
If I have VPC1 with a security group (sg-aaaaaaaa) that allows SSH access from source 10.10.10.10/32, and I peer VPC1 with VPC2, which has a security group (sg-bbbbbbbb) that allows SSH access from source sg-aaaaaaaa (the SG from VPC1), and I then assign the SG (sg-bbbbbbbb) from VPC2 to an EC2 instance, should I be able to log in to that EC2 instance in VPC2 from 10.10.10.10?

I'm trying to recycle my SGs between a dev and prod VPC so I don't have to make changes in multiple places if I have to add/remove access for stuff like SSH. Is this possible? Or have I misunderstood the ability with VPC peering, because it's not working for me the way I have it set up.

veilig

1 Answer

No, that isn't what it means when you specify a security group as a source instead of an IP address. It's not inheritance or aggregation.

If you, for example, in sg-bbbbbbbb allow SSH from sg-aaaaaaaa, this means any instance that is a member of sg-aaaaaaaa can SSH into instances that are members of sg-bbbbbbbb. The rules in sg-aaaaaaaa are not propagated into sg-bbbbbbbb.

When you specify a security group as the source for a rule, this allows instances associated with the source security group to access instances in the security group. This does not add rules from the source security group to this security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#SecurityGroupRules

Michael - sqlbot
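As an added illustration of the answer above (this is example code, not part of the question, the answer, or AWS's own implementation), here is a small model of how security-group ingress rules are evaluated. The two group ids come from the question; the instance names and private IPs are constructed for the demo. It shows that a rule in sg-bbbbbbbb with source sg-aaaaaaaa admits only traffic from the private IPs of sg-aaaaaaaa's members, not traffic from the 10.10.10.10/32 source listed in sg-aaaaaaaa's own rules.

```python
# Added example: a toy evaluator for EC2 security-group ingress rules, showing
# that referencing sg-aaaaaaaa as a source in sg-bbbbbbbb does not import
# sg-aaaaaaaa's rules. Instance names and private IPs are constructed values.
from ipaddress import ip_address, ip_network

# Each rule is (port, source); source is either a CIDR string or a group id.
SECURITY_GROUPS = {
    "sg-aaaaaaaa": [(22, "10.10.10.10/32")],  # VPC1: SSH from one admin host
    "sg-bbbbbbbb": [(22, "sg-aaaaaaaa")],     # VPC2: SSH from members of sg-aaaaaaaa
}

# Instance name -> (private IP, set of group ids it is associated with).
INSTANCES = {
    "vpc1-bastion": ("10.0.1.5", {"sg-aaaaaaaa"}),
    "vpc2-app": ("10.1.2.9", {"sg-bbbbbbbb"}),
}


def members_private_ips(group_id):
    """Private IPs of every instance associated with group_id (peered VPCs included)."""
    return {ip for ip, groups in INSTANCES.values() if group_id in groups}


def rule_matches(source, src_ip, port, dst_port):
    """True if a single rule admits a connection from src_ip to dst_port."""
    if port != dst_port:
        return False
    if source.startswith("sg-"):
        # A group reference matches only traffic whose source is a member's
        # private IP; the referenced group's own rules are never consulted.
        return src_ip in members_private_ips(source)
    return ip_address(src_ip) in ip_network(source)


def ingress_allowed(src_ip, dst_instance, dst_port):
    """True if any rule in any group attached to dst_instance admits the connection."""
    _, groups = INSTANCES[dst_instance]
    return any(rule_matches(source, src_ip, port, dst_port)
               for g in groups for port, source in SECURITY_GROUPS[g])


if __name__ == "__main__":
    # The admin host reaches the VPC1 instance, but not the VPC2 instance:
    print(ingress_allowed("10.10.10.10", "vpc1-bastion", 22))  # True
    print(ingress_allowed("10.10.10.10", "vpc2-app", 22))      # False
    # A member of sg-aaaaaaaa does reach the VPC2 instance over the peering:
    print(ingress_allowed("10.0.1.5", "vpc2-app", 22))         # True
```

For 10.10.10.10 to reach the VPC2 instance directly, sg-bbbbbbbb itself would need a rule with that CIDR as its source.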