6

I have two kinds of instances: servers and workers.

I have two security groups - server_security_group and worker_security_group

Servers belong to the server_security_group, workers to worker_security_group

In server_security_group I have set an inbound rule to allow TCP on port 8000 to worker_security_group. (This appears to be understood by the security group as the name of the sg comes up in the inbound rule.)

However, workers are unable to access port 8000 on servers.

If I add an inbound rule to server_security_group to allow TCP on 8000 to specifically the IP address of one worker, then the worker has access.

Is there anything obvious I'm doing wrong? Thanks.

Omroth
  • 217

2 Answers2

9

If you want to refer the worker_security_group from server_security_group you must make sure that the workers use Private IP addresses of the servers when they talk to them.

Public and Elastic IPs (e.g. 52.x.x.x or 13.x.x.x or 3.x.x.x or similar) do not carry the Security Group info with them, only the Private IPs ones do.

For example:

  • Server has Private IP 172.16.1.2 and Public IP 52.12.34.56
  • Worker has Private IP 172.16.2.3 and Public IP 13.14.15.16

With your Security Group setup where you reference the Worker SG from Server SG the Worker can connect to Server's 172.16.1.2 but not to 52.12.34.56.

Hope that makes sense :)

MLu
  • 25,409
0

Welcome to ServerFault!

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

It has nothing to do with IP addresses specified in the group specified as source or destination of the rule, it affects instances:

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses). For more information about IP addresses, see Amazon EC2 Instance IP Addressing. If your security group rule references a security group in a peer VPC, and the referenced security group or VPC peering connection is deleted, the rule is marked as stale. For more information, see Working with Stale Security Group Rules in the Amazon VPC Peering Guide.

GioMac
  • 4,634
  • Thank you for the warm welcome GioMac! Are you saying that:
    1. The instances are not in the same VPC
    2. I've misunderstood which of the security groups I should be adding the incoming rule to
    3. Something else I'm missing
     – Omroth Jun 06 '19 at 18:37
  • I think you've missed his point. The server security group can allow access from the worker security group, or vice versa. Go into your server security group, edit the incoming rules, in the source field type "sg" and use autocomplete to choose the one you need. Your servers and workers should be in the same VPC and ideally the same AZ to reduce bandwidth charges, but if you need resilience you can distribute the servers across multiple AZs, though this incurs bandwidth charges. – Tim Jun 06 '19 at 20:36