As the EC2 instances belong to the same subnet, they can communicate internally using private IPs. If you are using the same Security Group for both the EC2 instances, you don't need to do anything. For the ALB security group, allow all communication from the EC2 security group, and likewise for the EC2 security group, allow communication from the ALB security group.
Since the two EC2 instances are on the same subnet and in the same VPC, they can communicate using their private IPs without routing via the Internet. If you are using the same Security Group for both the EC2 instances, you will need to add an Inbound rule in the security group that references the same security group as Source for the required port (by default there is a rule for All/All Outbound; if not, a corresponding Outbound rule is required). If you are using two different Security Groups for the two EC2 instances, you need to add appropriate Inbound/Outbound rules that reference each other for the desired port.
@dspaws Thanks for your answer. I was trying this out earlier and sort of did the same as suggested. However, when I added an application load balancer (ALB) to one of the apps, it got a bit more complex. The private IPs would work for standalone servers. However, for an ALB, the internal IP of the network interfaces could change because as the load balancer scales more instances up and down, it's not guaranteed to get the same IPs.
You can use the ALB's FQDN URL to communicate, and even though it resolves to the public IP, the traffic will remain on AWS's private network as both the source and destination instance/service are hosted on AWS:
See the answer to the question below in this FAQ: https://aws.amazon.com/vpc/faqs/
Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?
@rishisra for the ALB, I should not reference the private IPs because they are likely to change. Isn't it? So, how do I reference the ALB from the other app so that EC2 <-> ALB communication is internal? If I use the DNS name of the ALB, then that routes via the internet.
@prasvin Sorry, I was not clear: there is no point in accessing the ALB through private IPs. Is it possible to use an internal ALB for private communication?
@rishisra I used an internal ALB for private communication. Thanks for the help.
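The two pieces discussed in this thread, security groups that reference each other (dspaws's answer) and an internal ALB so the caller can use a stable hostname that resolves only to private IPs (the final exchange), put together as a CloudFormation template. This is an added example, not code posted by anyone in the thread and not AWS-provided: the VPC ID, subnet IDs and ACM certificate ARN are parameters you supply, and port 8080 and the `/health` path are assumed values for app B.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Constructed example: security groups that reference each other plus an
  internal ALB, so app-to-app traffic stays on private IPs inside the VPC.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # at least two subnets in different AZs
  CertificateArn:
    Type: String                        # ACM certificate for the HTTPS listener

Resources:
  # --- Pattern 1: one shared security group (the same-SG case) -----------
  SharedSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Shared by both apps; members may talk to each other
      VpcId: !Ref VpcId
  # Self-referencing inbound rule: Source is the group itself (port 8080 assumed)
  SharedSelfIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SharedSecurityGroup
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref SharedSecurityGroup

  # --- Pattern 2: separate groups for app A, the internal ALB and app B --
  AppASecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App A instances (the caller)
      VpcId: !Ref VpcId
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internal ALB in front of app B
      VpcId: !Ref VpcId
  AppBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App B instances (ALB targets)
      VpcId: !Ref VpcId

  # Rules are separate resources so the groups can reference each other
  # without a circular dependency. Outbound keeps the default allow-all rule.
  AlbIngressFromAppA:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AlbSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref AppASecurityGroup   # only app A may call the ALB
  AppBIngressFromAlb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppBSecurityGroup
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref AlbSecurityGroup    # only the ALB may reach app B

  # Scheme internal: the ALB gets private IPs only and its DNS name resolves
  # to them, so app A uses the hostname, the changing IPs do not matter, and
  # nothing is routed towards the internet.
  InternalAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroup
  AppBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTP
      Port: 8080
      HealthCheckPath: /health          # assumed health-check path
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref InternalAlb
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppBTargetGroup

Outputs:
  AppBEndpoint:
    Description: Hostname app A should call; resolves to private IPs only
    Value: !Sub "https://${InternalAlb.DNSName}"
```

Deploy with `aws cloudformation deploy --template-file internal-alb.yaml --stack-name app-private-link --parameter-overrides VpcId=... PrivateSubnetIds=... CertificateArn=...` and point app A at the `AppBEndpoint` output. Keeping the ingress rules as separate `SecurityGroupIngress` resources is what lets the groups point at each other; inline rules on both groups would be a circular reference. Because the ALB group only admits app A's group and app B's group only admits the ALB's group, a compromised instance elsewhere in the subnet cannot reach app B directly even though it shares the subnet.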