Why can't I access when I refer to a security group in a security group?

0

Explaining the previous environment would be too complicated, so I'll change the environment I'm curious about to make it simpler.

Subnet A (10.0.10.0/24) was created in VPC A (10.0.0.0/16). The private IPs of EC2 A and EC2 B are assigned from subnet A. The route table for subnet A has "destination 10.0.0.0/16 -> local" and "destination 0.0.0.0/0 -> internet gateway". A web application using port 80 is running on EC2 B.

The security groups were set up in VPC A as follows. In security group A, the inbound port is any and the IP is 10.0.10.0/24, which is subnet A. (Outbound is port any, IP range any.) Security group B was created with an inbound rule for port 80 that references security group A. (Outbound is port any, IP range any.) For the test, security group C was set to port 80 with the IP set to EC2 B's IP. To connect to EC2 A, security group D was set to inbound port 22 from 0.0.0.0/0, and then I connected to the EC2 instance.

I assigned an EIP to EC2 A. After attaching security group B to EC2 B, I connected to EC2 A via SSH and checked with curl "ec2 private ip":80, and I got a 504 error. However, after attaching security group C to EC2 B, I connected to EC2 A via SSH, checked with curl "ec2 private ip":80, and the connection returned 200 normally.

Why doesn't the security group reference behave like an IP range? Looking at "https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing", it says that the private IP and the network you belong to are what the security group reference refers to.

If so, does a security group reference mean that only a security group with a single IP can be referenced?

3 answers
1

When you say you checked with curl "ec2 private ip":80, do you mean EC2 B's private IP, and you're running this on EC2 A?

The behaviour you're seeing matches the description of steps you took, as you don't say anywhere you connected SG A to EC2 A. If you did, then a SG B rule allowing ingress from SG A should allow EC2 A to connect to EC2 B.

Expert
answered a year ago
0

Hi, please clarify so people can help as suggested by @Hrushi G. For example:

Which subnets are your load balancer in? Is it an internal or public load balancer?

When you say "the load balancer also referenced security group A", do you mean the load balancer's security group (let's call it B) referenced security group A?

Are the security group rules you've mentioned all Ingress, not Egress rules?

How do your load balancer and Fargate connect? It's not clear from your description whether your container is acting as a client of the load balancer, which is in front of some other workload, or whether the load balancer is in front of Fargate.

How are you testing it? Do you have a client attempting to connect to the load balancer? Where is this client, and what protocol is used?

What error message do you get?

Expert
answered a year ago
  • Thank you for the description. I will explain in more detail.

  • Sorry for not being specific in your question. To make the question more detailed, I used a simple environment as an example. I would be grateful if you could answer this question.

0

Edited per modified question: Please review the documentation on security group referencing here: https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing

Objective: SSH to EC2 A using Elastic/Public IP, and run curl command to EC2 B on port 80 from EC2 A.

SGA - Security Group A must be associated with EC2 A > Inbound Rule: Source <My IP>, Port 22

SGB - Security Group B must be associated with EC2 B > Inbound Rule: Source SGA, Port 80

Keep the outbound rules for both SGs at their defaults.

In this scenario, we are referencing SGA as the source to reach EC2 B.

AWS
Expert
answered a year ago
  • Sorry for not being specific in your question. To make the question more detailed, I used a simple environment as an example. I would be grateful if you could answer this question.
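The point the answers make is that a rule whose source is another security group matches on the groups attached to the sender's network interface, not on the sender's IP address. The following is an added model of that evaluation (not AWS code, and not from the original thread); the group IDs, instance addresses and the assumption that SG C's IP rule covers the client's address are constructed for the illustration.

```python
# Added model of security-group ingress evaluation: a group-reference source
# matches the groups attached to the sender's ENI, a CIDR source matches its IP.
# Group ids, addresses and instance names are constructed for this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    port: Optional[int]   # None means any port
    source: str           # CIDR ("10.0.10.0/24") or a group id ("sg-a")

@dataclass
class SecurityGroup:
    gid: str
    ingress: List[Rule] = field(default_factory=list)

@dataclass
class Instance:
    private_ip: str
    groups: List[SecurityGroup]

def rule_matches(rule: Rule, src: Instance, port: int) -> bool:
    if rule.port is not None and rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Group reference: the sender must have that group attached.
        return any(g.gid == rule.source for g in src.groups)
    # CIDR source: plain address match; the sender's groups are irrelevant.
    return ip_address(src.private_ip) in ip_network(rule.source)

def ingress_allowed(src: Instance, dst: Instance, port: int) -> bool:
    """Security groups are allow-lists: one matching rule on any attached group permits the flow."""
    return any(rule_matches(r, src, port) for g in dst.groups for r in g.ingress)

# Constructed reproduction of the question's setup inside subnet A (10.0.10.0/24).
sg_a = SecurityGroup("sg-a", [Rule(None, "10.0.10.0/24")])   # any port from subnet A
sg_b = SecurityGroup("sg-b", [Rule(80, "sg-a")])             # port 80 from members of SG A
sg_c = SecurityGroup("sg-c", [Rule(80, "10.0.10.21/32")])    # port 80 from the client's IP
sg_d = SecurityGroup("sg-d", [Rule(22, "0.0.0.0/0")])        # SSH from anywhere

ec2_a_only_sgd = Instance("10.0.10.21", [sg_d])         # as described in the question
ec2_a_with_sga = Instance("10.0.10.21", [sg_d, sg_a])   # the fix: attach SG A to EC2 A
ec2_b_with_sgb = Instance("10.0.10.22", [sg_b])
ec2_b_with_sgc = Instance("10.0.10.22", [sg_c])

# Same source IP, different outcome: the SG-A reference needs SG A on the sender.
# ingress_allowed(ec2_a_only_sgd, ec2_b_with_sgb, 80) -> False
# ingress_allowed(ec2_a_with_sga, ec2_b_with_sgb, 80) -> True
# ingress_allowed(ec2_a_only_sgd, ec2_b_with_sgc, 80) -> True
```

The model deliberately ignores egress, NACLs and connection tracking; it only shows why the reference rule fails for a sender that lacks the referenced group.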
