
I have two Beanstalks, and for both the EC2s are in the same private subnet (so their VPC is the same as well). And I have their load balancers in the same public subnets.

One is called API and the other UI. I need the API one just to give access to the UI one.

So this is what I did:

1) The load balancer on UI will accept any external request, so the security group there is wide open, and the EC2 of the UI will accept the load balancer security group as follows:

[screenshot of the UI EC2 security group inbound rule]

2) The EC2 of the Beanstalk on UI needs to talk to the load balancer of API, so the API security group should accept the security group of the EC2 of the UI Beanstalk as a source:

[screenshot of the API load balancer security group inbound rule]

Now when I run the UI Beanstalk to talk to API, the security group of the load balancer on Beanstalk won't allow it, but as soon as I add 0.0.0.0 to the security group of the load balancer on API (which means open access to the public) (and the EC2 of the API Beanstalk will talk to the API load balancer, which works fine), then everything works fine.

Any idea how I can make it work?

Hamed Minaee
  • So the UI instances need to talk to the API instances via the API LB? Did you configure the API LB to allow inbound from the SG of the API instances? PS if you don't need to expose the API service to the public then you should use an internal (non-public) LB between the UI and the API. – jarmod Nov 28 '17 at 18:10
  • @jarmod actually API LB to API instance is not a problem I think, because when I change the security groups of the API ELB to accept any IP as a source then the issue will be fixed without even touching the security groups of the API instances – Hamed Minaee Nov 28 '17 at 18:22
  • But why would you want to allow *any* IP? Is it designed to be a public endpoint? – jarmod Nov 28 '17 at 18:23
  • @jarmod actually I do not want to allow any IP and I just need to allow the UI EC2, but when I set the security groups as I mentioned above then it stops working, though I think when I point the source of the ELB for API to the security group on UI it should work. Shouldn't it? – Hamed Minaee Nov 28 '17 at 18:39
  • @jarmod so here is my theory that I think should work: anywhere -> UI ELB -> UI EC2 should have UI ELB as a source -> API ELB should allow UI EC2 as a source -> API EC2 should allow API ELB as a source – Hamed Minaee Nov 28 '17 at 18:43
  • @Hamed Minaee Can you please create a new SG (sg-1234). Then add an inbound rule for the desired traffic and use sg-1234 as the source. Then attach this SG to both ENIs? Looks like the API ELB's SG is not configured properly. – sudo Nov 28 '17 at 19:19
  • @sudo thanks for answering, so you think adding a fresh new SG will overwrite the existing one and may work? – Hamed Minaee Nov 28 '17 at 19:22
  • @HamedMinaee I must admit, I found the question confusing and I believe it should work. Since the expectation is to enable communication between two ENIs, why not create a single SG, specify itself as a source security group in its inbound rules and attach with the ENIs? – sudo Nov 28 '17 at 19:27
  • @jarmod seems that internal works anyway. So should I put the internal one in the private subnet? – Hamed Minaee Nov 28 '17 at 20:33
  • @sudo I tried it but the same result – Hamed Minaee Dec 02 '17 at 17:07
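The chain the question describes (internet -> UI ELB -> UI EC2 -> API ELB -> API EC2, each hop admitting the previous hop by referencing its security group) can be checked against a small model. The following is an added example, not code from the question or the comments; the security group IDs, the 10.0.0.0/16 VPC range, the NAT gateway address, the load balancer addresses and the ports are all assumptions. It models the detail that decides this case: a security group reference only matches traffic arriving from the private address of an interface that carries the referenced group. A private-subnet instance that resolves an internet-facing load balancer's DNS name gets public addresses, so its traffic leaves through the NAT gateway and reaches the load balancer from the NAT's public IP, which no SG reference can match. That is why 0.0.0.0/0 makes it work (while exposing the API load balancer to everyone), and why an internal load balancer, whose name resolves to private addresses, lets the SG reference work, as jarmod's comment suggests.

```python
"""Toy model of the security-group chain from the question:
internet -> UI ELB -> UI EC2 -> API ELB -> API EC2, with SG-to-SG source references.
Constructed example: the IDs, addresses and ports are assumptions, not data from AWS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

VPC_CIDR = ip_network("10.0.0.0/16")   # assumed VPC range
NAT_PUBLIC_IP = "203.0.113.7"          # assumed EIP of the NAT gateway used by the private subnet
INTERNET_CLIENT = "192.0.2.99"         # some arbitrary host on the internet


@dataclass
class Rule:
    protocol: str
    port: int
    source_sg: Optional[str] = None    # allow traffic from interfaces carrying this SG ...
    source_cidr: Optional[str] = None  # ... or from this CIDR block


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule]


@dataclass
class Eni:
    """A network interface: an instance, or one node of a load balancer."""
    name: str
    sgs: List[str]
    private_ip: str
    public_ip: Optional[str] = None    # only internet-facing LB nodes get one in this model


UI_LB = Eni("ui-lb-node", ["sg-ui-lb"], "10.0.0.5", public_ip="198.51.100.5")
UI_EC2 = Eni("ui-ec2", ["sg-ui-ec2"], "10.0.1.10")
API_EC2 = Eni("api-ec2", ["sg-api-ec2"], "10.0.1.30")


def api_lb(scheme: str) -> Eni:
    """API load balancer node: 'internet-facing' has a public IP, 'internal' is private only."""
    public = "198.51.100.20" if scheme == "internet-facing" else None
    return Eni("api-lb-node", ["sg-api-lb"], "10.0.0.20", public_ip=public)


def build_groups(api_lb_rule: Rule) -> Dict[str, SecurityGroup]:
    """The four SGs from the question; only the API LB's inbound rule varies between scenarios."""
    return {
        "sg-ui-lb": SecurityGroup("sg-ui-lb", [Rule("tcp", 443, source_cidr="0.0.0.0/0")]),
        "sg-ui-ec2": SecurityGroup("sg-ui-ec2", [Rule("tcp", 80, source_sg="sg-ui-lb")]),
        "sg-api-lb": SecurityGroup("sg-api-lb", [api_lb_rule]),
        "sg-api-ec2": SecurityGroup("sg-api-ec2", [Rule("tcp", 80, source_sg="sg-api-lb")]),
    }


def source_as_seen(src: Eni, dest_ip: str) -> str:
    """Source address the destination actually sees. Inside the VPC the private IP is kept;
    a private-subnet instance talking to a public IP exits via the NAT gateway, so the
    destination sees the NAT's public address instead of the instance."""
    if ip_address(dest_ip) in VPC_CIDR:
        return src.private_ip
    return NAT_PUBLIC_IP


def sg_allows(sg: SecurityGroup, seen_src_ip: str, protocol: str, port: int, enis: List[Eni]) -> bool:
    """Evaluate inbound rules: CIDR rules match the address; SG-reference rules match only
    when that address is the private IP of an interface carrying the referenced SG."""
    src = ip_address(seen_src_ip)
    for rule in sg.inbound:
        if (rule.protocol, rule.port) != (protocol, port):
            continue
        if rule.source_cidr and src in ip_network(rule.source_cidr):
            return True
        if rule.source_sg and any(
            e.private_ip == seen_src_ip and rule.source_sg in e.sgs for e in enis
        ):
            return True
    return False


def ui_can_reach_api(scheme: str, api_lb_rule: Rule) -> bool:
    """Can the UI instance open a connection to the API load balancer?"""
    lb = api_lb(scheme)
    enis = [UI_LB, UI_EC2, lb, API_EC2]
    # The UI instance resolves the LB's DNS name: public IPs for internet-facing, private for internal.
    dest = lb.public_ip or lb.private_ip
    seen = source_as_seen(UI_EC2, dest)
    return sg_allows(build_groups(api_lb_rule)["sg-api-lb"], seen, "tcp", 443, enis)


def internet_can_reach_api(scheme: str, api_lb_rule: Rule) -> bool:
    """Can an arbitrary internet host open a connection to the API load balancer?"""
    lb = api_lb(scheme)
    if lb.public_ip is None:
        return False  # an internal LB has no public address to reach
    enis = [UI_LB, UI_EC2, lb, API_EC2]
    return sg_allows(build_groups(api_lb_rule)["sg-api-lb"], INTERNET_CLIENT, "tcp", 443, enis)


SG_REF = Rule("tcp", 443, source_sg="sg-ui-ec2")  # what the question configured on the API LB
OPEN = Rule("tcp", 443, source_cidr="0.0.0.0/0")  # the workaround that made it "work"

if __name__ == "__main__":
    scenarios = [
        ("question's setup", "internet-facing", SG_REF),
        ("0.0.0.0/0 workaround", "internet-facing", OPEN),
        ("internal LB + SG ref", "internal", SG_REF),
    ]
    for label, scheme, rule in scenarios:
        print(f"{label:22} UI->API: {ui_can_reach_api(scheme, rule)!s:5} "
              f"internet->API: {internet_can_reach_api(scheme, rule)}")
```

Running the module prints the three configurations side by side: the question's setup (UI blocked, internet blocked), the 0.0.0.0/0 workaround (UI allowed, but any internet host reaches the API load balancer too), and an internal API load balancer with the SG reference (UI allowed, API unreachable from outside the VPC). The model is deliberately simple: it treats "arrives from the referenced SG" as "arrives from the private IP of an interface carrying that SG", which is the property the NAT'd traffic lacks.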

0 Answers