Tags: amazon-web-services, amazon-ec2, aws-security-group

EC2 security groups cannot communicate with each other
I have two AWS EC2 instances that are trying to talk to each other over a custom TCP port. Each instance has its own security group, but neither can talk to each other.

Here's my setup:

EC2 Instance 1

  • Name: instance-1
  • Public IP address: aaa.bbb.ccc.ddd
  • Security group ID: sg-xxxxxxxxxx1
  • SG inbound rules: none
  • SG outbound rules:
    • Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0

EC2 Instance 2

  • Name: instance-2
  • Public IP address: www.xxx.yyy.zzz
  • Security group ID: sg-xxxxxxxxxx2
  • SG inbound rules:
    • Type: Custom TCP Rule, Protocol: TCP, Port Range: 12345, Source: sg-xxxxxxxxxx1

  • SG outbound rules:
    • Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0

The problem

Whenever instance-1 tries to initiate a TCP request to www.xxx.yyy.zzz:12345, the connection times out.

If I add the following inbound rule to instance-2's SG, it works just fine:

  • Type: All traffic, Protocol: All, Port Range: 12345, Source: 0.0.0.0/0

Summary

I need instance-1 to talk to instance-2 without allowing traffic from anywhere to access port 12345. Is there a way to do this?
Solution

  • You cannot access a public IP using a security group as the incoming source.

    When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses). For more information about IP addresses, see Amazon EC2 Instance IP Addressing.

    Use the private IP address or use the public IP as the source.

    References

    Security Group Connection Tracking
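The behaviour the answer quotes can be made concrete with a small model of how EC2 evaluates an ingress rule. This is an added example, not code from the question, the answer, or AWS; the group IDs and addresses are constructed placeholders standing in for instance-1 and instance-2, and nothing here calls AWS. The model encodes two facts: a security-group source is resolved to the private IPs of that group's members, and a connection to an instance's public IP leaves the VPC through the internet gateway, so the target sees the caller's public address. It also evaluates the two alternatives the answer mentions (connect to the private IP, or allow the caller's public IP) next to the asker's 0.0.0.0/0 workaround, and additionally checks an unrelated host, which goes a little beyond the question.

```python
"""Model of EC2 security-group ingress evaluation for the question's scenario.

Constructed example: instance names, group IDs and IP addresses are placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    name: str
    sg_id: str
    private_ip: str
    public_ip: str


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp" or "all"
    from_port: int  # 0..65535 stands for "All"
    to_port: int
    source: str     # a CIDR ("0.0.0.0/0", "203.0.113.10/32") or a security-group id ("sg-...")


# Constructed fleet: instance-1 and instance-2 share a VPC; "outsider" is an unrelated internet host.
INSTANCE_1 = Instance("instance-1", "sg-xxxxxxxxxx1", "10.0.1.10", "203.0.113.10")
INSTANCE_2 = Instance("instance-2", "sg-xxxxxxxxxx2", "10.0.1.20", "203.0.113.20")
OUTSIDER = Instance("outsider", "sg-unrelated", "10.9.9.9", "198.51.100.7")
VPC_INSTANCES = (INSTANCE_1, INSTANCE_2)


def rule_matches(rule, protocol, port, seen_src_ip, vpc_instances):
    """True if one ingress rule admits a packet with this protocol, port and source address."""
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # A group reference resolves to the *private* addresses of the group's members;
        # the members' public or Elastic IPs never match (the point of the answer).
        member_private_ips = {i.private_ip for i in vpc_instances if i.sg_id == rule.source}
        return seen_src_ip in member_private_ips
    return ipaddress.ip_address(seen_src_ip) in ipaddress.ip_network(rule.source, strict=False)


def connect(src, dst, dst_ip, port, dst_rules, protocol="tcp"):
    """Return True if dst's ingress rules admit a connection from src to dst_ip:port.

    The path decides which source address dst sees: a connection to dst's public IP
    leaves the VPC via the internet gateway, so dst sees src's public IP; a connection
    to dst's private IP stays inside the VPC, so dst sees src's private IP.
    """
    if dst_ip == dst.private_ip:
        seen_src_ip = src.private_ip if src in VPC_INSTANCES else None
    elif dst_ip == dst.public_ip:
        seen_src_ip = src.public_ip
    else:
        raise ValueError(f"{dst_ip} is not an address of {dst.name}")
    if seen_src_ip is None:
        return False  # a host outside the VPC cannot route to a private address at all
    return any(rule_matches(r, protocol, port, seen_src_ip, VPC_INSTANCES) for r in dst_rules)


PORT = 12345
# The question's rule on instance-2: source is instance-1's security group.
SG_SOURCE_RULES = (IngressRule("tcp", PORT, PORT, INSTANCE_1.sg_id),)
# The asker's workaround: the whole internet may reach the port.
OPEN_RULES = (IngressRule("tcp", PORT, PORT, "0.0.0.0/0"),)
# The answer's other option when the public path must stay: instance-1's public IP as a /32.
PUBLIC_IP_RULES = (IngressRule("tcp", PORT, PORT, f"{INSTANCE_1.public_ip}/32"),)


def scenario_table():
    """Evaluate each rule set against the three connections that matter.

    Returns {(ruleset_name, case_name): allowed}."""
    rulesets = {"sg-source": SG_SOURCE_RULES, "open-to-world": OPEN_RULES, "public-ip/32": PUBLIC_IP_RULES}
    cases = {
        "instance-1 -> instance-2 public IP": (INSTANCE_1, INSTANCE_2.public_ip),
        "instance-1 -> instance-2 private IP": (INSTANCE_1, INSTANCE_2.private_ip),
        "outsider -> instance-2 public IP": (OUTSIDER, INSTANCE_2.public_ip),
    }
    return {(name, case): connect(src, INSTANCE_2, ip, PORT, rules)
            for name, rules in rulesets.items() for case, (src, ip) in cases.items()}


if __name__ == "__main__":
    for (ruleset, case), allowed in scenario_table().items():
        print(f"{ruleset:14} {case:38} {'ALLOW' if allowed else 'DROP (times out)'}")
```

Running it reproduces the question: with the group-referencing rule, the connection to the public IP is dropped while the same connection to the private IP is allowed, and the outsider is refused in both cases. The 0.0.0.0/0 workaround admits everyone. The /32 rule on instance-1's public IP keeps the outsider out, but note the mirror-image caveat it shows: once you allow by public address you must also connect to the public address, because traffic that stays inside the VPC carries the private source IP and no longer matches.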