xog

Reputation: 11

Amazon Security Group - Cannot Connect from within Other Security Group

My security group inbound rules are as follows:

WebAccess

HTTP TCP 80 0.0.0.0/0

SSH TCP 22 0.0.0.0/0

and

DB

MYSQL/Aurora TCP 3306 sg-0252186b (WebAccess)

My instances are set up like this:

Instance 1, web server - security group WebAccess

Instance 2, web server - security group WebAccess

Instance 3, DB server - security group DB

If my understanding is correct, anyone should be able to access HTTP and SSH on my web servers, and only a member instance of the WebAccess group should be able to access the DB server. However, the DB server is not accessible from the web servers.

When I change the 3306 rule to be open to allow inbound from anyone, I can access it fine (also from my local computer, as expected).

Please could somebody help me understand where I'm going wrong?

Thanks, Chris

Upvotes: 1

Views: 399

Answers (1)

Jonathan

Reputation: 830

When you change the security group to 0.0.0.0/0 and you are able to access the DB later on from your desktop, that means your instance has been enabled for public access (i.e. it has a public IP). When you connect to such an instance, traffic leaves the subnet to the internet and comes back in. Because of that, the traffic no longer originates on your web instance but from the internet. You would need to use the web instances' public IPs in that case.

Also please note, the way you have worded your question/comments suggests you use the IP of the RDS instead of the hostname. This works if you use a single-AZ RDS deployment. It won't work if you use multi-AZ or convert this RDS instance to multi-AZ (HA setup). The reason is that during a failover AWS updates the DNS name to point to the new master. If your application is using an IP, no failover will occur.

Even worse: if you use an IP and single-AZ now but later decide to upgrade to multi-AZ, your application will continue to work until the first failover (most likely due to maintenance).

Upvotes: 0
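To make the answer's first point concrete, here is an added toy model (not AWS code, and not from the question or the answer) of how a rule whose source is another security group is evaluated: it matches only when the packet still carries the private IP of an instance in the referenced group, so a connection that hairpins through the internet and arrives from the web server's public IP is not matched, while the 0.0.0.0/0 "fix" admits every host on the internet. The group id sg-0252186b is from the question; the DB group id, instance addresses and the outside address are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    port: int
    source: str  # a CIDR block or a security-group id such as "sg-0252186b"


@dataclass
class Instance:
    name: str
    groups: tuple
    private_ip: str
    public_ip: Optional[str] = None


SG_WEB = "sg-0252186b"       # WebAccess; id taken from the question
SG_DB = "sg-db-placeholder"  # DB group; id is a placeholder
RULES: Dict[str, List[Rule]] = {
    SG_WEB: [Rule(80, "0.0.0.0/0"), Rule(22, "0.0.0.0/0")],
    SG_DB: [Rule(3306, SG_WEB)],
}
# The questioner's workaround: port 3306 open to the whole internet.
OPEN_DB_RULES = {**RULES, SG_DB: [Rule(3306, "0.0.0.0/0")]}


def groups_of_source(src_ip: str, fleet: List[Instance]) -> Set[str]:
    # A group-referencing rule only sees traffic that stayed inside the VPC and
    # still carries the sender's private IP. Traffic that went out to the
    # internet and came back arrives from a public IP that no instance here
    # "owns", so it belongs to no group and the rule cannot match it.
    return {g for i in fleet if i.private_ip == src_ip for g in i.groups}


def allowed(dst: Instance, port: int, src_ip: str,
            fleet: List[Instance], rules=RULES) -> bool:
    src_groups = groups_of_source(src_ip, fleet)
    for rule in (r for g in dst.groups for r in rules[g] if r.port == port):
        if rule.source.startswith("sg-"):
            if rule.source in src_groups:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
            return True
    return False


# Constructed fleet mirroring the question; addresses are made up.
WEB1 = Instance("web1", (SG_WEB,), "10.0.1.10", "203.0.113.10")
DB = Instance("db", (SG_DB,), "10.0.2.20", "203.0.113.20")
FLEET = [WEB1, DB]
```

Calling `allowed(DB, 3306, WEB1.private_ip, FLEET)` returns True while `allowed(DB, 3306, WEB1.public_ip, FLEET)` returns False, and with `OPEN_DB_RULES` both paths succeed, as does a connection from any outside address.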
