
In EC2-Classic you were able to reference another account's security group in your security group to limit ingress to an instance or ELB to members of that other account's security group.

I'd like to replicate this in a VPC-only region (Sydney) where I have an internet-facing ELB in a VPC that I need to restrict to only certain instances of another account. I won't know their IP addresses ahead of time.

Is this achievable?

Thomas James

2 Answers

Not possible.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html#differences

The most likely explanation for the different behavior seems like it would be the networking model of VPC and the way it differs from EC2-Classic.

Michael - sqlbot

Use a security group reference. In the security group for the ELB, put the ID of the security group you wish to allow in the source for your ingress rule.

Should be like sg-1tbkqraoed

  • Will this work if the SG does not belong to the same account? – Thomas James Mar 12 '15 at 05:08
  • Give it a go, see what happens. I do this with CloudFormation but I'm not sure how to do it by the UI, you may need to use the AWS CLI. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-sourcesecuritygroupownerid – David Mann Mar 12 '15 at 05:33
  • http://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html Try that page, should give you info on how to achieve it. – David Mann Mar 12 '15 at 05:35
  • David, asking the question was to avoid wasting an hour waiting for stuff to spin up, hoping that someone has already tried it and can provide their wisdom to me, also then further documenting if it is possible and how or how to achieve the same result. According to your link it's not possible. > gives one or more other security groups (called the source groups ) permission to access a security group for your VPC. The security groups must all be for the same VPC. – Thomas James Mar 12 '15 at 06:16
  • This SO post may help: http://stackoverflow.com/questions/12465978/can-aws-security-groups-on-one-aws-account-reference-security-groups-in-another – ptierno Mar 12 '15 at 22:39
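Added example, not part of this thread: a small audit over the `IpPermissions` structure that `aws ec2 describe-security-groups` returns for the ELB's security group, checking the property the question asks for (ingress only via security-group references, no open CIDR sources) and flagging any reference whose `UserId` is another account. The group, account IDs and rules below are constructed sample data, not real values.

```python
"""Audit an ELB security group's ingress rules (describe-security-groups
IpPermissions shape) for the restriction discussed in the thread."""

OWN_ACCOUNT = "111111111111"  # constructed: account that owns the ELB's group

# Constructed sample: one rule referencing a group owned by another account,
# one rule open to the world. Field names match describe-security-groups output.
SAMPLE_GROUP = {
    "GroupId": "sg-0elbexample",
    "OwnerId": OWN_ACCOUNT,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [],
         "UserIdGroupPairs": [{"UserId": "222222222222", "GroupId": "sg-1tbkqraoed"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ],
}


def audit_ingress(group):
    """Return one finding per CIDR-based rule and per security-group reference
    that points at a group owned by a different account than the group itself."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = f'{perm.get("IpProtocol")}/{perm.get("FromPort")}-{perm.get("ToPort")}'
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            tag = "OPEN-TO-WORLD" if cidr == "0.0.0.0/0" else "CIDR"
            findings.append(f"{tag} {ports} from {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            owner = pair.get("UserId", group["OwnerId"])
            if owner != group["OwnerId"]:
                findings.append(f"CROSS-ACCOUNT-REF {ports} from {pair['GroupId']} (account {owner})")
    return findings


def is_restricted_to_groups(group):
    """True when every ingress rule is a security-group reference (no CIDR sources)."""
    return all(not perm.get("IpRanges") and not perm.get("Ipv6Ranges")
               for perm in group.get("IpPermissions", []))


if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_GROUP):
        print(line)
    print("restricted to group references:", is_restricted_to_groups(SAMPLE_GROUP))
```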