
I have a circular dependency problem. I'm trying to create a security group for an autoscaling group that allows traffic to an RDS MySQL DB instance. Similarly, I want to create a security group for the RDS instance that allows traffic from the autoscaling group, but they both depend on each other. What might be the best way to solve it?

  AutoscalingSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for autoscaling
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref RDSSecurityGroup
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          DestinationSecurityGroupId: !Ref RDSSecurityGroup  # egress entries use DestinationSecurityGroupId, not SourceSecurityGroupId

  RDSSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for RDS instance
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AutoscalingSecurityGroup
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          DestinationSecurityGroupId: !Ref AutoscalingSecurityGroup  # egress entries use DestinationSecurityGroupId, not SourceSecurityGroupId

Any ideas of how I'd solve it? TIA

John Rotenstein
MikeMac

2 Answers


One option is to create two security groups without configuring SecurityGroupIngress and SecurityGroupEgress properties.

AutoscalingSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for autoscaling
      VpcId: !Ref VPC

RDSSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for RDS instance
      VpcId: !Ref VPC

Then add AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress resources to configure Ingress and Egress rules in the same template/stack.

For example:

RDSSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AutoscalingSecurityGroup
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !Ref AutoscalingSecurityGroup

RDSSecurityGroupEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref AutoscalingSecurityGroup
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      DestinationSecurityGroupId: !Ref AutoscalingSecurityGroup

AutoscalingSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RDSSecurityGroup
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !Ref RDSSecurityGroup

AutoscalingSecurityGroupEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref RDSSecurityGroup
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      DestinationSecurityGroupId: !Ref RDSSecurityGroup
SwathiP

The previous answer has GroupId & Source/DestinationSecurityGroupId mixed up. I also think the security group rules can be simplified. Security groups are stateful and thus the return traffic is allowed by default. So, the above rules can be simplified as per below.

AutoscalingSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for autoscaling
    VpcId: !Ref VPC

RDSSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for RDS instance
    VpcId: !Ref VPC

RDSSecurityGroupIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref RDSSecurityGroup
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    SourceSecurityGroupId: !Ref AutoscalingSecurityGroup  

AutoscalingSecurityGroupEgress:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref AutoscalingSecurityGroup
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    DestinationSecurityGroupId: !Ref RDSSecurityGroup 

Alternatively, it can be further simplified as follows.

AutoscalingSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: Security group for autoscaling
    VpcId: !Ref VPC
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        DestinationSecurityGroupId: !Ref RDSSecurityGroup  # egress entries use DestinationSecurityGroupId, not SourceSecurityGroupId

RDSSecurityGroup:
   Type: 'AWS::EC2::SecurityGroup'
   Properties:
     GroupDescription: Security group for RDS instance
     VpcId: !Ref VPC

RDSSecurityGroupIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref RDSSecurityGroup
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    SourceSecurityGroupId: !Ref AutoscalingSecurityGroup  
skzi