Can't connect to EC2 with chained security groups

0

Hello, I can't connect (SSH connection timeout) when chaining security groups.

To reproduce:

  1. Create a VPC with a public network. Create a Linux VM. Start the instance.
  2. Create a security group (SG1) and enable ingress from 0.0.0.0 on port 22.
  3. Create an ingress ICMP rule for source 0.0.0.0.
  4. Test connectivity to the instance with ssh <pub ip>: the connection will be rejected because no PEM key is provided (this test serves only as an indication that the VM is reachable).
  5. Test that "ping" works.
  6. Create a new SG (SG2).
  7. Find your public IP and add an ingress rule in SG2 for SSH from source <my public IP>.
  8. In SG1, remove the ingress from 0.0.0.0 and add a rule for all traffic from SG2.
  9. Test and observe that "ping" works as before, but SSH does not: timeout to the host.
  10. SG2: add egress for all traffic to SG1. SG1: add egress for all traffic to SG2 and all traffic to 0.0.0.0.

Expectation: to have a connection to the VM.

Question: what am I missing?

Thank you. P.S. The question was updated to clarify ingress and egress rules.

  • This is still a bit confusing. Is SG2, created in step 6, applied to the EC2 instance created in step 1? In step 8, are you removing the port 22 rule, the ICMP rule, or both?

Esource
asked 2 years ago · 777 views
2 Answers
1

Hello Esource,

Security groups are stateful, so you only need to allow traffic on port 22 in the ingress rules (not the egress rules as you have mentioned above). Could you please try again with a rule allowing inbound traffic from your IP address specifically on port 22?

Because security groups are stateful, the return traffic from the EC2 instance will automatically be allowed back to the source. In this case, the source is the laptop/desktop where your SSH client runs.

The documentation explaining this can be found here: Control traffic to EC2 instances with security groups - Security group basics - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#VPCSecurityGroups

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thank you, Jasper. I updated the original question to clarify egress and ingress rules. I added egress to SG2 while troubleshooting the situation.

  • Just want to clarify - the issue is not resolved at this time.
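Added example, not part of the question or either answer: a small Python model of how ingress rules are evaluated, run against constructed rule sets shaped like the `IpPermissions` entries that `describe-security-groups` returns (the field names follow that output; the IPs, group ids and rules are made up for this illustration). It shows why ping still works but SSH times out in the chained setup from step 8, and why the direct port 22 rule the answer asks for fixes it: a rule whose source is another security group only matches traffic from network interfaces that carry that group, never the external IP that SG2 happens to admit, and because groups are stateful no egress rule is involved in the decision at all.

```python
import ipaddress

# Constructed rule sets (not real AWS data) in the shape of IpPermissions.
# SG1 is attached to the instance; SG2 is attached to nothing, as in the question.
SG1_CHAINED = [  # step 8: all traffic from SG2, plus the ICMP rule from step 3
    {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-2"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
SG1_FIXED = [  # what the answer asks for: port 22 directly from the admin's IP
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
]
ADMIN_IP = "203.0.113.10"  # constructed: the "my public IP" from step 7


def ingress_allowed(rules, proto, port, src_ip, src_groups=frozenset()):
    """Return True if any ingress rule admits the packet.

    src_groups holds the group ids on the *sending* ENI. A laptop on the
    internet has none, so a UserIdGroupPairs source can never match it.
    Security groups are stateful: the SSH reply needs no egress rule, so
    this ingress check is the whole decision.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        if rule["IpProtocol"] == proto and proto != "icmp":
            if not rule["FromPort"] <= port <= rule["ToPort"]:
                continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"]):
            return True
        if any(g["GroupId"] in src_groups for g in rule["UserIdGroupPairs"]):
            return True
    return False


def reproduce_question(admin_ip=ADMIN_IP):
    """Replay step 9 of the question and the fix from the answer."""
    return {
        "ping_chained": ingress_allowed(SG1_CHAINED, "icmp", -1, admin_ip),  # works
        "ssh_chained": ingress_allowed(SG1_CHAINED, "tcp", 22, admin_ip),    # times out
        "ssh_fixed": ingress_allowed(SG1_FIXED, "tcp", 22, admin_ip),        # works
    }


if __name__ == "__main__":
    print(reproduce_question())
    # An instance whose ENI carries sg-2 *would* be admitted by the chained rule:
    print(ingress_allowed(SG1_CHAINED, "tcp", 22, "10.0.1.5", {"sg-2"}))
```

The same function can be pointed at real `describe-security-groups` output to check, before opening a ticket, whether a given source address is admitted on port 22.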

1

Two things to look at:

First, you say that the connection is rejected because the PEM isn't provided. That's pretty fatal; I'm not sure if it is related to your problem at all, but it is definitely something to fix.

Second (and more important): you talk about creating egress rules for SSH. To reach your instance you need ingress rules.

AWS
EXPERT
answered 2 years ago
  • This is what I get for rushing with the post. My mistake.

    1. PEM: the comment is there to indicate that there is connectivity to the VM.
    2. Egress: ingress and egress rules were both added. SG2: ingress for 22 from my IP and egress to SG1. SG1: ingress on 22 from SG2 and egress to 0.0.0.0 and SG2.

    I'll update the original question to eliminate confusion.
