
I have an instance that hosts a MongoDB service and I am trying to allow incoming traffic for port 27017 from an Auto Scaling group of instances. I am adding the security group (the one that has the AG instances) as the source on the specific instance I want to access, but I see it times out.

Inbound rule: [screenshot of the inbound rule]

I have tried allowing a specific address or 0.0.0.0 and it works. Only when I specify the security group ID does it not work.

Any help on this highly appreciated.


1 Answer

Assuming that you also have a Load Balancer, you would want three security groups:

  • ELB-SG: Allow incoming web traffic as appropriate (eg 80, 443). Associate it with the Load Balancer.
  • App-SG: Allow incoming traffic from ELB-SG. Associate it with the Auto Scaling Group, which will automatically assign it to the instances launched via Auto Scaling.
  • Mongo-SG: Allow incoming traffic from App-SG on port 27017. Associate it with the instance running Mongo.

Basically, have the security groups reference another security group and they will automatically accept traffic from instances associated with that other security group.

John Rotenstein
Thanks for the answer, great detailed explanation. I was doing more or less the same, but in the end the problem was that I was trying to access the instance using the public IP. If you reference another Security Group you need to access that instance from the *private IP* – Michael Michelis Dec 20 '18 at 15:24
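The three-group layout from the answer written out in Terraform, as an added example rather than code from the question or answer. It assumes the AWS provider (v5 or later, for the `aws_vpc_security_group_*_rule` resources) is configured, an existing VPC id in `var.vpc_id`, and that the app tier listens on port 80 behind the load balancer; attaching the groups to the load balancer, the Auto Scaling group's launch template and the Mongo instance is not shown.

```hcl
# Added example (not code from the question or answer): the ELB-SG -> App-SG -> Mongo-SG chain.
variable "vpc_id" { type = string } # assumed: the VPC holding the LB, ASG and Mongo instance

resource "aws_security_group" "sg" {
  for_each = toset(["ELB-SG", "App-SG", "Mongo-SG"])
  name     = each.key
  vpc_id   = var.vpc_id
}

# ELB-SG: public HTTPS to the load balancer (add 80 the same way if needed).
resource "aws_vpc_security_group_ingress_rule" "elb_https" {
  security_group_id = aws_security_group.sg["ELB-SG"].id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

# App-SG: only members of ELB-SG may reach the app port (80 is an assumption).
resource "aws_vpc_security_group_ingress_rule" "app_from_elb" {
  security_group_id            = aws_security_group.sg["App-SG"].id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.sg["ELB-SG"].id
}

# Mongo-SG: only members of App-SG may reach 27017. A referenced-group rule
# matches the source ENI's private address, so clients must connect to the
# Mongo instance's private IP or private DNS name, not its public IP.
resource "aws_vpc_security_group_ingress_rule" "mongo_from_app" {
  security_group_id            = aws_security_group.sg["Mongo-SG"].id
  ip_protocol                  = "tcp"
  from_port                    = 27017
  to_port                      = 27017
  referenced_security_group_id = aws_security_group.sg["App-SG"].id
}

# Terraform removes AWS's default allow-all egress rule on a managed group, so restore it.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = aws_security_group.sg
  security_group_id = each.value.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
```

Because the Mongo rule keys on App-SG membership rather than on an address, adding or replacing instances in the Auto Scaling group needs no rule changes, and a client outside App-SG (or one arriving via the public IP) is rejected.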