What format to use when entering an IP address into an EC2 Security Group rule?

I am trying to configure a secure SSH connection from a bastion host (located in a public subnet) to private Linux instances (located in a private subnet) in the same VPC.

When I add a security group rule for my private Linux instance, it initially shows the rule as:

[screenshot: security group rule form, before entering the bastion host address]

[screenshot: security group rule form, after entering the bastion host address]

Please note that before adding the IP address of the bastion host, the watermark shows "CIDR, IP or Security Group", but when I add the IP address of the bastion host, it throws this error:

The source needs to be a CIDR block or a Security Group ID.

Why is it not allowing me to enter the IP address of the bastion host here?

Alagesan Palani asked Oct 09 '16 07:10


1 Answer

It appears that your situation is:

  • You have an EC2 instance ("Bastion instance") in a public subnet, and you are able to SSH to it
  • You have an EC2 instance ("private instance") in a private subnet
  • You are configuring the Security Group associated with the private instance to permit SSH access only from the Bastion instance

I note that you are entering a Public IP address (52.63.198.234) in the Security Group. You should actually enter the Private IP address of the Bastion instance. This way, the traffic between the instances flows wholly within the VPC rather than leaving the VPC (to access the public IP address) and then coming back in again.

Actually, the recommended way to configure this setup is:

  • Create a security group for your Bastion instance ("Bastion-SG")
  • Create a security group for your private instance(s) ("Private-SG")
  • Configure the Private-SG to permit inbound SSH traffic from Bastion-SG

By referring to the name of a security group, traffic will automatically be permitted from any EC2 instance that is associated with the named security group (in this case, any instance that is associated with the Bastion-SG). This means that instances can be added/replaced and traffic will still be permitted based upon the associated security group, rather than having to update specific IP addresses.

So, to answer your question... Yes, there are three ways to refer to the source. From the EC2 documentation Security Group Rules:

  • An individual IP address, in CIDR notation. Be sure to use the /32 prefix after the IP address; if you use the /0 prefix after the IP address, this opens the port to everyone. For example, specify the IP address 203.0.113.1 as 203.0.113.1/32.
  • An IP address range, in CIDR notation (for example, 203.0.113.0/24).
  • The name (EC2-Classic) or ID (EC2-Classic or EC2-VPC) of a security group.

So, the IP address actually has to use CIDR notation, with /32 at the end. If you think that this doesn't quite match the hint of "IP" (and I'd tend to agree with you), feel free to hit the Feedback button in the console and provide your feedback to the EC2 Console team.

John Rotenstein answered Sep 18 '22 15:09
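The two points in the answer, that a single address must be written as a /32 CIDR and that the better source for a private instance's rule is the bastion's security group ID, can be checked before the value ever reaches the console or the API. The following is an added example, not code from the question, the answer or AWS: it normalises whatever is typed into the "Source" field (a bare address becomes a host route, a /0 block is flagged as open to everyone) and builds the TCP/22 IpPermissions entry in the shape the EC2 API uses for both CIDR and security-group sources. The security group ID sg-0123456789abcdef0 is a constructed placeholder; the IP 52.63.198.234 is the one quoted in the answer.

```python
import ipaddress
import re

# EC2 security group IDs are "sg-" followed by 8 (legacy) or 17 hex characters.
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def normalize_source(source: str) -> str:
    """Turn a typed 'Source' value into what the security-group API accepts:
    a CIDR block or a security group ID.

    A bare IPv4/IPv6 address becomes a host route (/32 or /128). A value with
    a prefix is validated strictly (host bits set -> ValueError), so a typo
    such as 10.0.1.5/24 is rejected instead of silently widening the rule.
    """
    source = source.strip()
    if SG_ID_RE.match(source):
        return source
    if "/" not in source:
        addr = ipaddress.ip_address(source)       # ValueError on anything that is not an address
        return f"{addr}/{addr.max_prefixlen}"     # 52.63.198.234 -> 52.63.198.234/32
    return str(ipaddress.ip_network(source))      # strict: prefix must describe a whole network


def is_open_to_world(cidr: str) -> bool:
    """True for the /0 block that the answer warns opens the port to everyone."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def ssh_ingress_permission(source: str) -> dict:
    """Build one IpPermissions entry for SSH (TCP/22) from a source value.

    The dict matches what `aws ec2 authorize-security-group-ingress
    --ip-permissions` (and boto3) expect: CIDR sources go under IpRanges or
    Ipv6Ranges, a security group source goes under UserIdGroupPairs, which is
    the "permit Bastion-SG" form the answer recommends.
    """
    src = normalize_source(source)
    perm = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
    if src.startswith("sg-"):
        perm["UserIdGroupPairs"] = [{"GroupId": src}]
    elif ":" in src:
        perm["Ipv6Ranges"] = [{"CidrIpv6": src}]
    else:
        perm["IpRanges"] = [{"CidrIp": src}]
    return perm


if __name__ == "__main__":
    # The value from the question: a bare public address the console rejects.
    print(normalize_source("52.63.198.234"))                  # 52.63.198.234/32
    # The recommended form: reference the bastion's group (constructed placeholder ID).
    print(ssh_ingress_permission("sg-0123456789abcdef0"))
    # The mistake the docs warn about.
    print(is_open_to_world("0.0.0.0/0"))                       # True
```

Feeding the result of `ssh_ingress_permission` to the CLI as `--ip-permissions '<json>'` on the Private-SG gives the rule the answer describes; nothing here contacts AWS, so it can run as a pre-commit or CI check over infrastructure definitions.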