
I have some EC2 instances set up with auto scaling. It scales up and down according to resource usage. These servers access some other EC2 instances and an RDS instance. They connect using the public IP (not the internal/private IP).

Each time new servers are created, I have to update the other servers' security groups with the new IP, and logically that's impossible; otherwise I have to configure the security group to accept traffic from any IP.

How do I automatically whitelist new IPs in the security group and delete those IPs when removing servers?

Is it possible to attach set of elastic IPs to auto scaling group?

Thank you!

adminz

1 Answer

You shouldn't be using IP addresses in the security group in this scenario. In the security group rule you should be specifying the ID of the security group that the instances belong to.

Mark B
  • I have allowed 3306 for my web security group (which belongs to the autoscaling servers) on my DB server security group. But it's not working, and while investigating it seems to be because we use the public IP for connecting. – adminz Nov 13 '17 at 18:14
  • When you use the public IP to connect, the security group rule will not apply. However, private IP addresses will also not apply. This is because the connection actually leaves your VPC and returns, thus losing any knowledge of your internal VPC. Solve your public IP problem first, then you can use the security group. – Matt Houser Nov 13 '17 at 18:28
  • If the communication is between instances in your VPC then you should not be using public IP addresses. Switch to private IPs. – Mark B Nov 13 '17 at 18:46
  • Also, you are paying more money by communicating via public IP addresses (1c/GB). If you communicate via private IP addresses in the same VPC, there is no data transfer charge. – John Rotenstein Nov 13 '17 at 21:02
  • Thank you all. Will switch to private IP. The reason I'm not using private IPs is that if we switch to a new server due to any emergency we have to update the new IPs everywhere in code. If it is a public IP we can easily switch the elastic IP to the new server. – adminz Nov 14 '17 at 14:49
  • If you have code pointing to an IP address you should change that to point to a domain name. Attach a Route53 Private Hosted Zone to your VPC, and add a DNS record there that points to the IP address. Then whenever that IP changes you just have to update one DNS record instead of updating any code. – Mark B Nov 14 '17 at 15:00
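The group-referencing rule from the answer, plus a small audit of a DB security group that flags stale per-instance IP entries, as an added example written for this page (not code from the answerers). It uses the boto3 `IpPermissions` structure; the security group IDs and the sample rule set are constructed placeholders.

```python
"""Build and audit EC2 security-group ingress rules that reference a
source security group instead of IP addresses. Added example, not from
the original post; all IDs and sample data below are constructed."""
from typing import Dict, List

DB_SG = "sg-0000000000000db0"   # placeholder: DB server security group
WEB_SG = "sg-0000000000000eb0"  # placeholder: auto scaling web group


def group_ref_rule(source_sg: str, port: int, proto: str = "tcp") -> Dict:
    """One IpPermissions entry allowing `port` from members of source_sg.
    Instances joining source_sg via auto scaling are covered automatically,
    so no per-instance IP list has to be maintained or cleaned up."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def authorize_mysql_from_web(ec2, db_sg: str = DB_SG, web_sg: str = WEB_SG) -> Dict:
    """Apply the rule with a boto3 EC2 client (ec2 = boto3.client('ec2'))."""
    return ec2.authorize_security_group_ingress(
        GroupId=db_sg, IpPermissions=[group_ref_rule(web_sg, 3306)])


def audit_ingress(sg: Dict, port: int) -> Dict[str, List[str]]:
    """Classify how `port` is opened on one describe_security_groups() entry:
    'group_refs' are the maintainable rules, 'cidrs' are IP allow-lists that
    go stale with auto scaling, 'open_to_world' is 0.0.0.0/0."""
    result: Dict[str, List[str]] = {"group_refs": [], "cidrs": [], "open_to_world": []}
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols/ports
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "tcp" and not lo <= port <= hi:
            continue
        result["group_refs"] += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            (result["open_to_world"] if cidr == "0.0.0.0/0" else result["cidrs"]).append(cidr)
    return result


# Constructed sample shaped like describe_security_groups()["SecurityGroups"][0]
SAMPLE_DB_SG = {"GroupId": DB_SG, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [],
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print(audit_ingress(SAMPLE_DB_SG, 3306))
```

Run the audit against the real `describe_security_groups()` output once the app servers use private IPs; any entries under `cidrs` for port 3306 are the hand-maintained whitelist that the group reference replaces.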