Reputation: 7867
I have an EC2 node, node1 (security group SG1) which should be accessible from another EC2 node, node2 (security group SG2) on port 9200. Now, when I add an inbound rule in SG1 with port 9200 and specify SG2 as source in Custom IP section, I can't access node1 from node2. On the other hand, if I specify an inbound rule in SG1 with source as 0.0.0.0/0 or IP of node2, it works fine. What is wrong in my approach?
Upvotes: 29
Views: 8569
Reputation: 26031
Are you attempting to connect to node1's public or private address? From the documentation (upd. 2024-08-26):
When you specify a security group as the source or destination for a rule, the rule affects all instances that are associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).
I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup, actually. When you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.
Some things to be aware of:
Upvotes: 46
Reputation: 912
The Public DNS didn't work for me. What I did instead was create a custom inbound rule using the security group of the other instance.
Upvotes: -1
Reputation: 33588
Reason: Inter security-group communication works over private addressing. If you use the public IP address the firewall rule will not recognise the source security group.
Solution: You should address your instances using the Public DNS record - this will actually be pointed at the private IP address when one of your instances queries the DNS name.
e.g. if your instance has public IP 203.0.113.185
and private IP 10.1.234.12
, you are given a public DNS name like ec2-203-0-113-185.eu-west-1.compute.amazonaws.com
.
ec2-203-0-113-185.eu-west-1.compute.amazonaws.com
will resolve to 203.0.113.185
if queried externally, or 10.1.234.12
if queried internally. This will enable your security groups to work as intended.
This will enable you to use an elastic IP as you simply use the Public DNS entry of the elastic IP. Also, having the DNS resolve to the internal IP means that you are not incurring bandwidth charges for your data between instances:
Instances that access other instances through their public NAT IP address are charged for regional or Internet data transfer, depending on whether the instances are in the same region.
Upvotes: 25