Thursday, March 17, 2022

[SOLVED] Why does AWS Security group not allow inbound http traffic by sg-ID

Issue

I have an EC2 instance running an HTTP server in one security group (let's call it SG1) and a number of other EC2 instances in a second security group (SG2) which need to make requests to the first.

If I allow HTTP (TCP port 80) inbound traffic for 0.0.0.0/0, there is no problem.

If I replace that rule by specifying that inbound traffic is allowed from SG2, I can't access the server from anywhere (including the EC2 instances in SG2).

My ACL is permissive enough in either case (allowing all traffic) and regardless it doesn't change.

I should be able to allow inbound traffic by sgID as indicated by the following message that is displayed in the console when configuring SG1:

Determines the traffic that can reach your instance. Specify a single IP address, or an IP address range in CIDR notation (for example, 203.0.113.5/32). If connecting from behind a firewall, you'll need the IP address range used by the client computers. You can specify the name or ID of another security group in the same region. To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup.


Solution

The instances in SG2 need to access the instance in SG1 by using that instance's private IP address. That way the traffic stays inside the VPC and will remain associated with the instances in SG2, thus passing the Security Group rule. When you address the instance in SG1 using its public IP address the traffic leaves the VPC and goes out to the Internet and back, at which point the association with the security group SG2 is lost.



Answered By - Mark B
Answer Checked By - Marilyn (WPSolving Volunteer)
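An added model of the behaviour the answer describes (example code, not from the original post or from AWS). It evaluates ingress rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the group IDs, addresses and the VPC CIDR of 10.0.0.0/16 are constructed placeholders.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VPC range

# Constructed SG1 ingress rules (describe-security-groups IpPermissions shape).
SG1_OPEN_TO_WORLD = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
SG1_FROM_SG2 = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-2222"}]},
]


def source_as_seen_by_sg1(client_sgs, client_private_ip, client_public_ip, dest_ip):
    """Model what the destination's security group sees as the connection source.

    A destination inside the VPC keeps the traffic internal: the source is the
    client's private IP and its security-group membership is preserved.
    A public destination sends the traffic out through the Internet and back,
    so it arrives from the client's public IP with no SG association.
    """
    if ipaddress.ip_address(dest_ip) in VPC_CIDR:
        return client_private_ip, set(client_sgs)
    return client_public_ip, set()


def ingress_allowed(rules, src_ip, src_sgs, port, proto="tcp"):
    """Security groups are default-deny: allow only if some rule matches."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["IpProtocol"] not in (proto, "-1"):
            continue
        if r["IpProtocol"] != "-1" and not (r["FromPort"] <= port <= r["ToPort"]):
            continue
        if any(src in ipaddress.ip_network(x["CidrIp"]) for x in r["IpRanges"]):
            return True
        if any(p["GroupId"] in src_sgs for p in r["UserIdGroupPairs"]):
            return True
    return False


def check(rules, dest_ip):
    """Can an SG2 instance (constructed addresses) reach SG1 on port 80 at dest_ip?"""
    src_ip, src_sgs = source_as_seen_by_sg1(
        ["sg-2222"], "10.0.1.20", "198.51.100.7", dest_ip)
    return ingress_allowed(rules, src_ip, src_sgs, 80)
```

Running `check(SG1_FROM_SG2, "10.0.1.10")` reproduces the working case from the answer, while `check(SG1_FROM_SG2, "203.0.113.5")` reproduces the failure via the public address.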