Why can't I connect when I refer to a security group in a security group rule?

0

Explaining the previous environment would be too complicated, so I'll change the environment I'm curious about to make it simpler.

In VPC A (10.0.0.0/16) I created subnet A (10.0.10.0/24). The private IPs of EC2 A and EC2 B are assigned in subnet A. The route table for subnet A contains "destination 10.0.0.0/16, target local" and "destination 0.0.0.0/0, target internet gateway". A web application using port 80 is running on EC2 B.

The security groups were set up in VPC A as follows. Security group A has an inbound rule with port any and source IP 10.0.10.0/24, which is subnet A. (Outbound is port any, IP range any.) Security group B has an inbound rule for port 80 whose source references security group A. (Outbound is port any, IP range any.) For the test, security group C has an inbound rule for port 80 with the source set to EC2 B's IP. To connect to EC2 A, security group D has an inbound rule for port 22 from 0.0.0.0/0, and I used it to connect to the instance.

I assigned an EIP to EC2 A. With security group B attached to EC2 B, I connected to EC2 A via SSH and ran curl "ec2 private ip":80, and got a 504 error. However, after attaching security group C to EC2 B instead, I connected to EC2 A via SSH, ran curl "ec2 private ip":80, and got a normal 200.

Why doesn't a security group reference behave like an IP range? If you look at "https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing", it says that the private IPs and the network they belong to are what the security group reference refers to.

If so, does a security group reference mean that only a security group with a single IP can be referenced?

3 Answers
1

When you say you checked with curl "ec2 private ip":80, do you mean EC2 B's private IP, and you're running this on EC2 A?

The behaviour you're seeing matches the description of steps you took, as you don't say anywhere you connected SG A to EC2 A. If you did, then a SG B rule allowing ingress from SG A should allow EC2 A to connect to EC2 B.

EXPERT
answered a year ago
0

Hi, please clarify so people can help as suggested by @Hrushi G. For example:

Which subnets are your load balancer in? Is it an internal or public load balancer?

When you say "the load balancer also referenced security group A", do you mean the load balancer's security group (let's call it B) referenced security group A?

Are the security group rules you've mentioned all Ingress, not Egress rules?

How do your load balancer and Fargate connect? It's not clear from your description whether your container is acting as a client of the load balancer, which is in front of some other workload, or whether the load balancer is in front of Fargate.

How are you testing it? Do you have a client attempting to connect to the load balancer? Where is this client, and what protocol is used?

What error message do you get?

EXPERT
answered a year ago
  • Thank you for the description. I will explain more carefully.

  • Sorry for not being specific in my question. To make the question more detailed, I used a simple environment as an example. I would be grateful if you could answer this question.

0

Edited per modified question: Please review the documentation on security group referencing here: https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing

Objective: SSH to EC2 A using Elastic/Public IP, and run curl command to EC2 B on port 80 from EC2 A.

SGA - Security Group A must be associated to EC2 A > Inbound Rule: Source <My IP> Port 22

SGB - Security Group B must be associated to EC2 B > Inbound Rule: Source SGA Port 80

Keep outbound rules for both SGs default

In this scenario, we are referencing SGA as source to reach to EC2 B

EXPERT
answered a year ago
  • Sorry for not being specific in my question. To make the question more detailed, I used a simple environment as an example. I would be grateful if you could answer this question.
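The point made in the first and third answers, that a rule whose source is security group A admits a sender only if SG A is actually attached to that sender, can be checked with a small model of the rule evaluation. This is an added illustration, not AWS code or the asker's setup; the instance names, IPs and group ids (sg-a to sg-d) are constructed, and SG C's source is taken to be the client's (EC2 A's) IP.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    port: Optional[int]  # None means "any port"
    source: str          # a CIDR ("10.0.10.0/24") or a security-group id ("sg-a")

@dataclass
class Instance:
    name: str
    private_ip: str
    groups: set = field(default_factory=set)  # security groups attached to its ENI

# Constructed inbound rule sets mirroring the question: SG A allows any port
# from subnet A, SG B allows port 80 from *SG A*, SG C allows port 80 from one
# IP, SG D allows SSH from anywhere. Outbound is left at the default allow-all.
SG_RULES = {
    "sg-a": [Rule(None, "10.0.10.0/24")],
    "sg-b": [Rule(80, "sg-a")],
    "sg-c": [Rule(80, "10.0.10.20/32")],
    "sg-d": [Rule(22, "0.0.0.0/0")],
}

def rule_matches(rule: Rule, src: Instance, dst_port: int) -> bool:
    if rule.port is not None and rule.port != dst_port:
        return False
    if rule.source.startswith("sg-"):
        # A group reference is a membership test on the sender's attached
        # groups; the referenced group's own rules and CIDRs play no part.
        return rule.source in src.groups
    return ip_address(src.private_ip) in ip_network(rule.source)

def inbound_allowed(src: Instance, dst: Instance, dst_port: int) -> bool:
    """True if any rule of any group attached to dst admits src on dst_port."""
    return any(rule_matches(r, src, dst_port)
               for g in dst.groups for r in SG_RULES.get(g, []))

def scenario(server_group: str, attach_sg_a_to_client: bool) -> bool:
    """EC2 A (client, SG D for SSH) connects to EC2 B (server) on port 80."""
    client = Instance("EC2 A", "10.0.10.20", {"sg-d"})
    if attach_sg_a_to_client:
        client.groups.add("sg-a")
    server = Instance("EC2 B", "10.0.10.30", {server_group})
    return inbound_allowed(client, server, 80)

if __name__ == "__main__":
    print("SG B on server, SG A not on client:", scenario("sg-b", False))  # False
    print("SG C (IP rule) on server:", scenario("sg-c", False))            # True
    print("SG B on server, SG A on client:", scenario("sg-b", True))       # True
```

The first case reproduces the failure in the question: EC2 A's address is inside SG A's CIDR, but that is irrelevant because SG A is not attached to EC2 A, so SG B's reference rule never matches.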
