I am reading the AWS Certified Solutions Architect Official Study Guide book, and I came across the following information (see attached). My question is this: does the highlighted text mean that I can control if the traffic to my EC2 can only come from an instance that is assigned to a certain security group? if so, can anyone please give a simple explanation or reference about that? Thanks.
1 Answer
Yes.
So a very good example of where you could use this is as follows.
You have a Load Balancer, L, and a set of EC2s, E.
L has a security group Ls, which permits ingress on port 443 to everywhere.
You have something running on port 8080 on the EC2s, but don't want that publicly exposed.
You could assign a security group to the EC2s, Es, and say "permit port 8080 inbound from these CIDRs". But then you have to give an IP address range to permit ingress.
As an alternative, you can add a security group rule to Es that says "permit TCP 8080 from source security group Ls".
That means, inbound traffic to Es is only permitted if it originates from the Ls security group.
This is a very neat way to lock your EC2s down to the Load Balancer, without needing to specify the Load Balancer's IP address (that is, if it even has one).

- Thank you very much. One more question if you don't mind, is this doable through the EC2 security group dashboard? I didn't see an option to do what you said technically! I am sure it's because of my lack of experience.. – Khadjiev Apr 14 '20 at 16:12
- After rechecking this old question, yes this is the best practice and you can just choose among available security groups in the EC2 VPC and allow traffic from it. You can also select a prefix list. – Khadjiev Jan 20 '23 at 15:35
- BTW, I used this procedure in AWS Lambda, and that was after configuring it to be deployed to a VPC, and then gave the Lambda functions an SG, which was in the whitelisted traffic sources in an RDS SG. – Khadjiev Jan 20 '23 at 15:36
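The Ls/Es rule from the answer above, expressed as the `IpPermissions` structure the EC2 API takes, plus a small audit that checks whether a port on Es is reachable only via a security-group source. This is an added example, not code from the post; the group IDs and the sample rule set are constructed placeholders.

```python
"""Added example: security-group-referenced ingress for the LB -> EC2 case.
Group IDs below are placeholders, not real AWS resources."""

LB_SG = "sg-0000000000000lb"    # placeholder: load balancer group, Ls
EC2_SG = "sg-000000000000ec2"   # placeholder: instance group, Es


def sg_referencing_rule(port: int, source_sg: str, description: str = "") -> dict:
    """IpPermissions entry for authorize_security_group_ingress that allows
    tcp/`port` from members of `source_sg` rather than from a CIDR block."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg, "Description": description}],
    }


def covers(perm: dict, port: int) -> bool:
    """Does this ingress rule apply to `port`? Protocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def locked_to_group(permissions: list, port: int, group_id: str) -> bool:
    """True iff every rule reaching `port` is sourced from a security group
    (no CIDR or prefix-list sources) and at least one of them is `group_id`."""
    referenced = False
    for perm in permissions:
        if not covers(perm, port):
            continue
        if perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("PrefixListIds"):
            return False  # an address-based source reaches this port
        referenced |= any(p["GroupId"] == group_id for p in perm.get("UserIdGroupPairs", []))
    return referenced


def apply_rule(rule: dict, group_id: str = EC2_SG):
    """Push the rule to AWS; boto3 is imported lazily so the rest runs offline."""
    import boto3
    return boto3.client("ec2").authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=[rule])


# Constructed sample of what describe_security_groups might report for Es.
EXAMPLE_ES_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
    sg_referencing_rule(8080, LB_SG, "app traffic only from the load balancer"),
]
```

Run `locked_to_group(EXAMPLE_ES_PERMISSIONS, 8080, LB_SG)` to confirm 8080 is reachable only from Ls; an added `0.0.0.0/0` rule on protocol `-1` would flip that to False.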