0
votes

I have a server in a private subnet in SG1, and I want to make a call to a load balancer in a public subnet in SG2.

I have my outbound rule set up on SG1 which allows traffic to SG2.

However, when I add a rule to allow Inbound traffic from SG2 that allows SG1 inbound, the request times out. If I add an open rule to SG2 the request works! I've also tried with the private IP address range, but that did not work.

How do I add a correct rule to the load balancer so that traffic is allowed from SG1, and I do not expose the security group to be publicly open?

1
How do you call the LB from the private subnet? Using its public DNS name? It will not work if your private subnet has no internet access. - Marcin

1 Answer

1
votes

I suspect that the issue is caused by the fact that you are connecting to an Internet-facing load balancer.

The load balancer is being referenced via a DNS Name. This name is resolving to a public IP address because the load balancer is accessible to the Internet.

When the instance in the private subnet accesses the load balancer, it is actually resolving the ELB DNS Name to a public IP address, so the request is actually leaving the VPC, then coming back in. This means that the "from" IP address is coming from the private instance's public IP address, not its private IP address. The security group is only expecting the private instance's private IP address, so it is not recognizing the incoming traffic.

If the Load Balancer is only being used in this manner, then it should be created as an internal Load Balancer, rather than being public. It is also possible to create two load balancers (one Internet-facing, one internal-only).
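An added check that models the explanation above; it is not code from the answer or the question. It resolves the load balancer name (when network access is available), decides whether the addresses fall inside the VPC CIDR, and evaluates an "allow from SG1" inbound rule against the source address the load balancer's security group actually sees. All CIDRs, IPs and group ids are constructed sample values.

```python
# Added example (not from the post): why an inbound rule referencing SG1 fails
# for an Internet-facing load balancer and passes for an internal one.
# All addresses, CIDRs and security group ids are constructed sample values.
import ipaddress
import socket

def resolve_lb(dns_name, port=443):
    """Resolve a load balancer DNS name to its IPv4 addresses (needs network access)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(dns_name, port, socket.AF_INET)})

def resolves_inside_vpc(addresses, vpc_cidr):
    """True when every resolved address lies in the VPC CIDR, which is what an
    internal load balancer name returns; an Internet-facing one returns public IPs."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in net for a in addresses)

def sg_rule_matches(rule, source_ip, eni_groups):
    """Evaluate one inbound rule against the source address the load balancer sees.
    rule is {"source_sg": "sg-..."} or {"cidr": "10.0.0.0/16"}; eni_groups maps the
    private IP of each ENI in the VPC to the set of security groups attached to it.
    A source-SG rule matches only packets whose source IP belongs to an ENI in that
    group, so traffic that left the VPC and returns with a public source IP never matches."""
    if "cidr" in rule:
        return ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule["cidr"])
    return rule["source_sg"] in eni_groups.get(source_ip, set())

def diagnose(resolved_ips, vpc_cidr, instance_private_ip, egress_public_ip, sg1, eni_groups):
    """Report which source address the LB security group evaluates and whether
    an inbound rule 'allow from SG1' lets the request through."""
    internal = resolves_inside_vpc(resolved_ips, vpc_cidr)
    # Internal LB: the request stays in the VPC and keeps the instance's private IP.
    # Internet-facing LB: the request leaves the VPC and comes back with a public IP.
    source = instance_private_ip if internal else egress_public_ip
    allowed = sg_rule_matches({"source_sg": sg1}, source, eni_groups)
    return {"lb_is_internal": internal, "observed_source": source, "sg1_rule_allows": allowed}

# Constructed sample topology: VPC 10.0.0.0/16, instance in SG1, LB node in SG2.
VPC_CIDR = "10.0.0.0/16"
INSTANCE_IP = "10.0.2.15"
EGRESS_PUBLIC_IP = "203.0.113.7"   # public address the instance's traffic leaves the VPC with
ENI_GROUPS = {"10.0.2.15": {"sg-1111"}, "10.0.1.50": {"sg-2222"}}
INTERNET_FACING_LB = ["203.0.113.40", "203.0.113.41"]   # what a public LB name resolves to
INTERNAL_LB = ["10.0.1.50"]                             # what an internal LB name resolves to

if __name__ == "__main__":
    for ips in (INTERNET_FACING_LB, INTERNAL_LB):
        print(diagnose(ips, VPC_CIDR, INSTANCE_IP, EGRESS_PUBLIC_IP, "sg-1111", ENI_GROUPS))
```

Replace the constructed lists with `resolve_lb("<your-lb-dns-name>")` from inside the VPC to check which case applies to your own load balancer.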