EC2: Allowing multiple IPs for a security group rule

8
votes

In EC2-classic, I've been trying to use a security group as the source for another security group, to allow access from multiple IPs (work and home). The way I've been trying is to make a security group named 'my_ips' with one rule for each of my ip numbers (as CIDR), open for all TCP ports. Then I configure a security group say 'my_sg', each rule of which has a single port open (say 22), and its source being security group 'my_ips'. Then I allocate 'my_sg' to my EC2 instance.

What I'm trying to avoid is having to configure multiple rules in 'my_sg' for each port, each rule having the same port but different IP. I'm trying to have 'my_ips' rules filter by IP, then 'my_sg' rules filter by port number.

No luck. Clearly I am doing it wrong. Is there a way to achieve what I want?

1
amazon-web-servicesamazon-ec2

1 Answers

15
votes

You're mistaken about how security groups work. When you choose to allow an SG as the source in a rule for another SG, you're saying that any EC2 instance that is a member of that SG is permitted on the port you specify. It is not related to the rules of the source SG.

I understand that you're trying to specify all the addresses that should be allowed for port 22 within a single rule, but unfortunately that's no possible with security groups currently. You need to express each IP address and port as its own rule.