My application has an ELB, NGINX and ECS in the web component layer, and I am grouping all of them into one security group; there is internal communication between the ELB, NGINX and ECS. I wanted to create self-referential port rules for the communication between these three. Do I have to write a self ingress rule or a self egress rule for this communication? Is the internal communication between these three inbound or outbound?

user10146200

4 Answers

The default Outbound security group rules permit all traffic, so never change them unless you have a specific network requirement (such as enforcing additional restrictions to meet compliance requirements).

You can configure a Security Group to permit Inbound connections from itself (that is, the security group has its own ID as the Source of the inbound connection). This would enable any Amazon EC2 instance that is associated with the security group to communicate with any other Amazon EC2 instance that is associated with the same security group (on the given port).

The important thing to note is that security groups are enforced at the instance level rather than traditional firewalls that work at the network level. Thus, there is no concept of multiple instances being "inside a security group". Rather, the security group is applied against traffic as it goes into each instance. Thus, the need to allow incoming connections from 'itself'.

John Rotenstein
A security group can be made to allow traffic from itself; however, the SecurityGroup resource and its ingress rule need to be separated to avoid a circular dependency. For example:

ConsumerSG:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    VpcId: !ImportValue EnvVpc
    GroupDescription: !Sub 'Security group which grants access to consuming apps'


ConsumerSGIngress:
  Type: 'AWS::EC2::SecurityGroupIngress'
  DependsOn: ConsumerSG
  Properties:
    GroupId: !Ref ConsumerSG
    IpProtocol: tcp
    FromPort: '5000'
    ToPort: '5000'
    SourceSecurityGroupId: !Ref ConsumerSG

This creates a security group which allows access from itself on port 5000.

Philip C
To allow multiple ports in this scenario:

    ESSecurityGroupIngressREST:
      Type: AWS::EC2::SecurityGroupIngress
      DependsOn: ConsumerSG
      Properties:
        GroupId: !Ref ConsumerSG
        IpProtocol: tcp
        FromPort: 9200
        ToPort: 9200
        SourceSecurityGroupId: !Ref ConsumerSG

    ESSecurityGroupIngressNode:
      Type: AWS::EC2::SecurityGroupIngress
      DependsOn: ConsumerSG
      Properties:
        GroupId: !Ref ConsumerSG
        IpProtocol: tcp
        FromPort: 9300
        ToPort: 9300
        SourceSecurityGroupId: !Ref ConsumerSG

– Jenson Jan 27 '21 at 21:15
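As an added example (not code from Philip C's answer, Jenson's comment, or any AWS tool), a small Python lint that takes a CloudFormation template already loaded as a dict (JSON form, where `!Ref X` appears as `{"Ref": "X"}`) and separates valid standalone self-referencing ingress rules from the inline form that produces the circular dependency described above. The template, its resource names and the `find_self_references` helper are constructed for illustration.

```python
# Hypothetical lint helper (added example, not code from any answer): lists valid
# standalone self-referencing ingress rules and flags the inline form that
# CloudFormation rejects as a circular dependency.
SG = "AWS::EC2::SecurityGroup"
SG_INGRESS = "AWS::EC2::SecurityGroupIngress"


def _ref(value):
    """Logical ID behind a {"Ref": ...} node (JSON form of !Ref), else None."""
    return value.get("Ref") if isinstance(value, dict) else None


def find_self_references(template):
    """Return (ok, problems): ok = (ingress_id, group_id, from_port, to_port) for
    standalone rules whose GroupId and SourceSecurityGroupId Ref the same group;
    problems = (group_id, rule_index) for inline rules that Ref their own group."""
    ok, problems = [], []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == SG:
            # Inline rules are resolved while the group is still being created,
            # so a Ref back to the group itself cannot be satisfied.
            for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
                if _ref(rule.get("SourceSecurityGroupId")) == logical_id:
                    problems.append((logical_id, i))
        elif res.get("Type") == SG_INGRESS:
            group = _ref(props.get("GroupId"))
            if group and group == _ref(props.get("SourceSecurityGroupId")):
                ok.append((logical_id, group, int(props["FromPort"]), int(props["ToPort"])))
    return ok, problems


# Constructed template: the separated pattern from the answer, an unrelated
# cross-group rule, and the inline self-reference the answer warns about.
CONSTRUCTED_TEMPLATE = {"Resources": {
    "ConsumerSG": {"Type": SG, "Properties": {"GroupDescription": "consuming apps"}},
    "ConsumerSGIngress": {"Type": SG_INGRESS, "Properties": {
        "GroupId": {"Ref": "ConsumerSG"}, "IpProtocol": "tcp",
        "FromPort": "5000", "ToPort": "5000",
        "SourceSecurityGroupId": {"Ref": "ConsumerSG"}}},
    "WebSG": {"Type": SG, "Properties": {"GroupDescription": "web tier"}},
    "WebToConsumer": {"Type": SG_INGRESS, "Properties": {
        "GroupId": {"Ref": "ConsumerSG"}, "IpProtocol": "tcp", "FromPort": 80,
        "ToPort": 80, "SourceSecurityGroupId": {"Ref": "WebSG"}}},
    "BadSG": {"Type": SG, "Properties": {"GroupDescription": "inline self-ref",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "SourceSecurityGroupId": {"Ref": "BadSG"}}]}},
}}
```

Running `find_self_references(CONSTRUCTED_TEMPLATE)` reports the `ConsumerSGIngress` rule as a valid self-reference on port 5000 and flags rule 0 of `BadSG`; the cross-group `WebToConsumer` rule is left alone.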
Sure, you will need an ingress rule with the port that the app is listening on.

By default, egress is allow-all for a security group, and security groups are stateful, so you don't need an ingress rule for the return traffic of outgoing connections.

Dominic Nguyen
A quick additional piece of info, after debugging some "unreachable" instances in the same security group. Thanks to AWS's very nice ReachabilityAnalyzer, we found that by putting instance A as the source and the public IP address of instance B as the destination (both in the same security group with a self-referencing inbound rule), the instance was "unreachable", with this clear and helpful error message:

IGW_NAT_REFLECTION: NAT reflection is not supported. Without NAT reflection, traffic originating in a VPC and destined for the public IP address of a resource in the same VPC can't be redirected back to the VPC.

In hindsight, of course, it makes sense. Sure enough, ssh-ing to the private IP address worked instantly.

Thank goodness for the reachability analyzer.

Pierre D