
I have 2 instances in the same AZ and both have public IP addresses. I have added a security group to both instances allowing inbound ICMP ping with the source set to the same security group. When I ping the private IP address, the ping succeeds. However, when I ping the public IP address, the ping fails.

  • Is the security group as a 'source' (or destination) limited only to the Private IPs of instances in that group? Why does security group as a 'source' not recognize Public IP addresses?

On the contrary, when I change the source to 0.0.0.0/0, pinging the public IP succeeds.

2 Answers


Technically, the public IP address is not attached to the EC2 instance or its Elastic Network Interface (ENI). Inside the VPC, everything only knows and uses the private IP addresses. The public IP address is managed by the Internet Gateway, which translates the public IP into the private IP and vice versa for incoming and outgoing traffic.

This means when you ping the public IP of another instance, the packet leaves the Security Group towards the Internet Gateway, and then comes back in. So from the target instance’s perspective, it comes from the Internet and therefore is blocked by the Security Group.

Dennis Traub
  • Thanks - so, you mean to say when 'security group' is specified as the source or destination in rules (as opposed to 0.0.0.0/0), it checks only the Private IP addresses - right? – Abhishek Palakkal Kaliyath Jul 23 '20 at 07:05
  • I’m not sure how the specifics are solved, but that’s the effect, yes. – Dennis Traub Jul 23 '20 at 07:07
  • "Technically, the public IP address is not attached to the EC2 instance or its Elastic Network Interface (ENI)" - Is that an AWS-specific thing, or in the general networking world too is this private-to-public mapping always maintained in routers / gateways? i.e. in general networking, is a public IP address ever assigned to a network interface? – Abhishek Palakkal Kaliyath Jul 23 '20 at 10:53

Security groups can perform both public and private evaluations against IP addresses (also IPv4 and IPv6).

Evaluations can only be performed on security groups as the source if it can identify that the source is another AWS resource.

By connecting to a public IP, it leaves the AWS network and loses that metadata; it then comes back inbound into AWS, whereby it's just another public IP address.

If you use the public hostname instead, AWS will translate this to the private IP address before it leaves AWS so the security group evaluation will work.

Chris Williams
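The following is a small constructed model of the evaluation both answers describe, added here as an example; it is not code from either answer or from AWS. The ENIs, the 10.0.1.x / 203.0.113.x addresses and the security group id `sg-ping` are all made up; the model assumes, as the answers state, that the Internet Gateway's NAT strips the sending ENI's identity and that a public hostname resolves to the private IP from inside the VPC.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Eni:
    private_ip: str
    public_ip: str
    security_groups: set = field(default_factory=set)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    # Known only while the packet stays inside the VPC; the IGW drops it.
    src_eni: Optional[Eni] = None


# Two constructed instances in one VPC, both members of sg-ping (hypothetical id).
A = Eni("10.0.1.10", "203.0.113.10", {"sg-ping"})
B = Eni("10.0.1.20", "203.0.113.20", {"sg-ping"})
VPC = {e.private_ip: e for e in (A, B)}      # private IP -> ENI
PUBLIC = {e.public_ip: e for e in (A, B)}    # public IP -> ENI (held by the IGW)


def route(pkt: Packet) -> Packet:
    """Deliver a packet sent from inside the VPC, modelling the IGW NAT."""
    if pkt.dst_ip in VPC:            # private destination: metadata is kept
        return pkt
    if pkt.dst_ip in PUBLIC:         # public destination: hairpin via the IGW
        # Outbound src private->public, inbound dst public->private; the packet
        # now arrives "from the Internet" and its sending ENI is unknown.
        return Packet(VPC[pkt.src_ip].public_ip, PUBLIC[pkt.dst_ip].private_ip)
    raise ValueError("unroutable destination")


def ingress_allowed(rule_source: str, pkt: Packet) -> bool:
    """Evaluate one inbound rule whose source is a CIDR or a security group id."""
    if rule_source.startswith("sg-"):
        # SG-as-source only matches when the sending ENI is still identifiable.
        return pkt.src_eni is not None and rule_source in pkt.src_eni.security_groups
    return ip_address(pkt.src_ip) in ip_network(rule_source)


def ping(src: Eni, dst_ip: str, rule_source: str) -> bool:
    return ingress_allowed(rule_source, route(Packet(src.private_ip, dst_ip, src)))


def resolve_public_hostname(eni: Eni, inside_vpc: bool) -> str:
    """A public DNS name resolves to the private IP when queried from the VPC."""
    return eni.private_ip if inside_vpc else eni.public_ip
```

Pinging the private IP or the public hostname (resolved inside the VPC) passes an `sg-ping` rule, pinging the public IP does not, and a `0.0.0.0/0` rule matches the NATed public source as the question observed.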