Anshul Verma

Reputation: 1091

AWS: Security Group Auto Scale

I want to launch a single EC2 instance. The challenge that I am facing is I need to configure a security group for this instance, and I want only the instances coming from an Auto Scaling group to be allowed to access it. How do I set the inbound rule in such a case, since the instances coming from an Auto Scaling group will vary?

Upvotes: 2

Views: 3719

Answers (2)

John Rotenstein

Reputation: 270104

Security groups can refer to each other.

For example, if you had a Load Balancer and an Auto Scaling group of Amazon EC2 instances, you would need to create two security groups:

  • A Load Balancer security group (let's call it LB-SG)
  • A Web Server security group (Web-SG) that is referenced by the Auto Scaling launch configuration

Configure your Web-SG to permit incoming traffic from the LB-SG. This can be referenced by name or by sg-xxxx identifier.

Permitting traffic from another security group is a way of saying "permit traffic from any instance that is associated with that security group". This includes the security group assigned to instances from Auto Scaling.

If you have another instance that should accept incoming traffic from instances in the auto scaling group, create another security group (eg Backend-SG) and permit incoming traffic from Web-SG.

Here is a sample diagram from a Rackspace article on Network Segregation in AWS. Notice how each security group refers to the one 'above' it:

[Diagram: Network Segregation in AWS, security groups layered so each tier permits traffic only from the tier above it]

Upvotes: 7

Jayaprakash

Reputation: 1403

You can add the ID of the load balancer security group as the source in the inbound rule for the needed protocols (HTTP, HTTPS). Then delete all the other inbound rules.

Ref: AWS Documentation


Upvotes: 2
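As an added example (not code from either answer above, and not from the question), here is the layout both answers describe written as a CloudFormation template: LB-SG opens 443 to the Internet, Web-SG accepts 80 only from LB-SG (the rule Jayaprakash describes), and Backend-SG on the single instance accepts 8080 only from Web-SG (the rule John describes for the instance that must trust the Auto Scaling group). The resource names, ports, instance type and the VpcId, SubnetIds and ImageId parameters are assumptions for illustration. Because the backend rule references Web-SG by ID rather than by address, every instance the Auto Scaling group launches with Web-SG attached is covered automatically, and nothing else is.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Security groups that reference each other (illustrative example, not production values)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id        # assumption: existing VPC
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>  # assumption: subnets in that VPC
  ImageId:
    Type: AWS::EC2::Image::Id      # assumption: any AMI usable in the account

Resources:
  # Tier 1: the only group that accepts traffic from outside the VPC.
  LbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Load balancer (LB-SG), reachable from the Internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Tier 2: attached to every Auto Scaling instance; no CIDR rules at all,
  # the source is the load balancer's security group.
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier (Web-SG), reachable only from LB-SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LbSecurityGroup

  # Tier 3: the single instance from the question. Its only inbound rule
  # names Web-SG, so instances the Auto Scaling group adds or replaces are
  # allowed without ever editing this rule.
  BackendSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Backend (Backend-SG), reachable only from Web-SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref WebSecurityGroup

  # The launch template ties Web-SG to whatever the Auto Scaling group launches.
  WebLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro
        SecurityGroupIds:
          - !Ref WebSecurityGroup

  WebAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '1'
      MaxSize: '3'
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchTemplate:
        LaunchTemplateId: !Ref WebLaunchTemplate
        Version: !GetAtt WebLaunchTemplate.LatestVersionNumber

  # The single EC2 instance that should only be reachable from the web tier.
  BackendInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Select [0, !Ref SubnetIds]
      SecurityGroupIds:
        - !Ref BackendSecurityGroup
```

A check worth doing after deploying: `aws ec2 describe-security-groups --group-ids <Backend-SG id>` should show exactly one ingress permission, whose `UserIdGroupPairs` contains the Web-SG ID and whose `IpRanges` is empty. If a CIDR rule appears there, some other path into the backend exists besides the Auto Scaling instances.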
