
Do inbound and outbound traffic rules apply to communication between processes inside an instance?

For example, my MongoDB instance is running on port 27017 while my Node.js app is listening on ports 80 and 443 on the same server. If I have only opened ports 80 and 443 in the outbound and inbound rules, without opening 27017 outbound/inbound to the public, would my Node.js app still be able to connect to the MongoDB instance?

I am trying to limit my MongoDB instance to local connections to prevent remote ssh connections through this method, if possible.

J. C
    Do you mean intra-process communication? Security groups do apply between instances, but not between processes on the same instance. – Tim May 15 '18 at 09:11

1 Answer


Short Answer: No, they don't.

Long Answer: Security Groups work at the virtual NIC level, which means they can control what comes "in" to the EC2 instance and what goes "out" of it. Security Groups have no control over communication between processes within an operating system.

Secure way of doing this:

  1. Create a new VPC
  2. Create a public subnet that would host your Node.js application
  3. Create a private subnet that would host your MongoDB database
  4. Attach a security group [say sg-app] to your EC2 instance hosting the Node.js application that allows Inbound and Outbound on ports 80 & 443 with the source and destination being 0.0.0.0/0
  5. Attach a security group [say sg-db] to your EC2 instance hosting the MongoDB database that allows Inbound and Outbound on port 27017 with the source and destination being sg-app [Yes, you can specify a security group as a source/destination in your security group rules]
Abishay Rao
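The two-tier layout from the answer above, written out as a Terraform configuration. This is an added example, not code from the original answer or from AWS; the resource names (`main`, `public`, `private`, `sg_app`, `sg_db`), the CIDR ranges and the use of standalone `aws_security_group_rule` resources are my choices. The key security-relevant line is the ingress rule on `sg_db`, whose source is the app's security group rather than a CIDR, so only instances carrying `sg_app` can reach port 27017 regardless of their IP address. Note that Terraform strips the allow-all egress rule AWS adds to a new VPC security group, so every outbound rule the app needs has to be stated explicitly, which is what makes the egress list a real allow-list.

```hcl
# Added example (not part of the original answer). Assumes an AWS provider
# is already configured; instances, AMIs and route tables are omitted.

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"   # assumed range
}

# Public subnet hosts the Node.js app (step 2 of the answer).
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Private subnet hosts MongoDB (step 3 of the answer).
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
}

# Security groups are created empty; rules live in aws_security_group_rule
# so that sg_app and sg_db can reference each other without a dependency cycle.
resource "aws_security_group" "sg_app" {
  name   = "sg-app"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "sg_db" {
  name   = "sg-db"
  vpc_id = aws_vpc.main.id
}

# sg-app: inbound 80/443 from anywhere (step 4).
resource "aws_security_group_rule" "app_in_http" {
  type              = "ingress"
  security_group_id = aws_security_group.sg_app.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "app_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.sg_app.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# sg-app: outbound 443 for package/API fetches (answer's step 4 allows 80 & 443 out).
resource "aws_security_group_rule" "app_out_https" {
  type              = "egress"
  security_group_id = aws_security_group.sg_app.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# sg-app: outbound 27017 only towards instances in sg-db.
# For an egress rule, source_security_group_id is the *destination* group.
resource "aws_security_group_rule" "app_out_mongo" {
  type                     = "egress"
  security_group_id        = aws_security_group.sg_app.id
  protocol                 = "tcp"
  from_port                = 27017
  to_port                  = 27017
  source_security_group_id = aws_security_group.sg_db.id
}

# sg-db: inbound 27017 only from instances in sg-app (step 5).
# No CIDR here: membership in sg-app is the credential, not an IP address.
resource "aws_security_group_rule" "db_in_mongo" {
  type                     = "ingress"
  security_group_id        = aws_security_group.sg_db.id
  protocol                 = "tcp"
  from_port                = 27017
  to_port                  = 27017
  source_security_group_id = aws_security_group.sg_app.id
}
```

Security groups are stateful, so the reply traffic for the 27017 connection is allowed without a matching egress rule on `sg_db`; the configuration above therefore gives the database group no egress at all. Two caveats for the original single-server setup in the question: none of these rules touch a connection from Node.js to MongoDB on the same host, since that traffic never crosses the virtual NIC, and the way to keep such a MongoDB reachable only locally is to bind it to the loopback address (`net.bindIp: 127.0.0.1` in `mongod.conf`) rather than to rely on a security group.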