AWS security group: include another security group as the source of a rule

From the doc: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules

Source or destination: The source (inbound rules) or destination (outbound rules) for the traffic. Specify one of these options:

(...)

Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group. You can specify one of the following security groups:

The current security group.

Has anyone tried it?

I created two boxes, BoxA and BoxB. I created a security group GroupA with an inbound rule whose source is GroupA itself on "All ports". If I try to telnet from BoxA to BoxB on port 9000, with BoxB running a SimpleHTTPServer on port 9000, I get nothing.

What could I be doing wrong?

Digestant answered 31/7, 2017 at 13:10 Comment(1)
The URL changed. docs.aws.amazon.com/AWSEC2/latest/UserGuide/… - Amby

I was confused about what exactly it means to add another security group as the Source (inbound rules) or Destination (outbound rules) when adding a new rule. I found the explanation given below (source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) very useful.

"When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port. Incoming traffic is allowed based on the private IP addresses of the network interfaces that are associated with the source security group (and not the public IP or Elastic IP addresses). Adding a security group as a source does not add rules from the source security group."

Shick answered 11/9, 2019 at 16:56 Comment(1)
For those who want an updated link to the documentation relevant to this topic (the original link no longer contains that detailed explanation): docs.aws.amazon.com/vpc/latest/userguide/… - Autocatalysis

I found my answer: Can't communicate between two ec2 instances in the same security group via public ip address?

You need to use the private IP or whitelist the public IPs. I wish this were described in the documentation.

Digestant answered 31/7, 2017 at 13:13 Comment(1)
It is described in the documentation: docs.aws.amazon.com/AWSEC2/latest/UserGuide/… "When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses)" - Defamatory

I also ran into this issue and found that adding public IPs to another security group and then selecting that security group as the source did not work.

I found a workaround: you can attach multiple security groups to an EC2 instance, and that worked for me.

Everson answered 24/2, 2021 at 14:12 Comment(0)
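The rule semantics quoted in the two answers above, together with the two workarounds in the thread (whitelist the public IPs, or attach a second security group to the instance), as an added example that is not code from any of the posts or from AWS. It models the inbound evaluation offline on constructed data laid out the way boto3's describe_security_groups() and describe_network_interfaces() return it; every security-group ID, ENI ID and address below is made up. It also shows why Everson's first attempt fails: a group used as a source contributes only the private IPs of the interfaces attached to it, never the CIDRs in its own rules.

```python
"""Offline model of how EC2 evaluates an inbound security-group rule whose
source is another security group.  Added example for this thread, not code
from the original posts or from AWS; the data below is constructed in the
shape boto3's describe_security_groups() / describe_network_interfaces()
return, and every ID and address in it is made up."""
import ipaddress

# GroupA (sg-0aaa) allows all traffic from itself, plus tcp/9000 from a second
# group that only holds a CIDR allowlist (the "public IPs in another group"
# attempt from the thread).  sg-0bbb allows tcp/9000 from 203.0.113.0/24.
SECURITY_GROUPS = {
    "sg-0aaa": {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]},
    ]},
    "sg-0bbb": {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
    ]},
}

# Constructed ENIs: BoxA and BoxB each have one interface in GroupA, with a
# private and a public address; nothing at all is attached to sg-0bbb.
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0a", "Groups": [{"GroupId": "sg-0aaa"}],
     "PrivateIpAddress": "10.0.1.10", "Association": {"PublicIp": "198.51.100.10"}},
    {"NetworkInterfaceId": "eni-0b", "Groups": [{"GroupId": "sg-0aaa"}],
     "PrivateIpAddress": "10.0.1.20", "Association": {"PublicIp": "198.51.100.20"}},
]


def private_ips_in_group(group_id, enis=NETWORK_INTERFACES):
    """Private addresses of every ENI associated with group_id.  A rule that
    names group_id as its source can only ever match this set: not the
    members' public/Elastic IPs, and not the CIDRs in group_id's own rules."""
    return {e["PrivateIpAddress"] for e in enis
            if any(g["GroupId"] == group_id for g in e["Groups"])}


def _port_matches(perm, proto, port):
    if perm["IpProtocol"] == "-1":          # "All traffic"
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def inbound_allowed(dst_group_ids, src_ip, proto, port,
                    sgs=SECURITY_GROUPS, enis=NETWORK_INTERFACES):
    """Return the first rule that admits a packet from src_ip to an instance
    carrying dst_group_ids on proto/port, or None if no rule matches.
    Security groups are allow-only and an instance's groups are unioned,
    so the first hit in any attached group is enough."""
    src = ipaddress.ip_address(src_ip)
    for gid in dst_group_ids:
        for perm in sgs[gid]["IpPermissions"]:
            if not _port_matches(perm, proto, port):
                continue
            for r in perm["IpRanges"]:
                if src in ipaddress.ip_network(r["CidrIp"]):
                    return f"{gid}: cidr {r['CidrIp']}"
            for pair in perm["UserIdGroupPairs"]:
                if src_ip in private_ips_in_group(pair["GroupId"], enis):
                    return f"{gid}: source group {pair['GroupId']}"
    return None


if __name__ == "__main__":
    # BoxA -> BoxB on the private address: matched by GroupA's self-reference.
    print(inbound_allowed(["sg-0aaa"], "10.0.1.10", "tcp", 9000))
    # BoxA -> BoxB's public address: the packet leaves through the internet
    # gateway and arrives with BoxA's public IP as source, which is not in
    # GroupA's private-IP set, so the same rule misses (the question's case).
    print(inbound_allowed(["sg-0aaa"], "198.51.100.10", "tcp", 9000))
    # Referencing sg-0bbb does not import its CIDR rule: nothing is attached
    # to sg-0bbb, so the reference matches no addresses at all.
    print(inbound_allowed(["sg-0aaa"], "203.0.113.50", "tcp", 9000))
    # Attaching sg-0bbb to BoxB itself is what makes the CIDR rule apply.
    print(inbound_allowed(["sg-0aaa", "sg-0bbb"], "203.0.113.50", "tcp", 9000))
```

To run the same check against a real account, replace the two constructed tables with the `SecurityGroups` and `NetworkInterfaces` lists from the boto3 calls named above; the evaluator only reads the fields shown.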
