
I have 2 security groups A1 and A2. There are some Ec2 instances belonging to A1 or A2 (not both).

Question: Only the EC2 instances belonging to A1 should be able to access instances belonging to A2.

i.e. if I try to log on from my desktop machine (which is not on AWS), I should not be able to connect in any way to a machine in group A2.

Is it possible to create such a rule in AWS security group (for A2) as an inbound rule?

Thanks

John Rotenstein
Priya Rajput

4 Answers

Short answer: yes

You can use the name/ID of security group A1 as the inbound rule source of group A2 (with the EC2-Classic & EC2-VPC limitations described in the docs).

For more information: Amazon Docs - Security Group Rules

Michal Gasek

For example, add an HTTP connection (or whatever connection type you would like), choose custom rule, enter the security group ID (such as sg-6a7dc12e), and save that rule. Then you do need to remove any rules that say "All IPs", or the allowed IP will override the block from everything but that security group.

For example, if your protocol was HTTPS, you would want to remove this rule, as it would still allow all other IPs to connect: HTTP, TCP, 80, 0.0.0.0/0

Damon Hogan
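As an added example, not taken from any of the answers above: a small Python check that runs over a constructed sample shaped like the output of describe-security-groups and confirms that A2 admits a port only via a reference to A1's group ID, flagging any leftover 0.0.0.0/0 rule on that same port, which is the cleanup the answer above calls for. The group IDs sg-1111aaaa (A1) and sg-2222bbbb (A2) are invented placeholders.

```python
"""Audit an A2-style security group: a port should be reachable only from
security group A1, with no CIDR rule that also opens it to the world."""
from typing import Dict, List

# Constructed sample shaped like describe_security_groups() output.
# A2 allows RDP from A1, but a leftover "anywhere" rule on the same port
# still exposes it. Group IDs are placeholders, not real resources.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-2222bbbb",
        "GroupName": "A2",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-1111aaaa"}]},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def _covers(rule: Dict, port: int) -> bool:
    """True if an ingress rule applies to TCP `port` ("-1" = all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))


def audit_port(group: Dict, port: int, allowed_sg: str) -> Dict[str, List[str]]:
    """Collect every source that can reach `port`: the expected security-group
    reference goes in 'sg_references', anything else in 'unexpected'."""
    findings: Dict[str, List[str]] = {"sg_references": [], "unexpected": []}
    for rule in group["IpPermissions"]:
        if not _covers(rule, port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            key = "sg_references" if pair["GroupId"] == allowed_sg else "unexpected"
            findings[key].append(pair["GroupId"])
        findings["unexpected"] += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        findings["unexpected"] += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return findings


def is_restricted_to(group: Dict, port: int, allowed_sg: str) -> bool:
    """True only when `port` is reachable solely through `allowed_sg`."""
    f = audit_port(group, port, allowed_sg)
    return bool(f["sg_references"]) and not f["unexpected"]


if __name__ == "__main__":
    a2 = SAMPLE_GROUPS[0]
    print(audit_port(a2, 3389, "sg-1111aaaa"))
    print("restricted to A1:", is_restricted_to(a2, 3389, "sg-1111aaaa"))
```

Against the sample, the audit reports the 0.0.0.0/0 rule as unexpected; once that rule is removed, `is_restricted_to` returns True for port 3389.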

You just need to modify your A2 security group to allow specific services, for example:

On your A2 SG you need to:

Allow the required port, e.g. 3389, to the IP address of the A1 instance (suppose the IP address is 192.168.0.10) only:

Type   Protocol   Port   Source IP
rdp    TCP        3389   192.168.0.10/32

In the same way you can open as many ports as required.

Yes, create a rule on security group A2 allowing particular traffic from security group A1 to A2. While you configure it, you can reference the A1 security group ID on security group A2.