
I'm investigating the security settings of an EC2 instance, and taking a look at the security group settings. In the source of one of the inbound rules, instead of a source IP address, it has its own security group's ID and group name.

What does this mean?

  • This isn't a programming question so it's off-topic for Stack Overflow, but as the documentation will tell you, it permits access to members of that security group by private IP, rather than having to list each IP and keep updating the rules when the members change. – Adrian Aug 06 '19 at 18:48
  • Right, so a couple of EC2 instances which belong to the same security group can be referred to by the security group name in the setting, that makes sense! Thank you! – Wataru Takahashi Aug 11 '19 at 06:26

1 Answer

In AWS, Security Groups are applied to each resource individually.

So, let's say you had:

  • A security group (App-SG) permitting inbound HTTP access on port 80
  • Two Amazon EC2 instances in a public subnet associated with App-SG

Even though both EC2 instances have the same security group, they are not able to SSH to each other. Some people sometimes say that the instances would be "in" the same security group (which gives the impression that they can communicate with each other), but it is more appropriate to say that the instances are associated with the same security group.

The thing to remember is that security group rules are applied to each instance individually.

So, if you wanted to permit both instances to SSH to each other, you could add an inbound rule to the security group:

  • Protocol: SSH (Port 22)
  • Source: App-SG

This says: "Allow any resource associated with this security group to receive traffic from any other resource associated with this security group on port 22".

You might say that security group can "communicate with itself", but the reality is that the same rules are applied separately on each resource.

John Rotenstein
  • Hey, sorry for the late reply, and thank you, that makes a lot of sense! – Wataru Takahashi Aug 11 '19 at 06:25
  • Thanks for the clear explanation! It's now clear how I make all the nodes of a cluster (Cassandra, Airflow or Spark) communicate with each other without adding the IP addresses of all the nodes for each port in the SG rules. – PraveenDS Jul 06 '23 at 19:25
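As an added example (not code from the question or the answer above), the following Python models the per-instance rule evaluation the answer describes and also builds the parameters for boto3's `authorize_security_group_ingress` call that creates a self-referencing rule. The group IDs, instance names and private addresses are constructed sample values, and `build_self_referencing_ingress`, `inbound_allowed` and `demo` are hypothetical helper names; the model only considers inbound rules on the receiving instance, since the default outbound rule allows all traffic.

```python
"""Added example (not from the question or answer): a small model of how AWS
evaluates a security group rule whose Source is a security group ID, plus the
boto3 parameters that create such a rule. Group IDs and addresses below are
constructed sample values."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str        # CIDR such as "0.0.0.0/0" or a group ID such as "sg-..."


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    groups: tuple      # IDs of the security groups associated with this instance


def build_self_referencing_ingress(group_id, port, protocol="tcp"):
    """Keyword arguments for ec2_client.authorize_security_group_ingress(**...)
    that add an inbound rule whose source is the group itself."""
    return {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": protocol,
            "FromPort": port,
            "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": group_id}],
        }],
    }


def source_matches(rule, sender):
    """A group-ID source matches when the sending interface is associated with
    that group; a CIDR source is checked against the sender's private IP.
    (Group-sourced rules only match traffic arriving via private addresses.)"""
    if rule.source.startswith("sg-"):
        return rule.source in sender.groups
    return ipaddress.ip_address(sender.private_ip) in ipaddress.ip_network(rule.source)


def inbound_allowed(sender, receiver, groups, port, protocol="tcp"):
    """Rules are applied per instance: only the groups associated with the
    *receiver* are consulted, and any matching rule admits the traffic.
    Security groups are allow-lists, so no match means the packet is dropped."""
    for group_id in receiver.groups:
        for rule in groups[group_id].inbound:
            proto_ok = rule.protocol in (protocol, "-1")
            port_ok = rule.from_port <= port <= rule.to_port
            if proto_ok and port_ok and source_matches(rule, sender):
                return True
    return False


def demo():
    """The answer's scenario: App-SG allows HTTP from anywhere and is associated
    with two instances; SSH between them is denied until the group references itself."""
    app_sg = SecurityGroup("sg-0123456789abcdef0",      # constructed ID
                           [Rule("tcp", 80, 80, "0.0.0.0/0")])
    groups = {app_sg.group_id: app_sg}
    web_a = Instance("web-a", "10.0.1.10", (app_sg.group_id,))
    web_b = Instance("web-b", "10.0.1.11", (app_sg.group_id,))
    stranger = Instance("other", "10.0.2.5", ("sg-0fedcba9876543210",))

    ssh_before = inbound_allowed(web_a, web_b, groups, 22)

    # Apply the rule to the local model; in AWS this is what
    # boto3.client("ec2").authorize_security_group_ingress(**params) would do.
    params = build_self_referencing_ingress(app_sg.group_id, 22)
    perm = params["IpPermissions"][0]
    app_sg.inbound.append(Rule(perm["IpProtocol"], perm["FromPort"], perm["ToPort"],
                               perm["UserIdGroupPairs"][0]["GroupId"]))

    return {
        "ssh_before": ssh_before,                                             # False
        "ssh_after": inbound_allowed(web_a, web_b, groups, 22),               # True
        "ssh_from_other_sg": inbound_allowed(stranger, web_b, groups, 22),    # False
        "http_from_other_sg": inbound_allowed(stranger, web_b, groups, 80),   # True
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The useful property shown by `ssh_from_other_sg` is that a self-referencing rule admits only interfaces associated with that group, so membership changes (new cluster nodes, replaced instances) never require editing the rule, while instances outside the group still get only what the other rules grant them.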