
I have the following setup on Amazon AWS:

  • An Auto-Scaling Group
  • An ELB
  • An RDS database
  • Everything is in the default VPC

The only thing about this setup that I don't quite understand yet relates to the security rules.

For the RDS instance, I want to:

  • allow port 3306 access only from the EC2 instances that are launched by the Auto-Scaling Group,
  • allow the same port 3306 access from my own IP.

I already have a SG set up for the latter that is working fine. However, I'm not sure how to go about the first point.

Various resources mention simply attaching the same SG the EC2 instances use to the RDS instance. But if, for example, the EC2 SG allows port 80 traffic for everyone, and if I use that same SG for the RDS instance, wouldn't that grant everyone port 80 access to the RDS instance as well?

So the question is: how do I create a SG that only allows the EC2 instances in the Auto-Scaling group access to the RDS' port 3306, and not everybody else?

Lastly, how do I create a SG for the EC2 instances that will only allow the ELB access?

I'd greatly prefer to use the AWS web UI for this. Thank you!

bobsoap

1 Answer


To restrict RDS access to only your Auto Scaling EC2 instances, and to allow access to your EC2 instances only from your ELB, you're going to use the same method: add a rule to your security group based on a source security group (rather than a source IP address CIDR).

Assuming your EC2 instance(s) security group is sg-123, you would do the following:

  1. In the AWS Management Console, edit your RDS security group incoming rules.
  2. Add an incoming rule for port 3306. For the "source" field, where you would normally put an IP CIDR, instead put your EC2 instance's security group ID, eg. sg-123.
  3. Save your changes.

This will permit incoming traffic to your RDS instance from any EC2 instance that has that security group attached.

You would do the same thing on your EC2 instance's security group for your ELB's security group. This will grant access to your EC2 instances from the ELB.

Matt Houser
  • Thank you! Until now, I had assumed that selecting a previous SG as source would simply pass through all the rules to the new one... but it seems it only acts as a reference instead. That fact isn't made very clear in Amazon's docs (or I was unable to find it). I also figured out that the Security Group UI in the VPC Console shows you a selection of the existing SGs, as opposed to the EC2 SG UI, which makes it easier. – bobsoap Feb 04 '16 at 07:14
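As an added example (not part of the question, the answer, or any AWS code), the following Python models how security-group ingress evaluation works, so the design from the answer can be checked offline before it is clicked into the console. It encodes the three groups the thread discusses (`sg-123` for the EC2 instances, plus an assumed `sg-elb` and `sg-rds`), constructed hosts with placeholder addresses, and an assumed admin IP of 203.0.113.10 standing in for "my own IP". It also shows the same rule in the `IpPermissions` shape that `aws ec2 authorize-security-group-ingress` and boto3 accept.

```python
"""Model of AWS security-group evaluation: a source-SG rule matches the
*sender's* attached groups; it never copies the referenced group's rules.
Added example; group IDs other than sg-123, hosts and IPs are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One TCP ingress rule with exactly one source: a CIDR or an SG ID."""
    port: int
    cidr: Optional[str] = None
    source_sg: Optional[str] = None


@dataclass(frozen=True)
class Host:
    ip: str
    sgs: FrozenSet[str] = frozenset()   # groups attached to this host


def allowed(groups: Dict[str, List[Rule]], src: Host, dst: Host, port: int) -> bool:
    """Security groups are allow-lists: traffic passes if any rule in any
    group attached to the destination matches the sender and the port."""
    for sg in dst.sgs:
        for rule in groups.get(sg, []):
            if rule.port != port:
                continue
            if rule.cidr and ip_address(src.ip) in ip_network(rule.cidr):
                return True
            if rule.source_sg and rule.source_sg in src.sgs:
                return True
    return False


def to_ip_permission(rule: Rule) -> dict:
    """The rule in the IpPermissions shape used by the EC2 API
    (authorize_security_group_ingress in boto3 / the AWS CLI)."""
    perm = {"IpProtocol": "tcp", "FromPort": rule.port, "ToPort": rule.port}
    if rule.cidr:
        perm["IpRanges"] = [{"CidrIp": rule.cidr}]
    if rule.source_sg:
        perm["UserIdGroupPairs"] = [{"GroupId": rule.source_sg}]
    return perm


ADMIN_IP = "203.0.113.10"   # assumed admin address ("my own IP")

GROUPS = {
    "sg-elb": [Rule(80, cidr="0.0.0.0/0")],          # assumed ELB group
    "sg-123": [Rule(80, source_sg="sg-elb")],        # EC2 group from the answer
    "sg-rds": [Rule(3306, source_sg="sg-123"),       # assumed RDS group
               Rule(3306, cidr=ADMIN_IP + "/32")],
}

# Constructed hosts; private addresses are placeholders for the default VPC.
INTERNET = Host("198.51.100.7")
ADMIN = Host(ADMIN_IP)
ELB = Host("10.0.0.10", frozenset({"sg-elb"}))
EC2 = Host("10.0.1.20", frozenset({"sg-123"}))        # launched by the ASG
RDS = Host("10.0.2.30", frozenset({"sg-rds"}))
RDS_SHARED = Host("10.0.2.30", frozenset({"sg-123"}))  # "just reuse the EC2 SG" variant


def evaluate() -> Dict[str, bool]:
    return {
        "ec2_to_rds_3306": allowed(GROUPS, EC2, RDS, 3306),
        "admin_to_rds_3306": allowed(GROUPS, ADMIN, RDS, 3306),
        "internet_to_rds_3306": allowed(GROUPS, INTERNET, RDS, 3306),
        "internet_to_rds_80": allowed(GROUPS, INTERNET, RDS, 80),
        "elb_to_ec2_80": allowed(GROUPS, ELB, EC2, 80),
        "internet_to_ec2_80": allowed(GROUPS, INTERNET, EC2, 80),
        # reusing sg-123 on RDS carries its port-80 rule over and, without a
        # self-referencing 3306 rule, grants the EC2 instances nothing
        "shared_elb_to_rds_80": allowed(GROUPS, ELB, RDS_SHARED, 80),
        "shared_ec2_to_rds_3306": allowed(GROUPS, EC2, RDS_SHARED, 3306),
    }


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:24s} {'ALLOW' if ok else 'deny'}")
    print(to_ip_permission(GROUPS["sg-rds"][0]))
```

The model confirms the point made in the comment above: referencing `sg-123` as a source in `sg-rds` only matches senders that have `sg-123` attached; the port-80 rule inside `sg-123` is not inherited by RDS. The `RDS_SHARED` case shows why the "attach the same SG to both" advice is fragile: it drags every EC2 rule onto the database, and it only permits 3306 at all if that group contains a rule whose source is the group itself. On the CLI the answer's step 2 is `aws ec2 authorize-security-group-ingress --group-id <rds-sg-id> --protocol tcp --port 3306 --source-group sg-123`.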