connorvo

Reputation: 831

Configure AWS EC2 instance to only allow traffic from load balancer

I have a load balancer which sends traffic to my auto-scaling group. I have two EC2 instances: instance 7000 (which is listening on port 7000, is part of the auto-scaling group, and gets its traffic from the load balancer) and instance 8545 (which is listening on port 8545, and is not part of the auto-scaling group). I have a load balancer security group named "LB-SG" and a security group for instance 8545 named "App-SG".

I want instance 8545 to only allow traffic from instances that are part of the load balancer / auto-scaling group.

I included LB-SG as an inbound rule for App-SG on port 8545, but it is not working. However, if I simply include the IP address for instance 7000 on port 8545 as an inbound rule in LB-SG, it works perfectly. But that doesn't solve my issue, because if more instances get added by the auto-scaling group, or the IP address changes, then it won't work.

Upvotes: 20

Views: 34885

Answers (2)

John Rotenstein

Reputation: 270104

2nd attempt...

You should create three security groups:

  • LB-SG for the Load Balancer
    • Allow inbound 80/443
  • App-SG for the instances in the Auto Scaling group
    • Allow inbound 7000 from LB-SG
  • Extra-SG for the 8545 instance (I didn't know what to call it!)
    • Allow inbound 8545 from App-SG

Once again, there is no need to reference specific IP addresses.

Side-note: You said "allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group" -- instances are in the Auto Scaling group, but there are no instances in the Load Balancer. Therefore, I have assumed that the 8545 instance only receives traffic from the App-SG (7000) instances.

Update: Make sure the instances are communicating via Private IP addresses.

Upvotes: 8

John Rotenstein

Reputation: 270104

Your requirements are a little unclear, but here is the general use-case...

If you wish an instance to accept traffic from a Load Balancer, then:

  • Create a Security Group for your Load Balancer ("LB-SG")
  • Create a Security Group for your instances ("App-SG")
  • In App-SG, permit inbound traffic on the desired port from LB-SG

That is, the App-SG rule specifically references LB-SG by its unique name (sg-abcd1234).

Result: Every instance associated with App-SG will permit inbound traffic that is coming from the Load Balancer.

Similarly, if you want a specific instance (Instance-A) to accept traffic from another instance (Instance-B), create a different security group for each instance and add a rule to the Instance-A security group to permit inbound traffic on a given port from the Instance-B security group.

There is no need to use IP addresses.

Upvotes: 43
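A small model of the security-group evaluation both answers describe, added here as an illustration and not code from the original post or from AWS: it encodes the three groups from the first answer, shows that a newly scaled instance is accepted because of group membership rather than its address, and shows why the update about private IPs matters (the VPC layout, group IDs and addresses are constructed).

```python
from ipaddress import ip_address, ip_network

# Constructed VPC layout and IDs (not from the post); only the group names
# LB-SG / App-SG / Extra-SG and ports 80/443, 7000 and 8545 come from the answers.
VPC = ip_network("10.0.0.0/16")
LB_SG, APP_SG, EXTRA_SG = "sg-0lb00000", "sg-0app0000", "sg-0extra00"

# Inbound rules per group as (port, source); a source is a CIDR or another group ID.
RULES = {
    LB_SG: [(80, "0.0.0.0/0"), (443, "0.0.0.0/0")],
    APP_SG: [(7000, LB_SG)],
    EXTRA_SG: [(8545, APP_SG)],
}

# ENIs in the VPC: the load balancer node, two Auto Scaling instances (the second
# launched later, with an address no rule mentions) and the 8545 instance.
ENIS = {
    "lb-node":  {"groups": {LB_SG},    "private_ip": "10.0.0.5"},
    "i-7000-a": {"groups": {APP_SG},   "private_ip": "10.0.1.10", "public_ip": "203.0.113.10"},
    "i-7000-b": {"groups": {APP_SG},   "private_ip": "10.0.1.11", "public_ip": "203.0.113.11"},
    "i-8545":   {"groups": {EXTRA_SG}, "private_ip": "10.0.2.20"},
}

def source_groups(src_ip):
    """Groups a packet is attributed to. A group reference matches only traffic
    from a member ENI's VPC-private address; a packet that hairpins through a
    public IP carries no group identity (hence the answer's private-IP update)."""
    if ip_address(src_ip) not in VPC:
        return set()
    return next((e["groups"] for e in ENIS.values() if e["private_ip"] == src_ip), set())

def inbound_allowed(dst_groups, port, src_ip):
    """Evaluate the inbound rules of every group on the destination ENI.
    Security groups are default-deny: no matching rule means the packet is dropped."""
    src_groups = source_groups(src_ip)
    for g in dst_groups:
        for rule_port, source in RULES.get(g, ()):
            if rule_port != port:
                continue
            if source.startswith("sg-"):
                if source in src_groups:
                    return True
            elif ip_address(src_ip) in ip_network(source):
                return True
    return False

if __name__ == "__main__":
    dst = ENIS["i-8545"]["groups"]
    print(inbound_allowed(dst, 8545, "10.0.1.11"))     # True: new ASG member, no IP rule needed
    print(inbound_allowed(dst, 8545, "203.0.113.10"))  # False: same instance via its public IP
```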
