
I have a Load Balancer and Auto-Scaling Group. The Load Balancer sends traffic to my Auto-Scaling Group. I have two instances: Instance 7000 (which is listening on port 7000 and is part of the auto-scaling group and gets its traffic from the load balancer) and Instance 8545 (which is listening on port 8545 and is simply a single instance that is not part of the Load Balancer or the Auto-Scaling Group).

I have a load balancer security group ("LB-SG") and a security group for Instance 8545 ("App-SG"). I want Instance 8545 to only allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group. So I included "LB-SG" as an inbound rule for "App-SG" on port 8545 but it is not working. However, if I simply include the IP address for Instance 7000 on port 8545 as an inbound rule in "LB-SG" it works perfectly. But that doesn't solve my issue because if more instances get added by the Auto-Scaling Group or IP address changes then it won't work.

Edit: reworded for clarity

connorvo

2 Answers


Your requirements are a little unclear, but here is the general use-case...

If you wish an instance to accept traffic from a Load Balancer, then:

  • Create a Security Group for your Load Balancer ("LB-SG")
  • Create a Security Group for your instances ("App-SG")
  • In App-SG, permit inbound traffic on the desired port from LB-SG

That is, the App-SG rule specifically references LB-SG by its unique name (sg-abcd1234).

Result: Every instance associated with App-SG will permit inbound traffic that is coming from the Load Balancer.

Similarly, if you want a specific instance (Instance-A) to accept traffic from another instance (Instance-B), create a different security group for each instance and add a rule to the Instance-A security group to permit inbound traffic on a given port from the Instance-B security group.

There is no need to use IP addresses.

John Rotenstein
  • So this is what I was trying and it wasn't working and that is why I am confused. I am doing that exact thing for two other instances and it works perfectly but permitting traffic from the load balancer to my "App-SG" is not working – connorvo Mar 12 '18 at 05:17
  • I have a load balancer that directs people to my target group which is listening on port 7000 (which is where my front-end is). I am using Ethereum for the back end so I have that on port 8545 and need to connect to that as well. So now I have two instances Instance 7000 (for port 7000) and Instance 8545 (port 8545). I have a load balancer security group ("LB-SG") and a Security Group ("App-SG") for Instance 8545. Instance 7000 has "LB-SG" and Instance 8545 has "App-SG" which allows "LB-SG". Not working for Instance 8545 but is working for Instance 7000. – connorvo Mar 12 '18 at 05:23
  • The LB-SG is only for the load balancer, it should not be associated with an instance. When people connect to the load balancer, it will send traffic to a target group. How do you want the load balancer to know whether to send them to port 7000 or port 8545? Or does the Load Balancer only use 7000 and you want to allow direct access on 8545? Your configuration is still very confusing. Feel free to Edit your question to explain it more clearly. – John Rotenstein Mar 12 '18 at 06:59
  • Completely reworded. Should make sense now. Your answer helped me word it much better – connorvo Mar 12 '18 at 17:37
  • I understand how to use this solution and perhaps why AWS decided to do it this way. It works, but every time I need to use it, I still have trouble understanding the logic behind it. It's hard to comprehend "how" this works. – Tuaris Jun 29 '22 at 07:20
  • @Tuaris Think of it as a security fence around each resource individually. The security group determines what can come in, and what can come out. It can also be smart like "Allow traffic from _that_ security group to come into _this_ security group". – John Rotenstein Jun 29 '22 at 07:35
  • Hey! New to AWS here... is this a safe way of authenticating micro services in a private VPC subnet as well? Did some research and it looks like JWTs or SSL handshakes are the typical ways of doing this but this seems like it should be safe – Jack Dec 30 '22 at 17:14

2nd attempt...

You should create three security groups:

  • LB-SG for the Load Balancer
    • Allow inbound 80/443
  • App-SG for the instances in the Auto Scaling group
    • Allow inbound 7000 from LB-SG
  • Extra-SG for the 8545 instance (I didn't know what to call it!)
    • Allow inbound 8545 from App-SG

Once again, there is no need to reference specific IP addresses.

Side-note: You said "allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group" -- instances are in the Auto Scaling group, but there are no instances in the Load Balancer. Therefore, I have assumed that the 8545 instance only receives traffic from the App-SG (7000) instances.

Update: Make sure the instances are communicating via Private IP addresses.

John Rotenstein
  • Your assumption is correct, I want Instance 8545 to only receive from App-SG. The problem is, my setup has been exactly like what you described the whole time but it isn't working for Instance 8545. It won't allow traffic from App-SG, but if I directly add the IP of the Instance 7000 (which uses App-SG), then it works. – connorvo Mar 12 '18 at 23:31
  • I think it has to be something to do with the load balancer because if I allow traffic from anywhere (or just put in the IP address) it works. Using security groups to allow inbound traffic from load balancer is not working – connorvo Mar 13 '18 at 17:57
  • I'm confused. Do you want the load balancer to send to the Auto Scaling group instances on 7000 _AND_ to the extra instance on 8545? Are they serving the same traffic? – John Rotenstein Mar 13 '18 at 20:17
  • No, you are correct in your initial thinking. The load balancer should only be balancing for instances on 7000 because that is the only port that will ever have multiple instances (because they are part of the auto-scaling group). The Instance on port 8545 will only ever be one instance (no scaling or load balancing). I just need the instances that are created as part of the auto-scaling group (which are all on port 7000) to be able to connect to the one single instance on port 8545. – connorvo Mar 13 '18 at 20:32
  • Then the above is correct -- a SG on the 8545 instance allowing incoming traffic on port 8545 from App-SG. Make sure you haven't changed the Outbound SG settings on App-SG. If the extra instance has only a private IP address (no public IP address), then feel free to open it from anywhere, since it will only accept local traffic from within the VPC. – John Rotenstein Mar 13 '18 at 21:52
  • I need to keep the security as tight as possible on Instance 8545 but the above is exactly what I have had and it is not working (hence why I am on stack overflow). And outbound connections are correct – connorvo Mar 13 '18 at 22:26
  • So you're saying that the three SGs in the above answer work OK as long as the Extra-SG accepts 8545 from 0.0.0.0/0 instead of App-SG? And all other ports are denied by default? For testing purposes, what if you entered the IP addresses of the existing Auto Scaling EC2 instances as the Source for Extra-SG, instead of App-SG? Does that work? – John Rotenstein Mar 13 '18 at 23:58
  • Yes, if Extra-SG accepts 8545 from 0.0.0.0/0 it works. Yes, adding the IP addresses of existing Auto Scaling EC2 also works. – connorvo Mar 14 '18 at 02:20
  • Also, if it helps any, I am accessing Instance 8545 from Instance 7000 in the code with http://INSTANCE8545IP:8545 – connorvo Mar 14 '18 at 19:39
  • In that case, using the `sg-xxxx` of App-SG should work just fine. Make sure you are accessing instance8545 via its private IP address, not a public IP address. – John Rotenstein Mar 15 '18 at 05:17
  • Using private IP fixed it. Why must you use private IP? – connorvo Mar 16 '18 at 19:56
  • Glad to hear it! Sorry I didn't think of this earlier to save you some trouble. When a Security Group refers to another Security Group, it uses the Private addresses of the instances. This works even in Private subnets where instances do not have Public IP addresses. It is also best for traffic between instances in the same VPC to use Private IP addresses so that traffic goes directly to the target instance. If instances communicate via Public IP address, then the traffic goes *out* of the VPC, out to the 'edge' of the Internet, then back *into* the VPC. – John Rotenstein Mar 16 '18 at 20:30
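As an added example (not code from the thread), a small Python model of how a security-group rule that references another security group is evaluated, using the three-SG layout from the answer above. The instance names, `sg-` ids and IP addresses are constructed; the model shows why the App-SG reference matches only when an Auto Scaling instance dials Instance 8545's private address, and why a newly scaled instance needs no rule change.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Instance:
    name: str
    private_ip: str
    groups: frozenset   # security-group ids attached to the instance's ENI
    public_ip: str = "" # empty when the instance has no public address

@dataclass
class Rule:
    port: int
    source: str         # an "sg-..." id or a CIDR such as "0.0.0.0/0"

# Constructed three-SG layout from the answer; ids and addresses are made up.
SG_RULES = {
    "sg-lb":    [Rule(80, "0.0.0.0/0"), Rule(443, "0.0.0.0/0")],
    "sg-app":   [Rule(7000, "sg-lb")],
    "sg-extra": [Rule(8545, "sg-app")],
}
HOSTS = {h.name: h for h in [
    Instance("lb-node", "10.0.0.20", frozenset({"sg-lb"})),
    Instance("app-1", "10.0.1.10", frozenset({"sg-app"}), "203.0.113.10"),
    Instance("app-2", "10.0.1.11", frozenset({"sg-app"}), "203.0.113.11"),
    Instance("extra", "10.0.2.5", frozenset({"sg-extra"}), "203.0.113.50"),
    Instance("stray", "10.0.3.9", frozenset()),
]}

def _source_allowed(rule: Rule, src_ip: str) -> bool:
    if rule.source.startswith("sg-"):
        # An SG reference matches the *private* address of every ENI that
        # currently carries that group, so it follows Auto Scaling changes.
        return any(rule.source in h.groups and h.private_ip == src_ip
                   for h in HOSTS.values())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def inbound_allowed(dst: Instance, src_ip: str, port: int) -> bool:
    return any(r.port == port and _source_allowed(r, src_ip)
               for g in dst.groups for r in SG_RULES.get(g, []))

def can_connect(src: str, dst: str, port: int, via: str = "private") -> bool:
    # Does src reach dst:port when dialling dst's private or public address?
    s, d = HOSTS[src], HOSTS[dst]
    if via == "private":
        seen_from = s.private_ip      # traffic stays inside the VPC
    else:
        if not (s.public_ip and d.public_ip):
            return False
        seen_from = s.public_ip       # hairpins via the Internet gateway, NATed
    return inbound_allowed(d, seen_from, port)
```

Dialling `http://INSTANCE8545IP:8545` with the private address therefore succeeds for every current App-SG member, while the public address arrives from a NATed source that no `sg-` reference can match.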