in AWS by (19.1k points)

My understanding of AWS Security Groups is that it is essentially a whitelist.

Everything is blocked unless explicitly allowed.

Let's say hypothetically that I have some EC2 instances set up with autoscaling.

In the context of autoscaling, I won't necessarily know what those future IPs will be.

Say I have a set of EC2 instances that are used for databases like MySQL or MongoDB.

I want to only allow my application servers to be able to access my database servers.

Is there a way to create a tag for an EC2 instance and per the security group, allow any EC2 instance with a certain tag?

How is this usually done in the real world?

1 Answer

by (44.4k points)

You can use security groups as classifiers, so use the group's ID for the "source" field.

For instance:

  • Consider having a cluster of web servers that belong to a 'web' security group (sg-12345)
  • Consider having a cluster of database servers that belong to a 'db' security group (sg-23456)
  • You can allow port 3306 from your 'db' security group to sg-12345. As new instances are created in the 'web' security group, they will have access to 'db' on port 3306.
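The following is an added example, not code from the original question or answer, that models why a security-group reference works under autoscaling where a CIDR source would not. The group IDs sg-12345 and sg-23456 come from the answer; the instance names, private IPs, the third group sg-34567 and the rule set are constructed for the example. Security groups are default-deny, so a connection is admitted only when some inbound rule on a group attached to the destination matches; a rule whose source is another security group matches on the sender's group membership, so an instance launched later with an IP nobody predicted is admitted as soon as it carries sg-12345.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    security_groups: frozenset  # IDs of the groups attached to the instance's ENI


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    from_port: int
    to_port: int
    source_sg: Optional[str] = None    # source given as a security group (the answer's approach)
    source_cidr: Optional[str] = None  # source given as a CIDR block (needs known IPs)


# Constructed sample rule set. The equivalent real rule for the db group would be:
#   aws ec2 authorize-security-group-ingress --group-id sg-23456 \
#       --protocol tcp --port 3306 --source-group sg-12345
WEB_SG = "sg-12345"
DB_SG = "sg-23456"
BASTION_SG = "sg-34567"  # hypothetical third group, not in the original answer

RULES = {
    DB_SG: [IngressRule("tcp", 3306, 3306, source_sg=WEB_SG)],
    WEB_SG: [IngressRule("tcp", 443, 443, source_cidr="0.0.0.0/0")],
    BASTION_SG: [],
}


def rule_matches(rule: IngressRule, src: Instance, port: int, protocol: str) -> bool:
    """True if this single inbound rule admits a packet from src on port/protocol."""
    if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source_sg is not None:
        # Group reference: membership decides, the sender's IP is never consulted.
        return rule.source_sg in src.security_groups
    if rule.source_cidr is not None:
        return ipaddress.ip_address(src.private_ip) in ipaddress.ip_network(rule.source_cidr)
    return False


def ingress_allowed(dest: Instance, src: Instance, port: int,
                    protocol: str = "tcp", rules=RULES) -> bool:
    """Default-deny evaluation: any matching rule on any group attached to dest admits."""
    return any(
        rule_matches(rule, src, port, protocol)
        for sg in dest.security_groups
        for rule in rules.get(sg, [])
    )


# Constructed fleet. web2 is the autoscaled instance whose IP nobody knew in advance.
db1 = Instance("db1", "10.0.2.10", frozenset({DB_SG}))
web1 = Instance("web1", "10.0.1.10", frozenset({WEB_SG}))
web2 = Instance("web2", "10.0.1.237", frozenset({WEB_SG}))
bastion = Instance("bastion", "10.0.9.5", frozenset({BASTION_SG}))


if __name__ == "__main__":
    for src, dest, port in [(web1, db1, 3306), (web2, db1, 3306),
                            (bastion, db1, 3306), (web1, db1, 22), (bastion, web1, 443)]:
        verdict = "ALLOW" if ingress_allowed(dest, src, port) else "DENY"
        print(f"{src.name} -> {dest.name}:{port}  {verdict}")
```

One caveat worth knowing before relying on this in production: a security-group source only matches traffic that arrives from the referenced group's network interfaces on their private addresses inside the VPC (or across a peering connection that supports it). If an application server connects to the database through its public IP, the packet leaves via the internet gateway and the group reference will not match, so keep database connection strings on private DNS names or private IPs.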
