0
votes

I know that security groups are STATEFUL, meaning that if either inbound or outbound traffic is allowed by a rule, there will be an associated rule in the other direction to send the traffic.

Considering this, I have created a custom VPC and a public subnet. I have ssh-ed successfully to one of the public instances from my network. But I cannot ping from one public machine to the other in the same subnet! Even when I add this inbound rule:

All Traffic All ALL sg-xxx

The above rule should automatically imply an outbound rule to every instance in the same security group. But it doesn't.

So, I have to manually add an outbound rule again with:

ALL TRAFFIC ALL ALL sg-xxx

Why is this happening?

1
Does the security group allow inbound ICMP traffic? ping can't get a response unless packets can go both ways. (Karen B)

Yes, the inbound rule accepts all traffic from the same security group. But this also has to be written as the outbound rule to work. Mentioning it only as the inbound rule does not do the job! (Sam)

1 Answer

1
votes

It appears that your situation is:

  • Two instances (call them A and B) in the same subnet
  • A security group has been applied to both instances
  • The security group has been configured with an Inbound rule allowing all traffic
  • You are unable to ping from one instance to another

For Instance A to ping Instance B, the following is necessary:

  • An Outbound rule on the security group associated with Instance A, which permits ICMP traffic
  • An Inbound rule on the security group associated with Instance B, which permits ICMP traffic
  • The return traffic from Instance B to Instance A will be allowed to leave Instance B due to the stateful nature of the security group
  • The return traffic from Instance B to Instance A will be allowed to enter Instance A due to the stateful nature of the security group

Since you are using the same security group for both instances, you will need to permit both Inbound and Outbound access. Alternatively, you could use two different security groups:

  • One security group on Instance A permitting the Outbound traffic
  • One security group on Instance B permitting the Inbound traffic

The important concept to understand is that a security group defines inbound/outbound rules. Multiple instances that are associated with the same security group have the rules applied to each instance individually. Unlike network subnets, instances with the same security group are not "inside" the security group -- they merely have the same rules.
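The per-instance evaluation described in the answer, and the reason the asker's single inbound rule was not enough, can be made concrete with a small model of how stateful security groups are applied. This is an added example, not code from the original question or answer; the data structures, function names and the `ANY` shorthand are constructed for illustration, and the model only implements the allow-only, stateful, group-referencing behaviour the answer describes.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed shorthand for a rule whose peer is "anywhere" (0.0.0.0/0).
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    protocol: str  # "icmp", "tcp", "udp" or "all"
    peer: str      # a security group ID (sg-...) or ANY


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    sg: SecurityGroup


def _matches(rule: Rule, protocol: str, peer_sg_id: str) -> bool:
    """A rule matches when its protocol covers the flow and its peer covers the other instance."""
    proto_ok = rule.protocol in ("all", protocol)
    peer_ok = rule.peer in (ANY, peer_sg_id)
    return proto_ok and peer_ok


def can_initiate(src: Instance, dst: Instance, protocol: str) -> bool:
    """A new flow src -> dst is evaluated against two independent rule sets:
    the OUTBOUND rules of the group attached to src, and the INBOUND rules of
    the group attached to dst. Sharing one group between both instances does
    not merge these checks; each instance is evaluated on its own."""
    egress_ok = any(_matches(r, protocol, dst.sg.sg_id) for r in src.sg.outbound)
    ingress_ok = any(_matches(r, protocol, src.sg.sg_id) for r in dst.sg.inbound)
    return egress_ok and ingress_ok


def ping_succeeds(src: Instance, dst: Instance) -> bool:
    """The echo request is a new flow, so both checks above apply. The echo
    reply is return traffic of a tracked flow, which statefulness lets back
    through without any rule on dst's outbound or src's inbound side."""
    return can_initiate(src, dst, "icmp")


def scenario_single_sg_inbound_only() -> bool:
    """The asker's setup: one group on both instances, inbound-all from itself, no outbound."""
    sg = SecurityGroup("sg-xxx", inbound=[Rule("all", "sg-xxx")])
    a, b = Instance("A", sg), Instance("B", sg)
    return ping_succeeds(a, b)


def scenario_single_sg_both_directions() -> bool:
    """The fix the asker arrived at: the same group now also allows outbound to itself."""
    sg = SecurityGroup(
        "sg-xxx",
        inbound=[Rule("all", "sg-xxx")],
        outbound=[Rule("all", "sg-xxx")],
    )
    a, b = Instance("A", sg), Instance("B", sg)
    return ping_succeeds(a, b)


def scenario_two_sgs() -> Tuple[bool, bool]:
    """The answer's alternative: A's group permits outbound ICMP to B's group,
    B's group permits inbound ICMP from A's group. Returns (A->B, B->A);
    B->A fails because B's group has no outbound rule of its own."""
    sg_a = SecurityGroup("sg-a", outbound=[Rule("icmp", "sg-b")])
    sg_b = SecurityGroup("sg-b", inbound=[Rule("icmp", "sg-a")])
    a, b = Instance("A", sg_a), Instance("B", sg_b)
    return ping_succeeds(a, b), ping_succeeds(b, a)


if __name__ == "__main__":
    print("single SG, inbound only :", scenario_single_sg_inbound_only())
    print("single SG, both ways    :", scenario_single_sg_both_directions())
    print("two SGs (A->B, B->A)    :", scenario_two_sgs())
```

Running the module prints `False`, `True` and `(True, False)`: the inbound-only group blocks the echo request at Instance A's outbound check before it ever reaches B's inbound rules, and in the two-group variant only the direction that has an outbound rule on the sender and an inbound rule on the receiver works. One practical caveat when comparing this with a real account: a security group created through the console starts with a default outbound rule allowing all traffic, so the inbound-only case only reproduces if that default has been removed or replaced.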