
I have created 2 security groups separately. One for an ec2-instance running in the public subnet and another one for an ec2-instance running in the private subnet.

I want to securely ssh into the private instance from the public instance.

Is the below port configuration for the private security group correct, or do any other ports need to be opened? Do these security groups' ports need to be connected in some way for ssh-ing into the private instance? (I have created a vpc, a public and private subnet, eip, nat-gateway).

public_sgGroup.tf

resource "aws_security_group" "public_sg" {
  name        = "Public_sg"
  description = "Security Group for Public instance-Bastion"
  # Assumed name of the VPC created alongside the subnets; without vpc_id
  # the group is created in the default VPC, not the one the instances use.
  vpc_id      = aws_vpc.main.id

  # SSH into the bastion from any address
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # SSH out from the bastion to any address inside the VPC
  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.s_group_vpc_cidr]
  }

  # HTTP/HTTPS out for package updates
  egress {
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  egress {
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # tags is an attribute (map), not a nested block
  tags = {
    Name = "Public_sgGroup"
  }
}

private_sgGroup

resource "aws_security_group" "private_sg" {
  name        = "Private_sg"
  description = "Security Group for Private instance"
  # Assumed name of the VPC created alongside the subnets (see above)
  vpc_id      = aws_vpc.main.id

  # SSH out from the private instance to any address
  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # SSH in from any address inside the VPC (this is what the bastion uses)
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.s_group_vpc_cidr]
  }

  # HTTP/HTTPS in from any address
  ingress {
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  ingress {
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # tags is an attribute (map), not a nested block
  tags = {
    Name = "Private_sgGroup"
  }
}

Thanks in advance.

Thra
  • This appears like it should work. Have you tried it yet? Did you run into some sort of issue? I suggest using `security_groups` instead of `cidr_blocks` in the private instance's `ingress` block, so you can only ssh from the public instance, instead of from any server in the public subnet. – Mark B Aug 29 '20 at 17:48
  • So what is the problem? You can't ssh into the bastion, or from bastion to second instance? – Marcin Aug 29 '20 at 23:09
  • OP will have a problem with such limited egress rules. right? – spazm Feb 11 '22 at 22:33
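The following is an added example, not code from the question or its commenters, showing the bastion/private pair the way Mark B's comment suggests: the two groups reference each other by security-group id rather than by CIDR, so only instances attached to the bastion group can reach port 22 on the private instance, and the private group opens outbound 80/443 (through the NAT gateway) instead of inbound. Rules are declared as separate `aws_security_group_rule` resources because two groups that reference each other's ids in inline blocks form a dependency cycle. The VPC resource name `aws_vpc.main` and the variable `admin_cidr_blocks` are assumptions for this example.

```hcl
# Added example (not the question's code). Assumes a VPC resource named
# aws_vpc.main and an operator-supplied list of admin source CIDRs.

variable "admin_cidr_blocks" {
  description = "Source CIDRs allowed to SSH to the bastion (assumed; your own addresses, not 0.0.0.0/0)"
  type        = list(string)
}

resource "aws_security_group" "bastion_sg" {
  name        = "bastion_sg"
  description = "Bastion: SSH in from admin addresses, SSH out to private group only"
  vpc_id      = aws_vpc.main.id # assumed VPC resource name

  tags = {
    Name = "bastion_sg"
  }
}

resource "aws_security_group" "private_sg" {
  name        = "private_sg"
  description = "Private instance: SSH in from the bastion group only"
  vpc_id      = aws_vpc.main.id # assumed VPC resource name

  tags = {
    Name = "private_sg"
  }
}

# Inbound SSH to the bastion, limited to operator addresses.
resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  security_group_id = aws_security_group.bastion_sg.id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.admin_cidr_blocks
}

# Outbound SSH from the bastion only to members of the private group.
# For an egress rule, source_security_group_id is the destination group.
resource "aws_security_group_rule" "bastion_ssh_out" {
  type                     = "egress"
  security_group_id        = aws_security_group.bastion_sg.id
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.private_sg.id
}

# Inbound SSH to the private instance only from members of the bastion group,
# not from every host in the VPC CIDR.
resource "aws_security_group_rule" "private_ssh_in" {
  type                     = "ingress"
  security_group_id        = aws_security_group.private_sg.id
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.bastion_sg.id
}

# Outbound HTTP/HTTPS from the private instance (via the NAT gateway) for
# package updates; nothing inbound on 80/443 is opened.
resource "aws_security_group_rule" "private_web_out" {
  for_each          = toset(["80", "443"])
  type              = "egress"
  security_group_id = aws_security_group.private_sg.id
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}
```

Compared with the question's groups, this changes three things a reviewer would flag: the bastion's port 22 is not open to `0.0.0.0/0`, the private instance's port 22 is reachable from the bastion group rather than from the whole VPC CIDR, and the private group has no inbound 80/443 from the internet (a private-subnet instance has no public route anyway, and what it needs is outbound 80/443 through the NAT, which the original private group lacks and which spazm's comment about limited egress points at). For the SSH hop itself, `ssh -J bastion-host private-host` from the workstation proxies the connection through the bastion without copying a private key onto it.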

0 Answers