How do I use AWS security groups to whitelist only certain EC2 instances?

Question

My understanding of AWS Security Groups is that it is essentially a whitelist.

Everything is blocked unless explicitly allowed.

Let's say hypothetically that I have some EC2 instances setup with autoscaling.

In the context of autoscaling, I won't necessarily know what those future IP's will be.

Say I have a set of EC2 instances that are used for databases like mysql or MongoDB.

I want to only allow my application servers to be able to access my database servers.

Is there a way to create a tag for an EC2 instance and per the security group, allow any EC2 instance with a certain tag?

How is this usually done in the real world?

Answer 1

You can use security groups as classifiers, so use the groups “id” for the “source” field.

For instance:

• Consider having a cluster of web servers who belong to a ‘web’ security group (sg-12345)
• Consider having a cluster of database servers who belong to a 'db' security group (sg-23456)
• You can allow port 3306 from your “db” security group to sg-12345. Until new instances are created in the ‘web’ security group, they will have access to ‘db’ on port 3306.

Want more insights on AWS, Check out AWS Online Training!