
I have two AWS EC2 instances that are trying to talk to each other over a custom TCP port. Each instance has its own security group, but neither can talk to each other.

Here's my setup:

EC2 Instance 1

  • Name: instance-1
  • Public IP address: aaa.bbb.ccc.ddd
  • Security group ID: sg-xxxxxxxxxx1
  • SG inbound rules: none
  • SG outbound rules:
    • Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0

EC2 Instance 2

  • Name: instance-2
  • Public IP address: www.xxx.yyy.zzz
  • Security group ID: sg-xxxxxxxxxx2
  • SG inbound rules:
    • Type: Custom TCP Rule, Protocol: TCP, Port Range: 12345, Source: sg-xxxxxxxxxx1
  • SG outbound rules:
    • Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0

The problem

Whenever instance-1 tries to initiate a TCP request to www.xxx.yyy.zzz:12345, the connection times out.

If I add the following inbound rule to instance-2's SG, it works just fine:

  • Type: All traffic, Protocol: All, Port Range: 12345, Source: 0.0.0.0/0

Summary

I need instance-1 to talk to instance-2 without allowing traffic from anywhere to access port 12345. Is there a way to do this?

  • It seems like instance-1 is trying to connect to instance-2 via a public IP. Or the security groups are not set up as you describe them. Rather than summarize the SG rules, please edit your question and include the _exact_ output of `aws ec2 describe-security-groups` for the groups in question. – guest May 15 '19 at 22:01
  • Ah! Good point! The configuration seems correct, assuming they are connecting via a private IP address. Using a Public IP address would not work. – John Rotenstein May 16 '19 at 00:02

1 Answer


You cannot access a public IP using a security group as the incoming source.

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses). For more information about IP addresses, see Amazon EC2 Instance IP Addressing.

Use the private IP address or use the public IP as the source.

References

Security Group Connection Tracking
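To make the answer's point concrete, here is an added model (not code from the answer or from AWS) of how an inbound rule that names a security group is evaluated: the destination SG compares the source address it observes against the private IPs of the referenced group's members, and a connection to the public IP arrives via the internet gateway with instance-1's public address as source. The VPC CIDR, instance addresses and that hairpin assumption are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology modelled on the question; addresses are placeholders, not real AWS data.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
INSTANCES = {
    "instance-1": {"sg": "sg-xxxxxxxxxx1", "private": "10.0.1.10", "public": "203.0.113.10"},
    "instance-2": {"sg": "sg-xxxxxxxxxx2", "private": "10.0.2.20", "public": "203.0.113.20"},
}

@dataclass
class InboundRule:
    proto: str            # "tcp", "udp" or "all"
    port: Optional[int]   # None means any port
    source: str           # CIDR such as "0.0.0.0/0", or a security-group id "sg-..."

def members_private_ips(sg_id):
    """Private IPs of every instance attached to sg_id: the only thing an sg-source rule matches."""
    return {ipaddress.ip_address(i["private"]) for i in INSTANCES.values() if i["sg"] == sg_id}

def observed_source(src_name, dst_ip):
    """Source address the destination's SG sees for a connection from src_name to dst_ip."""
    src = INSTANCES[src_name]
    if ipaddress.ip_address(dst_ip) in VPC_CIDR:
        return ipaddress.ip_address(src["private"])   # stays on the VPC 'local' route
    return ipaddress.ip_address(src["public"])        # leaves via the IGW, source NAT'd to public IP

def rule_matches(rule, src_ip, proto, port):
    if rule.proto not in ("all", proto):
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        return src_ip in members_private_ips(rule.source)
    return src_ip in ipaddress.ip_network(rule.source, strict=False)

def sg_allows(rules, src_name, dst_ip, proto="tcp", port=12345):
    """True if any inbound rule on the destination SG admits the connection."""
    src_ip = observed_source(src_name, dst_ip)
    return any(rule_matches(r, src_ip, proto, port) for r in rules)

# instance-2's inbound rules exactly as the question lists them: TCP 12345 from sg-xxxxxxxxxx1 only
SG2_RULES = [InboundRule("tcp", 12345, "sg-xxxxxxxxxx1")]

if __name__ == "__main__":
    for target in ("public", "private"):
        ok = sg_allows(SG2_RULES, "instance-1", INSTANCES["instance-2"][target])
        print(f"instance-1 -> instance-2 {target} IP, tcp/12345: {'allowed' if ok else 'DENIED'}")
```

Running it shows the public-IP attempt denied and the private-IP attempt allowed, which is why the 0.0.0.0/0 rule "fixed" the problem while also exposing the port to everyone.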
