Problem: When removing outbound rule ALLOW-ALL 0.0.0.0/0 from security group, all INBOUND traffic stops


I'm trying to restrict an EC2 instance's outbound connectivity to just a few other systems, plus any infrastructure services as needed.

For testing, the destination instance's inbound rule allows all traffic from the same subnet. When the outbound rule still has 0.0.0.0/0, I'm able to ping and RDP to it from the same subnet. When I remove 0.0.0.0/0 from the destination instance's outbound SG, I stop being able to ping/RDP to it. Even when I open full outbound traffic back to the source instance, it doesn't help. (I know, SG rules are stateful.)

Why would removing the ALLOW ALL 0.0.0.0/0 OUTBOUND rule drop my INBOUND traffic?

I spent a few hours on this with AWS Support, no luck yet. Expecting a call with an escalation engineer first thing tomorrow.

acdci
asked a month ago, 161 views
1 Answer

You're describing the security group attached to the destination instance, but what's configured in the security group of the source instance? Would you be comfortable sharing screenshots of a) the security groups attached to the ENI of the source instance, b) the SGs attached to the ENI of the destination instance, c) the outbound rules in the security group(s) of the source instance, and d) the inbound rules of the SG(s) of the destination instance?

The symptoms you're describing would match if both the instances were using the same SG, i.e., "a" and "b" would be the same.

You can also use the VPC Reachability Analyzer in the console to see a visualisation of the path your traffic is taking and how all the specific parts of your configuration, such as security groups, interact to cause the connection to work or not to work end to end: https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html

EXPERT
Leo K
answered a month ago
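To make the hypothesis in the answer concrete, here is an added model of stateful security-group evaluation (example code written for this page, not from AWS or from either poster). It assumes a constructed subnet 10.0.1.0/24 with a source instance at 10.0.1.10 and a destination at 10.0.1.20, and security group names sg-shared, sg-source and sg-dest that are placeholders. A connection initiated by the source has to pass the source's outbound rules and the destination's inbound rules; the destination's outbound rules are never consulted for the reply. If both instances carry the same group, deleting its 0.0.0.0/0 outbound rule also removes the source's permission to send the first packet, which looks exactly like "inbound stopped" on the destination.

```python
"""Stateful security-group evaluation model (added example, assumptions labelled)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    protocol: str                   # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int                  # -1 means all ports, as in the EC2 API
    to_port: int
    cidr: Optional[str] = None      # IPv4 CIDR the peer must fall in, or ...
    group_id: Optional[str] = None  # ... a security group the peer must carry


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    ip: str
    sgs: List[SecurityGroup]        # groups attached to the instance's ENI


def rule_matches(rule: Rule, protocol: str, port: int, peer_ip: str, peer_sg_ids: set) -> bool:
    """True if a single rule permits this protocol/port to or from this peer."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    if rule.group_id is not None:
        return rule.group_id in peer_sg_ids
    return False


def source_outbound_allowed(src: Instance, dst: Instance, protocol: str, port: int) -> bool:
    """The initiating packet must match an outbound rule on one of the SOURCE's groups."""
    dst_ids = {g.group_id for g in dst.sgs}
    return any(rule_matches(r, protocol, port, dst.ip, dst_ids)
               for g in src.sgs for r in g.outbound)


def destination_inbound_allowed(src: Instance, dst: Instance, protocol: str, port: int) -> bool:
    """The initiating packet must also match an inbound rule on one of the DESTINATION's groups."""
    src_ids = {g.group_id for g in src.sgs}
    return any(rule_matches(r, protocol, port, src.ip, src_ids)
               for g in dst.sgs for r in g.inbound)


def connection_allowed(src: Instance, dst: Instance, protocol: str, port: int) -> dict:
    """Stateful model: the reply is tracked, so the destination's outbound rules are not checked."""
    out_ok = source_outbound_allowed(src, dst, protocol, port)
    in_ok = destination_inbound_allowed(src, dst, protocol, port)
    return {"source_outbound": out_ok, "destination_inbound": in_ok, "allowed": out_ok and in_ok}


# Constructed test topology (assumption): both instances sit in 10.0.1.0/24.
SUBNET = "10.0.1.0/24"
SRC_IP, DST_IP = "10.0.1.10", "10.0.1.20"
ALLOW_ALL_OUT = Rule("-1", -1, -1, cidr="0.0.0.0/0")
ALLOW_SUBNET_IN = Rule("-1", -1, -1, cidr=SUBNET)
RDP = ("tcp", 3389)


def shared_sg_scenario(outbound_rules: List[Rule]) -> dict:
    """Both instances use the SAME group; only its outbound rule set varies."""
    sg = SecurityGroup("sg-shared", inbound=[ALLOW_SUBNET_IN], outbound=list(outbound_rules))
    return connection_allowed(Instance(SRC_IP, [sg]), Instance(DST_IP, [sg]), *RDP)


def separate_sg_scenario() -> dict:
    """Distinct groups: the destination's group has NO outbound rules at all."""
    sg_src = SecurityGroup("sg-source", outbound=[ALLOW_ALL_OUT])
    sg_dst = SecurityGroup("sg-dest", inbound=[ALLOW_SUBNET_IN], outbound=[])
    return connection_allowed(Instance(SRC_IP, [sg_src]), Instance(DST_IP, [sg_dst]), *RDP)


if __name__ == "__main__":
    print("shared SG, 0.0.0.0/0 outbound present :", shared_sg_scenario([ALLOW_ALL_OUT]))
    print("shared SG, outbound rule removed      :", shared_sg_scenario([]))
    # 'Opening outbound back to the source' on the shared group does not help: the
    # source still needs an outbound rule that matches the DESTINATION's address.
    print("shared SG, outbound only to source IP :",
          shared_sg_scenario([Rule("-1", -1, -1, cidr=SRC_IP + "/32")]))
    print("separate SGs, dest has no outbound    :", separate_sg_scenario())
```

The third scenario mirrors the "open full outbound traffic back to the source instance" attempt from the question: on a shared group that rule only permits packets destined for the source's own address, so the source's first packet toward the destination is still dropped. The last scenario shows that a destination group with no outbound rules at all does not block inbound RDP, which is the stateful behaviour the question expected.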
