We have the following setup on AWS: 8 Elastic Beanstalk environments (4 QA, 4 PROD) read and write data. Typically, 1 environment (the API) always reads data from DynamoDB and RDS and 1 environment (the Jobs Server for the Data Gatherer) typically writes data.
In order to improve performance, we have created a memcached server that can be accessed by the application logic. Typically, the above mentioned API server tries to read from the cache (and adds, if it couldn't find the item), whereas the Jobs Server invalidates cache items, in order to force the API to read them from the database.
So far, so good, everything works fine. The main problem now is the security settings. memcached requires port 11211 to be open, and the whole world can telnet to it and read our cache contents.
I first set the security group of the memcached server to allow only incoming connections from our VPN servers, so that our development machines can access it. Works fine, just 3 CIDRs. Then I tried to add the security groups of the Elastic Beanstalk environments to do the same. This does not seem to work. I cannot access the memcached server from the Elastic Beanstalk servers. What I basically did on the CLI:
aws ec2 authorize-security-group-ingress --group-name security-group-of-memcached-server --protocol tcp --port 11211 --source-group xxx-rds-associations --group-owner 517999993
where xxx-rds-associations is a security group of the Elastic Beanstalk environment and its instances. In order to rule out a stupid application configuration issue, I also RDP'd into the server and tried to access the memcached server with telnet. Did not work either.
Is there a basic misunderstanding on my side? Does adding a security group as the source not allow servers that carry this group to access the target server? Or did I simply miss something?
I welcome any input. Best regards Marco
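The following is an added example, not part of the original question and not the poster's own command. It shows the VPC form of a security-group-to-security-group rule for memcached and the two checks a practitioner would run before concluding the rule is broken. Two caveats it bakes in: in a non-default VPC the AWS CLI wants group IDs (`--group-id` for the target, and the source group as a `GroupId` inside `--ip-permissions`; `--group-owner` is only meaningful for EC2-Classic source groups), and a rule whose source is a security group only matches traffic arriving from the private addresses of ENIs that carry that group, so the client must connect to the cache host's private IP or private DNS name, not its public address. All identifiers (`sg-0cache0000000000`, `sg-0ebapp00000000000`, `10.0.1.25`) are hypothetical placeholders; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the original post): allow tcp/11211 on the memcached
# instance's security group from members of the Elastic Beanstalk instance
# security group, then verify the rule and the network path.
# The sg-/IP values below are assumed placeholders, not real identifiers.

CACHE_SG="${CACHE_SG:-sg-0cache0000000000}"   # SG attached to the memcached instance (assumed)
EB_SG="${EB_SG:-sg-0ebapp00000000000}"        # SG attached to the EB EC2 instances (assumed)
CACHE_HOST="${CACHE_HOST:-10.0.1.25}"         # PRIVATE address of the cache host (assumed)
AWS="${AWS:-aws}"                             # set AWS='echo aws' for a dry run

# Build the --ip-permissions JSON for a rule whose source is another security group.
# Usage: ip_permissions <source-sg-id> <port>
ip_permissions() {
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' \
    "$2" "$2" "$1"
}

# Add the rule by group ID (the form a non-default VPC requires). A second run
# fails with InvalidPermission.Duplicate, which is harmless.
authorize_from_group() {
  $AWS ec2 authorize-security-group-ingress \
    --group-id "$CACHE_SG" \
    --ip-permissions "$(ip_permissions "$EB_SG" 11211)"
}

# Show what the cache SG actually allows on 11211; expect EB_SG under UserIdGroupPairs.
show_rule() {
  $AWS ec2 describe-security-groups --group-ids "$CACHE_SG" \
    --query "SecurityGroups[0].IpPermissions[?FromPort==\`11211\`]" --output json
}

# Run this ON an EB instance: the rule only matches traffic from ENIs that carry
# EB_SG, so confirm the instance really has that group (instance metadata service).
instance_groups() {
  curl -s http://169.254.169.254/latest/meta-data/security-groups
}

# TCP reachability check without telnet. Must target the private IP: connecting
# to the public IP leaves the VPC via the IGW and the SG-to-SG rule will not match.
# Usage: check_port <host> <port>; returns 0 if the connection opens.
check_port() {
  nc -z -w 3 "$1" "$2"
}

# Only act when invoked explicitly as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  authorize_from_group
  show_rule
  echo "groups on this instance: $(instance_groups)"
  if check_port "$CACHE_HOST" 11211; then
    echo "memcached reachable at $CACHE_HOST:11211"
  else
    echo "memcached NOT reachable at $CACHE_HOST:11211" >&2
  fi
fi
```

Once the rule is in place and the private address is reachable from the EB instance, the earlier CIDR rule for the VPN hosts can stay; the two rules are independent. If `instance_groups` does not list the group you referenced as the source, the rule is correct but attached to the wrong group, which is the first thing to rule out.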