
I have a security group which has quite a few inbound rules. Can I reference this group from another group so that the referencing group inherits all the rules from its parent?

For example:

  1. Group A
    • Port 3306. Traffic from X.X.X.X allowed.
    • Port 3306. Traffic from X.X.X.Y allowed.
    • Port 3306. Traffic from X.X.X.Z allowed.
  2. Group B
    • Traffic from Group A

The tooltip of the Source column in the inbound rules table says that I can do that:

[screenshot: tooltip of the Source column in the inbound rules table]

However, it doesn't work. The connections from the sources listed in Group A are blocked on the instance that has Group B assigned.

super.t

2 Answers


There is no security group inheritance. Referencing a security group in the source field does not provide rule inheritance. Referencing a group in this way allows inbound access to group B from resources in A.

Note that you can assign multiple security groups to a single instance. So you should create a third security group with all the common rules, and assign that to all the instances that need those common rules.

Mark B
  • I didn't understand: adding Group A into the Group B security group is NOT actually inheritance? The second statement is not clear to me. I am trying to achieve the same thing, where I create a single group that manages restricted SSH access to certain IPs, and other groups will inherit this SSH group to centralize control over EC2 security – Yasser AL-attas Nov 30 '20 at 15:22
  • There is no such thing as inheritance with security groups. This isn't object oriented programming. When one security group references another security group it simply means that network traffic is allowed from members of that other security group into members of this security group. – Mark B Dec 01 '20 at 13:54
  • @YasserAL-attas What you should probably do is have multiple security groups you assign to your EC2 instances, so the EC2 instances can "inherit" the SSH settings from one security group, and their other application specific security group rules from another security group. – Mark B Dec 01 '20 at 14:08

No, that will not work. Referencing an SG by its ID only refers to any instance that uses that SG, and does not import its rules. Each security group needs to have explicit rules for the traffic you want to allow.

Again, using an SG as the source only serves to reference instances that use that SG.

Rodrigo Murillo
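Both answers make the same point: a security group named in the Source field matches traffic coming from interfaces that have that group attached, and nothing is copied from its rule list. The following is an added example for this thread, not code from either answer or from AWS: a small Python model of the documented evaluation semantics (rules are allow-only, any matching rule across all groups attached to the destination admits the traffic, and a group-sourced rule matches members of the referenced group rather than importing its rules). The group IDs sg-aaaa and sg-bbbb, the 203.0.113.x addresses, the private 10.0.x.x addresses and the instance names are all constructed for illustration.

```python
"""Toy model of EC2 security-group ingress evaluation.

Added example for this thread, not code from the answers or from AWS. It
models the documented semantics: rules are allow-only, a packet is admitted
if any ingress rule across all groups attached to the destination matches,
and a rule whose source is another security group matches traffic sent from
a network interface that has that group attached (by its private address).
Group IDs, addresses and instance names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    cidr: Optional[str] = None          # source given as a CIDR block
    source_group: Optional[str] = None  # source given as a security group ID


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: List[SecurityGroup]  # several groups can be attached at once


def _rule_matches(rule: Rule, protocol: str, port: int,
                  src_ip: str, src_groups: FrozenSet[str]) -> bool:
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.cidr is not None:
        return ip_address(src_ip) in ip_network(rule.cidr)
    # A group-sourced rule matches only traffic from interfaces that have
    # that group attached. It never pulls in the referenced group's rules.
    return rule.source_group in src_groups


def is_allowed(dst: Instance, protocol: str, port: int, src_ip: str,
               src_groups: FrozenSet[str] = frozenset()) -> bool:
    """True if any rule in any group attached to dst admits the traffic."""
    return any(
        _rule_matches(rule, protocol, port, src_ip, src_groups)
        for sg in dst.groups
        for rule in sg.ingress
    )


def allowed_from_instance(dst: Instance, src: Instance,
                          protocol: str, port: int) -> bool:
    """Traffic from an EC2 instance is tagged with its attached group IDs."""
    return is_allowed(dst, protocol, port, src.private_ip,
                      frozenset(g.group_id for g in src.groups))


# Constructed scenario mirroring the question.
GROUP_A = SecurityGroup("sg-aaaa", [
    Rule("tcp", 3306, cidr="203.0.113.10/32"),
    Rule("tcp", 3306, cidr="203.0.113.11/32"),
    Rule("tcp", 3306, cidr="203.0.113.12/32"),
])
GROUP_B = SecurityGroup("sg-bbbb", [Rule("tcp", 3306, source_group="sg-aaaa")])

DB_WITH_B_ONLY = Instance("db", "10.0.1.5", [GROUP_B])            # asker's setup
APP_MEMBER_OF_A = Instance("app", "10.0.2.7", [GROUP_A])          # a member of A
DB_WITH_A_AND_B = Instance("db", "10.0.1.5", [GROUP_A, GROUP_B])  # the fix


if __name__ == "__main__":
    # The external address from A's rules is NOT admitted by B: no inheritance.
    print(is_allowed(DB_WITH_B_ONLY, "tcp", 3306, "203.0.113.10"))
    # An instance that is a member of A IS admitted: that is what the
    # reference actually grants.
    print(allowed_from_instance(DB_WITH_B_ONLY, APP_MEMBER_OF_A, "tcp", 3306))
    # Attaching the group with the common rules directly gives the result the
    # asker wanted.
    print(is_allowed(DB_WITH_A_AND_B, "tcp", 3306, "203.0.113.10"))
```

The model leaves out one detail worth knowing when debugging this in a real VPC: a group-sourced rule matches the private addresses of member interfaces in the same VPC (or a peered one). Traffic from a member that arrives via a public or Elastic IP, a NAT gateway, or an internet-facing path does not carry the group membership and will not match, so for such sources a CIDR rule in a shared group attached to every instance is the only option.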