AWS Instance Only Allow Traffic From Load Balancer

8
votes

I have a Load Balancer and Auto-Scaling Group. The Load Balancer sends traffic to my Auto-Scaling Group. I have two instances: Instance 7000 (which is listening on port 7000 and is part of the auto-scaling group and gets its traffic from the load balancer) and Instance 8545 (which is listening on port 8545 and is simply a single instance that is not part of the Load Balancer or the Auto-Scaling Group).

I have a load balancer security group ("LB-SG") and a security group for Instance 8545 ("App-SG"). I want Instance 8545 to only allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group. So I included "LB-SG" as an inbound rule for "App-SG" on port 8545 but it is not working. However, if I simply include the IP address for Instance 7000 on port 8545 as an inbound rule in "LB-SG" it works perfectly. But that doesn't solve my issue because if more instances get added by the Auto-Scaling Group or IP address changes then it won't work.

Edit: reworded for clarity

2
amazon-web-servicesamazon-ec2load-balancingelastic-load-balanceraws-security-group

2 Answers

21
votes

Your requirements are a little unclear, but here is the general use-case...

If you wish an instance to accept traffic from a Load Balancer, then:

  • Create a Security Group for your Load Balancer ("LB-SG")
  • Create a Security Group for your instances ("App-SG")
  • In App-SG, permit inbound traffic on the desired port from LB-SG

That is, the App-SG rule specifically references LB-SG by its unique name (sg-abcd1234).

Result: Every instance associated with App-SG will permit inbound traffic that is coming from the Load Balancer.

Similarly, if you want a specific instance (Instance-A) to accept traffic from another instance (Instance-B), create a different security group for each instance and add a rule to the Instance-A security group to permit inbound traffic on a given port from the Instance-B security group.

There is no need to use IP addresses.

5
votes

2nd attempt...

You should create three security groups:

  • LB-SG for the Load Balancer
    • Allow inbound 80/443
  • App-SG for the instances in the Auto Scaling group
    • Allow inbound 7000 from LB-SG
  • Extra-SG for the 8545 instance (I didn't know what to call it!)
    • Allow inbound 8545 from App-SG

Once again, there is no need to reference specific IP addresses.

Side-note: You said "allow traffic from Instances that are part of the Load Balancer / Auto-Scaling Group" -- instances are in the Auto Scaling group, but there are no instances in the Load Balancer. Therefore, I have assumed that the 8545 instance only receives traffic from the App-SG (7000) instances.

Update: Make sure the instances are communicating via Private IP addresses.