I have a security group that contains all the IP ranges of my company and some ports it should be able to connect to, defined in its inbound rules.

I understand that you can use a security group id as a custom source in another security group, which works for connections coming from instances with that security group attached to it.

Does this also mean that the IP addresses specified in that security group work as well?

So if I want an RDS instance to accept connections from my company's IP range, I would just reference the security group, and not just the instances/lambdas tagged with that security group ID.

This would save the stress of having to list those IPs any time I need them whitelisted; instead, I would just reference the security group.

Is this possible?

Phil
  • A shortcut would be to use the subnet and internal IPs of your VPC. So when you add 172.34.0.0/16, it would accept all communications internally! – saviour123 Mar 27 '19 at 15:35
  • If there are public IPs, just add them manually, either one by one or with an IP block! – saviour123 Mar 27 '19 at 15:36
  • I'd like to have a security group that contains all these – Phil Mar 27 '19 at 15:38
  • The security group doesn't handle the IPs in the security group rules, but the instance it's attached to. This means that, when you add a sec group to RDS, it would accept communications from that server! You can also attach the same sec group to multiple servers! – saviour123 Mar 27 '19 at 15:40
  • I guess that answers my question. It would have been awesome if this was possible. Adding the IP block as suggested is pretty easy too, but having a way to define them somewhere (what looks like a security group), especially if you have external clients with public-facing IP addresses, would make it easy to grant them access to one or more of your resources by groups or whatsoever. – Phil Mar 27 '19 at 15:49
  • I think you can use "Managed Prefix Lists" in the VPC section in order to define the IP ranges of your company and reference those prefix lists in security groups. – Aydin K. Mar 23 '23 at 13:59

1 Answer

The use case you're describing is not possible. As stated in the AWS documentation,

Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group.

sudo
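To get the "define the ranges once, reference them everywhere" behaviour the question is after, here is an added Terraform example (not from the question, the answer or any commenter): the company ranges go into a customer-managed prefix list, which the RDS security group references, shown beside an SG-to-SG rule to make the difference in matching explicit. The variable names, the PostgreSQL port 5432 and the CIDRs are assumptions and placeholders.

```hcl
variable "rds_sg_id" {
  description = "Security group attached to the RDS instance (assumed to exist)"
  type        = string
}

variable "app_sg_id" {
  description = "Security group attached to the app instances/lambdas (assumed to exist)"
  type        = string
}

# Company ranges live in one place: a customer-managed prefix list.
resource "aws_ec2_managed_prefix_list" "company_ips" {
  name           = "company-office-ranges"
  address_family = "IPv4"
  max_entries    = 10

  entry {
    cidr        = "203.0.113.0/24" # placeholder (TEST-NET-3), replace with a real office range
    description = "HQ office egress"
  }
  entry {
    cidr        = "198.51.100.0/24" # placeholder (TEST-NET-2)
    description = "Branch office egress"
  }
}

# IP-based rule: matches on the source IP, so office clients get in.
resource "aws_security_group_rule" "rds_from_company" {
  type              = "ingress"
  from_port         = 5432 # assumed PostgreSQL; use your engine's port
  to_port           = 5432
  protocol          = "tcp"
  prefix_list_ids   = [aws_ec2_managed_prefix_list.company_ips.id]
  security_group_id = var.rds_sg_id
  description       = "DB port from company ranges via prefix list"
}

# SG-based rule: matches only traffic whose source ENI has app_sg_id attached.
# The CIDR rules defined inside app_sg_id are NOT inherited here.
resource "aws_security_group_rule" "rds_from_app_sg" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.app_sg_id
  security_group_id        = var.rds_sg_id
  description              = "DB port from instances/lambdas in the app SG"
}
```

Adding a new office range then means one new `entry` in the prefix list; every security group that references it picks the change up without being edited.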