Reputation: 444
I'm a bit confused on how security group nesting is meant to work in AWS
say I have the following two security groups:
I then create an sg-RDP group and assign it to an EC2 instance
I add sg-teamA and teamB to the sg-RDP group for RDP (port 3389)
This doesn't work. Why?
I need to add the specific team A and team B member IPs to sg-RDP for them to be allowed to RDP to the VM.
What's the purpose of allowing nested groups, and what scenarios is it meant for, since it doesn't work for the above?
Upvotes: 1
Views: 1652
Reputation: 270084
There is no such thing as "Nested security groups".
In your question, you say "sg-teamA - IPs of team A members - all tcp". It appears you are using Security Groups as a way of listing IP addresses that you want to use as a source for Security Group B. However, this is not how security groups work.
The Inbound rules on a security group act like a firewall, determining what traffic is permitted to come into an EC2 instance. Rules define an IP address and a Port that are permitted access.
For example:
Also, instead of specifying an IP address, Security Groups can refer to other security groups.
For example:
If you have a list of external IP addresses (not related to EC2 instances) and you wish to permit them to access resources protected by Security Group B, then you will need to list them in Security Group B itself.
In your case, this means you should add the external IP addresses to your Security Group sg-RDP.
Upvotes: 4
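To make the distinction in the answer concrete, here is an added example (not from the question or the answer above) that models how an inbound rule is evaluated: a CIDR source is matched against the packet's source address, while a security-group source matches only traffic sent from a network interface that is itself a member of the referenced group, so an external laptop IP can never satisfy it. It also builds the `IpPermissions` structure that `authorize_security_group_ingress` takes for each kind of source. The group IDs, the team IPs (RFC 5737 documentation ranges) and the private instance address are constructed placeholders; no AWS call is made.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Rule:
    """One inbound rule. Exactly one of cidr / source_sg is set."""
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None        # source = IP range (external clients)
    source_sg: Optional[str] = None   # source = another security group


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    protocol: str = "tcp"
    # Security groups attached to the *sending* network interface. Empty for
    # anything that is not an EC2 ENI, e.g. a team member's laptop on the internet.
    src_groups: FrozenSet[str] = frozenset()


def allowed(sg: SecurityGroup, pkt: Packet) -> bool:
    """Simplified model: inbound rules are allow-only, so any matching rule
    admits the traffic and no match means it is dropped."""
    for rule in sg.inbound:
        if rule.protocol not in ("-1", pkt.protocol):
            continue
        if rule.protocol != "-1" and not (rule.from_port <= pkt.dst_port <= rule.to_port):
            continue
        # A CIDR source matches on the packet's source address.
        if rule.cidr and ip_address(pkt.src_ip) in ip_network(rule.cidr):
            return True
        # A security-group source matches only if the sending ENI is a member
        # of that group; a bare IP address never satisfies it.
        if rule.source_sg and rule.source_sg in pkt.src_groups:
            return True
    return False


def ip_permission(rule: Rule) -> dict:
    """IpPermissions entry in the shape EC2's authorize_security_group_ingress
    expects (the API call itself is not made in this offline example)."""
    perm = {"IpProtocol": rule.protocol, "FromPort": rule.from_port, "ToPort": rule.to_port}
    if rule.cidr:
        perm["IpRanges"] = [{"CidrIp": rule.cidr}]
    if rule.source_sg:
        perm["UserIdGroupPairs"] = [{"GroupId": rule.source_sg}]
    return perm


# Constructed placeholder IDs and addresses (RFC 5737 documentation ranges).
SG_TEAM_A = "sg-0teamA00000000000"
SG_RDP = "sg-0rdp0000000000000"
TEAM_A_IP = "203.0.113.10"
TEAM_B_IP = "198.51.100.25"

# What the question tried: sg-RDP allows 3389 "from sg-teamA".
sg_rdp_by_group = SecurityGroup(SG_RDP, [Rule("tcp", 3389, 3389, source_sg=SG_TEAM_A)])

# What the answer recommends: list the external IPs in sg-RDP itself.
sg_rdp_by_cidr = SecurityGroup(SG_RDP, [
    Rule("tcp", 3389, 3389, cidr=f"{TEAM_A_IP}/32"),
    Rule("tcp", 3389, 3389, cidr=f"{TEAM_B_IP}/32"),
])

laptop = Packet(TEAM_A_IP, 3389)                          # external client, no ENI
instance_in_team_a = Packet("10.0.1.15", 3389,            # EC2 ENI that is in sg-teamA
                            src_groups=frozenset({SG_TEAM_A}))
stranger = Packet("192.0.2.77", 3389)                     # unrelated external address


def evaluate() -> dict:
    return {
        "group_rule_laptop": allowed(sg_rdp_by_group, laptop),                  # False
        "group_rule_ec2_member": allowed(sg_rdp_by_group, instance_in_team_a),  # True
        "cidr_rule_laptop": allowed(sg_rdp_by_cidr, laptop),                    # True
        "cidr_rule_stranger": allowed(sg_rdp_by_cidr, stranger),                # False
    }


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DROP'}")
    print(ip_permission(sg_rdp_by_cidr.inbound[0]))
```

The `group_rule_ec2_member` case is the scenario group references are meant for: an instance that carries sg-teamA on its ENI (for example an app tier talking to a database tier) is admitted without anyone maintaining IP lists. The laptop case shows why the question's setup fails, and the CIDR rules show the fix the answer gives; keeping those CIDRs as /32 entries rather than broad ranges limits RDP exposure to exactly the listed addresses.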