0
votes

I have two subnets, public and private. The web server on EC2 is in the public subnet and the MySQL database on an EC2 instance is in the private subnet. We decided not to go with RDS.

For RDS, the inbound rule for private subnet is "MySQL/Aurora". What should it be if MySQL is on an EC2 instance in a private subnet?

I'm trying to make it as secure as possible.


2 Answers

1
votes

It is exactly the same thing. "MySQL/Aurora" is only the label for port 3306.

You can then use the same security group for RDS or for a self-managed MySQL server on EC2.

1
votes

You should use two security groups:

  • Application-SG: Permit inbound access to your app (e.g. ports 80 and 443). Associate the security group with the app server(s).
  • Database-SG: Permit inbound access for MySQL on port 3306 with the source set to Application-SG. Associate the security group with the instance running the database.

That is, the Database-SG allows inbound 3306 traffic from the Application-SG. This will permit inbound traffic from any app servers associated with Application-SG.

By the way, you should really consider using RDS, even if only for making backups easier.
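The two-group arrangement described in this answer, written out as a Terraform configuration. This is an added example, not part of either answer; `var.vpc_id`, the resource and group names and the description strings are assumptions, and the wide-open egress rules are the default behaviour of an AWS security group restated explicitly (Terraform drops the implicit allow-all egress when a group is managed as a resource).

```hcl
# Added example: web tier and database tier as two security groups.
# vpc_id, group names and descriptions are placeholders (assumptions).
variable "vpc_id" {
  type        = string
  description = "VPC that contains the public and private subnets"
}

# Application-SG: attached to the web/app EC2 instance(s) in the public subnet.
resource "aws_security_group" "application" {
  name        = "Application-SG"
  description = "Web tier: HTTP and HTTPS from the internet"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Database-SG: attached to the MySQL EC2 instance in the private subnet.
# The only inbound rule is TCP 3306 whose source is the Application-SG itself,
# so any instance carrying Application-SG can reach MySQL and nothing else can.
# There is deliberately no 0.0.0.0/0 rule and no SSH rule here.
resource "aws_security_group" "database" {
  name        = "Database-SG"
  description = "MySQL on EC2: 3306 from the application tier only"
  vpc_id      = var.vpc_id

  ingress {
    description     = "MySQL from Application-SG"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.application.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Two things to check after applying this. First, a rule whose source is another security group only matches traffic that arrives from the private IP addresses of the interfaces carrying that group, so the app must connect to the database by its private IP or private DNS name; a connection aimed at a public IP would leave through the internet gateway and not match the rule. Second, `aws ec2 describe-security-groups --group-names Database-SG` should show exactly one inbound permission, on port 3306, with a `UserIdGroupPairs` entry for Application-SG and no `IpRanges` at all; if a CIDR appears there, the database is reachable from more than the app tier.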