance
I.e. the traffic between the two EB instances is from A's public IP address, but security groups only work against private IP addresses. I haven't finished reading yet, but it looks like the solution is to create a new VPC and NAT the two together, so all requests look like they're coming from the private IP addresses.
That's kind of gross, not the least of which is that creating all new VPCs would be a royal pain. So very curious if others out there have this working without that.
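The following is an added illustration, not code from the post above or from AWS. It models the rule semantics the support reply describes: an ingress rule whose source is another security group is matched against the private IP addresses of that group's members, while a CIDR rule is matched against whatever source address the packet actually carries. The security-group IDs, the 10.0.0.0/16 VPC, the private and public addresses, and the assumption that a request sent to B's internet-facing ELB arrives with A's public IP (the poster's own reading of the failure) are all constructed for the example.

```python
"""Model of EC2 security-group ingress evaluation (added example).

Assumption being modelled: a "source = security group" rule expands to the
private IPs of that group's member interfaces, never to public/Elastic IPs.
All IDs and addresses below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: private IPs of the interfaces in each security group.
# This set is the ONLY thing a "source = sg-..." rule is compared against.
SG_MEMBERS = {
    "sg-a-elb": {"10.0.1.10", "10.0.2.10"},   # App A's ELB nodes
    "sg-a-ec2": {"10.0.1.20", "10.0.2.20"},   # App A's instances
    "sg-b-elb": {"10.0.1.30", "10.0.2.30"},   # App B's ELB nodes
    "sg-b-ec2": {"10.0.1.40", "10.0.2.40"},   # App B's instances
}

# Constructed: private and public address of one of App A's instances.
A_INSTANCE_PRIVATE_IP = "10.0.1.20"
A_INSTANCE_PUBLIC_IP = "203.0.113.20"

# Ingress rule sets for B's ELB security group, as (port, source).
WORKING_RULES = [(80, "0.0.0.0/0")]                    # open to the internet
NOT_WORKING_RULES = [(80, "sg-a-ec2"), (80, "sg-a-elb")]  # "only App A"


def rule_matches(source, src_ip):
    """True if one rule's source covers the packet's source address.

    A CIDR source is checked directly. A security-group source is expanded
    to its members' private IPs, so a packet carrying a public address can
    never match it, whatever instance originally sent it.
    """
    addr = ip_address(src_ip)
    if source.startswith("sg-"):
        return addr in {ip_address(m) for m in SG_MEMBERS.get(source, ())}
    return addr in ip_network(source)


def ingress_allowed(rules, src_ip, port):
    """Security groups are allow-lists: permit if any rule on `port` matches."""
    return any(r_port == port and rule_matches(src, src_ip)
               for r_port, src in rules)


def a_can_reach_b_elb(rules, via_public_endpoint):
    """Does an App A instance get through B's ELB security group?

    Modelling assumption: calling B's internet-facing ELB by its public DNS
    name makes the request arrive with A's public IP; a request that stays
    on VPC addressing arrives with A's private IP.
    """
    src = A_INSTANCE_PUBLIC_IP if via_public_endpoint else A_INSTANCE_PRIVATE_IP
    return ingress_allowed(rules, src, 80)


if __name__ == "__main__":
    print("0.0.0.0/0, via public ELB  :", a_can_reach_b_elb(WORKING_RULES, True))
    print("sg-a-*,    via public ELB  :", a_can_reach_b_elb(NOT_WORKING_RULES, True))
    print("sg-a-*,    private address :", a_can_reach_b_elb(NOT_WORKING_RULES, False))
```

Run as a script it prints True, False, True: the group-referencing rule set rejects the same instance the open rule set accepts, purely because of which address the packet carries when it reaches B's load balancer. The third line is the case the group reference is designed for, a source that still has its VPC-private address on arrival; a random VPC host outside sg-a-* (say 10.0.9.9) is still rejected, which is the isolation the poster was after.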