
I have a Next.js React application on an EC2 instance and a backend Node.js application on another EC2 instance. They're both attached to the same security group, Sec Group 1, and the front end React app is attached to a security group with public access to the internet: 0.0.0.0/0, ::/0 port 80 & 443, Sec Group 2.

This currently works because my IP address is in Sec Group 1, which they're both attached to, but it's not working when I try to access from another IP address or publicly. I think it's because of the security group the backend API is in. How do I secure this architecture without exposing the backend API to the public, and restrict access to the API only from the front end?

I want the front end to be the only one that can access the backend, so the public cannot directly access the backend API.

I'm also using the private IP address of the front end EC2 instance, added to Sec Group 1; it's not working. This is based on this: EC2 security groups cannot communicate with each other

james
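An added example, not part of the original question: a small Python check over constructed security-group rules that compares the setup described above with a backend-only group whose sole ingress source is the front end's security group. The group IDs, the /32 address and port 3000 are assumptions; a group-reference rule matches traffic sent from the front end instance's private address, so it covers calls made by the Next.js server, not requests a visitor's browser sends straight to the API.

```python
import ipaddress

API_PORT = 3000  # assumed backend port; the question does not state one

# Constructed rules in the shape of the IpPermissions entries returned by
# `aws ec2 describe-security-groups`. IDs and the /32 are placeholders.
GROUPS = {
    "sg-group1": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
                   "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}],  # poster's IP
    "sg-group2": [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]} for p in (80, 443)],
    # Proposed backend-only group: the source is the front end's group, not a CIDR.
    "sg-backend": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
                    "UserIdGroupPairs": [{"GroupId": "sg-group2"}]}],
}

def allowed_sources(groups, attached, port):
    """Collect the CIDRs and source group IDs allowed to reach `port`."""
    cidrs, refs = set(), set()
    for sg_id in attached:
        for perm in groups[sg_id]:
            # "-1" means all protocols and ports; otherwise match TCP port range.
            if perm["IpProtocol"] != "-1" and not (
                    perm["IpProtocol"] == "tcp"
                    and perm["FromPort"] <= port <= perm["ToPort"]):
                continue
            cidrs |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            refs |= {g["GroupId"] for g in perm.get("UserIdGroupPairs", [])}
    return cidrs, refs

def audit_backend(groups, backend_sgs, frontend_sgs, port=API_PORT):
    """Report who can open a connection to the backend port."""
    cidrs, refs = allowed_sources(groups, backend_sgs, port)
    public = sorted(c for c in cidrs if ipaddress.ip_network(c).prefixlen == 0)
    return {
        "public": bool(public),
        "frontend_can_reach": bool(refs & set(frontend_sgs)),
        "other_cidrs": sorted(cidrs - set(public)),
    }

if __name__ == "__main__":
    front = ["sg-group1", "sg-group2"]
    print("as described:", audit_backend(GROUPS, ["sg-group1"], front))
    print("proposed:    ", audit_backend(GROUPS, ["sg-backend"], front))
```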

0 Answers