Reputation: 9672
I'm having trouble understanding the source attribute on AWS security groups. My understanding is that e.g. this security group:
Would allow traffic on port 5432 from all EC2 instances that have the attached security group sg-0a5.... I'm not sure how this is determined though. Is there an IP table with all security groups and their instances that this is checked against?
I'm also very confused because I'm currently following a guide that suggests creating a security group and attaching the source attribute to its own environment. To my understanding, this would mean that the environment allows traffic to itself, which is quite paradoxical to me. I'd love some clarification.
Upvotes: 2
Views: 589
Reputation: 35146
When traffic traverses internally inside the VPC, the evaluation is actually performed on whether the private IP address is part of an ENI which has that security group attached.
To be clear, as it is evaluated based on the ENI, this rule will only work if traffic travels internally inside the VPC/region (private IP to private IP). If it leaves the AWS network or region then the evaluation cannot be performed and thus the rule will fail.
When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port. Incoming traffic is allowed based on the private IP addresses of the network interfaces that are associated with the source security group (and not the public IP or Elastic IP addresses).
In your example you mention referencing a security group as a source within itself; however, based on the description above, it is more seen as metadata when evaluated to confirm the host instance has met this requirement.
In fact the default security group starts by allowing an inbound rule where the source is itself.
Upvotes: 2
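The evaluation the answer describes, written out as an added example that is not part of the original question or answer and is not AWS's implementation: a small model in which an SG reference in a rule is resolved to the private IPs of the ENIs that currently have that SG attached, and traffic is matched only against those private addresses. The ENI IDs, SG IDs and IP addresses (`sg-app`, `sg-db`, `10.0.1.10`, `203.0.113.10` and so on) are constructed for the example. It also shows why a self-referencing rule is not paradoxical: `sg-app` allowing `sg-app` simply means "any ENI that has sg-app attached may reach any other ENI that has sg-app attached".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Hypothetical inventory, constructed for this example. An ENI may carry a
# public/Elastic IP, but SG-referencing rules never look at it.
@dataclass(frozen=True)
class Eni:
    eni_id: str
    private_ip: str
    public_ip: Optional[str]
    security_groups: frozenset


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    from_port: int
    to_port: int
    source_sg: Optional[str] = None    # source is another SG (possibly itself)
    source_cidr: Optional[str] = None  # or a CIDR block


ENIS: List[Eni] = [
    Eni("eni-app1", "10.0.1.10", "203.0.113.10", frozenset({"sg-app"})),
    Eni("eni-app2", "10.0.1.11", None, frozenset({"sg-app"})),
    Eni("eni-db", "10.0.2.20", None, frozenset({"sg-db"})),
    Eni("eni-other", "10.0.3.30", None, frozenset({"sg-other"})),
]

# Hypothetical rule set: sg-db admits Postgres from sg-app; sg-app admits all
# TCP from itself (the "self-referencing" rule the question asks about).
RULES: Dict[str, List[IngressRule]] = {
    "sg-db": [IngressRule("tcp", 5432, 5432, source_sg="sg-app")],
    "sg-app": [IngressRule("tcp", 0, 65535, source_sg="sg-app")],
}


def private_ips_in_sg(sg_id: str, enis: List[Eni] = ENIS) -> Set[str]:
    """Resolve an SG reference to the private IPs of ENIs that have it attached.

    This is the lookup the answer describes: the rule is evaluated against
    ENI membership at the time of the check, not against a static IP list.
    """
    return {e.private_ip for e in enis if sg_id in e.security_groups}


def ingress_allowed(
    dest_sgs: Set[str],
    src_ip: str,
    protocol: str,
    port: int,
    rules: Dict[str, List[IngressRule]] = RULES,
    enis: List[Eni] = ENIS,
) -> bool:
    """Return True if any rule on the destination's SGs admits this packet.

    Security groups are allow-lists: a single matching rule admits the
    traffic, and no rule matching means it is dropped.
    """
    src = ip_address(src_ip)
    for sg_id in dest_sgs:
        for rule in rules.get(sg_id, []):
            if rule.protocol != protocol:
                continue
            if not (rule.from_port <= port <= rule.to_port):
                continue
            if rule.source_cidr and src in ip_network(rule.source_cidr):
                return True
            # SG-sourced rules match on private IPs of member ENIs only.
            if rule.source_sg and src_ip in private_ips_in_sg(rule.source_sg, enis):
                return True
    return False


if __name__ == "__main__":
    db = {"sg-db"}
    app = {"sg-app"}
    print("app1 private -> db:5432 ", ingress_allowed(db, "10.0.1.10", "tcp", 5432))
    print("app1 public  -> db:5432 ", ingress_allowed(db, "203.0.113.10", "tcp", 5432))
    print("other        -> db:5432 ", ingress_allowed(db, "10.0.3.30", "tcp", 5432))
    print("app1         -> app2:8080", ingress_allowed(app, "10.0.1.10", "tcp", 8080))
```

The second case is the practical trap the answer warns about: if app1's traffic arrives from its public or Elastic IP (for example because it was routed out through an internet gateway and back, or across a region), the source address is not among the private IPs of any `sg-app` ENI, so the SG-referencing rule does not match and the packet is dropped even though the instance is a member of the referenced group.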