My application has an ELB, NGINX and ECS in the web component layer, and I am grouping all of them into one security group; there is internal communication between ELB, NGINX and ECS. I wanted to create self-referential ports for the communication between these three. Do I have to write a self ingress rule or a self egress rule for this communication? Is the internal communication between these three inbound or outbound?
By creating a self-referencing rule, you can restrict the source to the same security group in the VPC, and it's not open to all networks. The default security group for your VPC might already have a self-referencing inbound rule for ALL Traffic.
To reference a security group in another AWS account, include the account number in the Source or Destination field; for example, 123456789012/sg-1a2b3c4d. You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC.
Instances associated with the same security group can't talk to each other unless you add rules allowing it (the exception being the default security group). You have to add rules to make them able to communicate.
To view your security groups using the console: open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Security Groups. Your security groups are listed. To view the details for a specific security group, including its inbound and outbound rules, select the security group.
The default outbound security group rules permit all traffic, so never change them unless you have a specific network requirement (such as enforcing additional restrictions to meet compliance requirements).
You can configure a Security Group to permit Inbound connections from itself (that is, the security group has its own ID as the Source of the inbound connection). This would enable any Amazon EC2 instance that is associated with the security group to communicate with any other Amazon EC2 instance that is associated with the same security group (on the given port).
The important thing to note is that security groups are enforced at the instance level rather than traditional firewalls that work at the network level. Thus, there is no concept of multiple instances being "inside a security group". Rather, the security group is applied against traffic as it goes into each instance. Thus, the need to allow incoming connections from 'itself'.
A security group can be made to allow traffic from itself; however, the SecurityGroup resource and its ingress rule need to be separated to avoid a circular dependency. For example:

ConsumerSG:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    VpcId: !ImportValue EnvVpc
    GroupDescription: !Sub 'Security group which grants access to consuming apps'
ConsumerSGIngress:
  Type: 'AWS::EC2::SecurityGroupIngress'
  DependsOn: ConsumerSG
  Properties:
    GroupId: !Ref ConsumerSG
    IpProtocol: tcp
    FromPort: '5000'
    ToPort: '5000'
    SourceSecurityGroupId: !Ref ConsumerSG

This creates a security group which allows access from itself on port 5000.
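The inbound-versus-outbound question in the thread, worked through as an added illustration that is not AWS code and not from any of the answerers. The script is a toy evaluator of security-group rules that models the two facts the answers rely on: rules are applied at each instance (egress on the sender, ingress on the receiver), and a rule whose peer is a security-group id matches any instance that is a member of that group. It then reproduces the ConsumerSG / ConsumerSGIngress shape above and shows that a self-referencing ingress rule on tcp/5000 is what opens the path, while a self-referencing egress rule alone changes nothing because default egress is already open. The group ids, instance names and ports are constructed sample values.

```python
"""Toy evaluator for AWS security-group rules (added illustration, not AWS code)."""
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"   # the open CIDR used by the default "allow all" egress rule


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" (inbound) or "egress" (outbound)
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    peer: str        # a security-group id, or a CIDR such as ANY

    def matches(self, protocol: str, port: int, peer_groups: tuple[str, ...]) -> bool:
        """True if this rule admits protocol/port to or from an instance whose
        security groups are peer_groups."""
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not (self.from_port <= port <= self.to_port):
            return False
        return self.peer == ANY or self.peer in peer_groups


@dataclass
class SecurityGroup:
    group_id: str
    # A newly created group carries the default outbound rule allowing all traffic.
    rules: list[Rule] = field(
        default_factory=lambda: [Rule("egress", "-1", 0, 65535, ANY)]
    )

    def add_self_ingress(self, protocol: str, from_port: int, to_port: int) -> None:
        """Same shape as the ConsumerSGIngress resource: the source is this group."""
        self.rules.append(Rule("ingress", protocol, from_port, to_port, self.group_id))


@dataclass(frozen=True)
class Instance:
    name: str
    groups: tuple[str, ...]


def connection_allowed(src: Instance, dst: Instance, protocol: str, port: int,
                       catalog: dict[str, SecurityGroup]) -> bool:
    """A new connection is allowed only if an egress rule on the sender's groups
    admits it AND an ingress rule on the receiver's groups admits it."""
    def any_rule(inst: Instance, direction: str, peer: Instance) -> bool:
        return any(
            r.matches(protocol, port, peer.groups)
            for gid in inst.groups
            for r in catalog[gid].rules
            if r.direction == direction
        )
    return any_rule(src, "egress", dst) and any_rule(dst, "ingress", src)


def demo() -> dict[str, bool]:
    web_sg = SecurityGroup("sg-0000web")            # constructed group id
    catalog = {web_sg.group_id: web_sg}
    elb = Instance("elb", (web_sg.group_id,))       # constructed members
    nginx = Instance("nginx", (web_sg.group_id,))
    ecs = Instance("ecs", (web_sg.group_id,))

    results = {}
    # Fresh group: default egress allows everything, but no ingress rule exists yet.
    results["no_rules"] = connection_allowed(elb, nginx, "tcp", 5000, catalog)

    # A self-referencing egress rule alone does not help; egress was already open.
    web_sg.rules.append(Rule("egress", "tcp", 5000, 5000, web_sg.group_id))
    results["self_egress_only"] = connection_allowed(elb, nginx, "tcp", 5000, catalog)

    # The self-referencing ingress rule on tcp/5000 is what opens the path.
    web_sg.add_self_ingress("tcp", 5000, 5000)
    results["self_ingress_5000"] = connection_allowed(elb, nginx, "tcp", 5000, catalog)
    # It is port-scoped: members still cannot reach each other on other ports.
    results["self_ingress_other_port"] = connection_allowed(nginx, ecs, "tcp", 22, catalog)

    # An instance in a different group is still refused on 5000.
    other_sg = SecurityGroup("sg-0000other")        # constructed group id
    catalog[other_sg.group_id] = other_sg
    outsider = Instance("outsider", (other_sg.group_id,))
    results["outsider"] = connection_allowed(outsider, ecs, "tcp", 5000, catalog)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running it prints allowed only for self_ingress_5000. The model deliberately ignores the stateful reply path: once the inbound rule admits the connection, the response traffic is tracked and needs no matching rule, which is why the answer to the original question is an ingress rule, not an egress one.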