Source security group isn't working as expected in AWS

Question

I have an EC2 node, node1 (security group SG1) which should be accessible from another EC2 node, node2 (security group SG2) on port 9200. Now, when I add an inbound rule in SG1 with port 9200 and specify SG2 as the source in the Custom IP section, I can't access node1 from node2. On the other hand, if I specify an inbound rule in SG1 with source as 0.0.0.0/0 or IP of node2, it works fine. What is wrong in my approach?

Answer 1

Are you attempting to connect to node1's public or private address? From the documentation:

When you specify a security group as the source or destination for a rule, the rule affects all instances related to the security group. For example, incoming traffic is allowed based on the private IP addresses of the instances that are related to the source security group.

I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup, actually. When you wire up the inbound rule so that a source is a security group, you must communicate through the source instance's private address.

Some things to be aware of:

• In EC2 Classic, private IP addresses can change on stop/start of an EC2 instance. If you are using EC2 classic you may wish to look into this discussion on Elastic DNS Names for an additional static addressing solution.
• If you set up your environment in VPC, private IP addresses are static. Security group membership of running instances can also be changed.

More links:

• https://forums.aws.amazon.com/message.jspa?messageID=373162
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html