I am trying to create a cluster of ElasticSearch servers on EC2. ElasticSearch uses a few defined ports to replicate and perform tasks like leader election. I want to create a security group in my CloudFormation template that locks down these ports such that only servers in this ElasticSearch server cluster can communicate with each other.
Is there a simple means by which I can identify a group of servers as a cluster and then assign port access to only those servers?
I may be missing something obvious, but I can't get my CloudFormation template to build the model I want.
Updated with my existing SG. This complains about a circular reference.

  ESSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ES Node SG
      VpcId: !FindInMap [ EnvParams, !Ref EnvironmentName, vpc ]
      SecurityGroupIngress:
        - FromPort: 9200
          ToPort: 9200
          SourceSecurityGroupId: !Ref ESSecurityGroup
          IpProtocol: tcp
        - FromPort: 9300
          ToPort: 9300
          SourceSecurityGroupId: !Ref ESSecurityGroup
          IpProtocol: tcp
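The usual way around the circular reference, as an added example rather than the asker's template: keep the group itself free of inline rules and attach the two self-referencing rules as separate AWS::EC2::SecurityGroupIngress resources, so the group exists before any rule points back at it. The group name, ports and VpcId mapping are taken from the question; the rule resource names are assumed.

```yaml
Resources:
  ESSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ES Node SG
      VpcId: !FindInMap [ EnvParams, !Ref EnvironmentName, vpc ]
      # No SecurityGroupIngress here: with no inline rules the group has
      # no dependency on itself, and with no 0.0.0.0/0 rule nothing outside
      # the cluster can reach 9200 or 9300 at all.

  # Assumed resource name. GroupId and SourceSecurityGroupId both resolve
  # to the ES group's ID (Ref on a VPC security group returns the ID), so
  # only instances that carry ESSecurityGroup may talk to port 9200.
  ESHttpIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ESSecurityGroup
      IpProtocol: tcp
      FromPort: 9200
      ToPort: 9200
      SourceSecurityGroupId: !Ref ESSecurityGroup

  # Assumed resource name. Same pattern for the transport port used for
  # replication and leader election.
  ESTransportIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ESSecurityGroup
      IpProtocol: tcp
      FromPort: 9300
      ToPort: 9300
      SourceSecurityGroupId: !Ref ESSecurityGroup
```

Launch every ES node with ESSecurityGroup attached; membership in that group is what identifies a server as part of the cluster, so nodes added later are covered without touching the rules.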