Reputation: 624
I have a Webserver in a VPC that will occasionally use curl to get or post a resource from itself, using one of the domains associated to that server. I have a restrictive security group assigned to this server, as I only want to allow traffic from specific IP ranges. Additionally, I added the security group itself as a source of inbound traffic, in order to deal with the curl calls.

Unfortunately this isn't working. The connections time out. Using wget from the command line on the server's IP or one of the domains times out too. The only way to fix it is to allow traffic from '0.0.0.0/0' on the security group, which I don't want to do.

As a workaround I've added '127.0.0.1' entries for every domain to the hosts file, but this isn't a long term solution for me.
Any help to fix this?
Upvotes: 1
Views: 1143
Reputation: 200682
The traffic is basically going out to the internet and back, which means it is leaving the VPC, so it is no longer identified as coming from within the Security Group. To allow traffic from a Security Group, that traffic has to be addressed to the Private IP address, not the public IP or domain name.
One way to do this is to add hosts file entries like you have done. You could also create a private hosted zone in Route53 and assign it to the VPC, then override certain DNS records within your VPC to route to the private IP address.
Upvotes: 3
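The answer above comes down to one check: does the domain resolve to an address inside the VPC CIDR (traffic stays internal and the sg-to-sg rule matches) or to the public IP (traffic hairpins out and back and arrives with a public source address)? The following Python script is an added example, not code from the question or the answer. It classifies a resolved address against the VPC CIDR, generates the hosts-file lines for the workaround, and builds the Route53 UPSERT ChangeBatch for a private hosted zone override. The VPC CIDR, private/public IPs and domain names are constructed sample values; the ChangeBatch dict is the shape accepted by boto3's `route53.change_resource_record_sets`, but no AWS call is made here.

```python
import ipaddress
import socket

# Constructed sample values for this example (not taken from the question).
VPC_CIDR = "10.0.0.0/16"
INSTANCE_PRIVATE_IP = "10.0.1.25"
INSTANCE_PUBLIC_IP = "203.0.113.10"  # TEST-NET-3 documentation address
DOMAINS = ["app.example.com", "api.example.com"]


def classify_destination(ip: str, vpc_cidr: str) -> str:
    """Return how a security group sees traffic sent to `ip` from inside the VPC.

    'private' -> packet stays in the VPC with the instance's private source
                 address, so an inbound rule whose source is the SG matches.
    'hairpin' -> packet goes to a public address, leaves the VPC and comes back
                 with a public source address; the sg-as-source rule does not match.
    """
    addr = ipaddress.ip_address(ip)
    return "private" if addr in ipaddress.ip_network(vpc_cidr) else "hairpin"


def hosts_file_lines(domains, target_ip):
    """Build /etc/hosts entries pinning each domain to `target_ip`."""
    return [f"{target_ip} {d}" for d in domains]


def route53_override_change(domain, private_ip, ttl=60):
    """Build the ChangeBatch for UPSERTing an A record in a *private* hosted zone
    attached to the VPC, so that in-VPC resolvers return the private address.
    Shape matches boto3 route53.change_resource_record_sets(ChangeBatch=...)."""
    fqdn = domain if domain.endswith(".") else domain + "."
    return {
        "Comment": f"VPC-internal override for {domain}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": private_ip}],
            },
        }],
    }


def check_domains(domains, vpc_cidr, resolver=None):
    """Resolve each domain and report 'private', 'hairpin' or 'unresolved (...)'.
    `resolver` is injectable (defaults to socket.gethostbyname) so the check can
    run offline against a fake DNS answer."""
    resolver = resolver or socket.gethostbyname
    report = {}
    for d in domains:
        try:
            ip = resolver(d)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[d] = f"unresolved ({exc})"
            continue
        report[d] = classify_destination(ip, vpc_cidr)
    return report


def fake_public_dns(domain):
    """Stand-in for public DNS: every sample domain answers with the public IP."""
    answers = {d: INSTANCE_PUBLIC_IP for d in DOMAINS}
    if domain not in answers:
        raise socket.gaierror(f"no record for {domain}")
    return answers[domain]


if __name__ == "__main__":
    for domain, verdict in check_domains(DOMAINS, VPC_CIDR, resolver=fake_public_dns).items():
        print(f"{domain}: {verdict}")
        if verdict == "hairpin":
            print("  hosts entry:", hosts_file_lines([domain], INSTANCE_PRIVATE_IP)[0])
            print("  route53    :", route53_override_change(domain, INSTANCE_PRIVATE_IP))
```

Run it on the instance with the real resolver (`check_domains(DOMAINS, VPC_CIDR)`) to confirm which names currently resolve to the public address; any domain reported as `hairpin` is one the security-group rule will never match until it resolves to the private IP.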