
I have two sets of systems, in two different availability zones, each with its own security group (A and B).

In the security group for zone A, I create an inbound rule that allows all incoming traffic from VMs in the zone B security group.

This works for the private IPs: VMs in B can connect to VMs in A when using the private IPs of A. However, this does not work for the public IPs.

Now, I understand why it doesn't work (AWS security group that allows instances within VPC to connect doesn't work over public IP), but is there a simple way to configure the zone A security group so that all public IPs associated with security group B would also be allowed?

That is, without tracking the public IPs and manually (or via API) maintaining them in the inbound rules next to the 'security group B' rule?

TTimo
  • Why would you want them to connect over public IP however? Not sure what your specific use case is, but EC2 instances within the same VPC would generally communicate with each other via private IP. – WarrenG Jun 05 '20 at 19:14
  • B could be on premise, or on another cloud. I have to special case the configuration rather than use public DNS of the hosts in A because of this. I know I pay for traffic when routing over the public IP, but that's fine, consistency is more important. – TTimo Jun 05 '20 at 19:18
  • I would still disagree that if B and A are in the same VPC that traffic should go out via the internet only to come back. Security, cost and latency implications are unnecessary. If you are however determined to go this way then your options would be to script the updating of the security group. EIPs shouldn't change often though. Another consideration would be to use CloudFormation to manage these resources, then any updates to the instances in your script would have similar changes to the rules for the security group. – WarrenG Jun 05 '20 at 19:32

1 Answer

There is no functionality for a Security Group to reference "All public IP addresses used by resources that are in Security Group X".

Public IP addresses are assigned per-resource and are not associated with Security Groups.

You would need to manually update the Security Group with the relevant Public IP address. Or, if the resources are all in your AWS account, you could write a script that loops through the resources, obtains their Public IP address and adds them to the Security Group.

John Rotenstein
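One way to implement the scripted approach that the answer and WarrenG's comment describe, as an added example that is not part of the original answer or of any AWS tooling: look up the public IPs of the running instances that carry security group B, compare them with the `/32` all-traffic rules that a previous run added to security group A, and authorize the missing ones and revoke the stale ones. The sample reservation and permission data below is constructed in the shape returned by boto3's `describe_instances` and `describe_security_groups`; the `MARKER` description text, the `reconcile` function and the `sg-A`/`sg-B` placeholders are assumptions of this example. Only rules carrying the marker are ever revoked, so the existing "allow from security group B" reference rule and any hand-written rules are left untouched.

```python
"""Reconcile the public-IP ingress rules of security group A with the current
public IPs of the instances in security group B (added example, not the
answer's own code). Rules created here are tagged via the rule description so
that only those rules are ever revoked."""
import ipaddress

MARKER = "managed-public-ip:sg-B"  # assumption: marker text for rules this script owns

# RFC 1918 ranges: anything here cannot be a public IP and is skipped as a guard.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of
# ec2.describe_instances(Filters=[{"Name": "instance.group-id", "Values": ["sg-B"]}])["Reservations"]
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.10"},
        {"InstanceId": "i-0bbb", "State": {"Name": "stopped"},   # stopped: excluded
         "PublicIpAddress": "203.0.113.99"},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc", "State": {"Name": "running"},
         "PublicIpAddress": "198.51.100.7"},
        {"InstanceId": "i-0ddd", "State": {"Name": "running"},   # no public IP
         "PrivateIpAddress": "10.0.1.11"},
    ]},
]

# Constructed sample of
# ec2.describe_security_groups(GroupIds=["sg-A"])["SecurityGroups"][0]["IpPermissions"]
SAMPLE_PERMISSIONS = [
    # The existing "all traffic from security group B" reference rule: never touched.
    {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-B"}]},
    # One stale rule from a previous run (marked) and one hand-written rule (unmarked).
    {"IpProtocol": "-1", "UserIdGroupPairs": [],
     "IpRanges": [{"CidrIp": "192.0.2.5/32", "Description": MARKER},
                  {"CidrIp": "10.0.0.0/8", "Description": "corp"}]},
    # A port-specific rule: not an all-traffic rule, so never considered.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def public_ips_of(reservations):
    """Public IPv4 addresses of running instances. A stopped instance releases
    its auto-assigned public IP, so it is excluded until it runs again."""
    ips = set()
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            raw = inst.get("PublicIpAddress")
            if not raw:
                continue
            addr = ipaddress.ip_address(raw)
            if addr.version != 4 or any(addr in net for net in RFC1918):
                continue
            ips.add(str(addr))
    return ips


def managed_cidrs(permissions, marker=MARKER):
    """CIDRs of the all-traffic rules (IpProtocol "-1") that carry our marker."""
    return {
        rng["CidrIp"]
        for perm in permissions if perm.get("IpProtocol") == "-1"
        for rng in perm.get("IpRanges", []) if rng.get("Description") == marker
    }


def plan(permissions, public_ips, marker=MARKER):
    """Return (cidrs_to_authorize, cidrs_to_revoke) as sorted lists."""
    wanted = {f"{ip}/32" for ip in public_ips}
    have = managed_cidrs(permissions, marker)
    return sorted(wanted - have), sorted(have - wanted)


def ip_permissions(cidrs, marker=MARKER):
    """IpPermissions payload for authorize/revoke_security_group_ingress."""
    return [{"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": c, "Description": marker} for c in cidrs]}]


def reconcile(ec2, target_sg, source_sg, marker=MARKER):
    """Live version (assumed helper): ec2 is a boto3 EC2 client, target_sg and
    source_sg are the group IDs of A and B. Not run by the sample below."""
    resp = ec2.describe_instances(
        Filters=[{"Name": "instance.group-id", "Values": [source_sg]}])
    ips = public_ips_of(resp["Reservations"])
    group = ec2.describe_security_groups(GroupIds=[target_sg])["SecurityGroups"][0]
    add, revoke = plan(group["IpPermissions"], ips, marker)
    if add:
        ec2.authorize_security_group_ingress(
            GroupId=target_sg, IpPermissions=ip_permissions(add, marker))
    if revoke:
        ec2.revoke_security_group_ingress(
            GroupId=target_sg, IpPermissions=ip_permissions(revoke, marker))
    return add, revoke


if __name__ == "__main__":
    add, revoke = plan(SAMPLE_PERMISSIONS, public_ips_of(SAMPLE_RESERVATIONS))
    print("authorize:", add)   # ['198.51.100.7/32', '203.0.113.10/32']
    print("revoke:   ", revoke)  # ['192.0.2.5/32']
```

Run on a schedule or from an EC2 state-change event, `reconcile()` keeps the rule set equal to the live public IPs, and the marker is what makes the revoke step safe: a run that finds no running instances in B removes only the `/32` rules it created earlier. For accounts with many instances, `describe_instances` should be driven through `ec2.get_paginator("describe_instances")` rather than a single call, and the IAM role running it needs only `ec2:DescribeInstances`, `ec2:DescribeSecurityGroups`, `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on the groups involved.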