0 votes

I am trying to understand this statement: "You can reference AWS Security Groups from other Security Groups."

What exactly does this mean?

This is how I understood this. I created a security group, called it "SG-10", and attached it to an instance "EC2-10". The SG "SG-10" has an allow rule for port 443 defined inside it.

Now, I create a security group, call it "SG-20", and attach this to an instance "EC2-20". This also has port 443 allowed. Now, if I call "SG-10" inside "SG-20", does this mean that "EC2-10" will be able to connect to "EC2-20" on port 443?

Regards, Nik.


2 Answers

1 vote

if I call "SG-10" inside "SG-20"

No, you cannot call a security group; this does not make any sense.

If a security group A references security group B, it does mean that the instance to which security group A is attached allows inbound or outbound traffic to another instance to which security group B is attached. But if you want to send traffic from the instance with security group A to the instance with security group B, you have to use the IP or the DNS of instance B.

Usually the reason why we would want to reference a security group instead of an IP is that the IP might change over time or it is not exposed at all. A fairly common example is having an application load balancer (ALB) and a group of EC2 instances which allow traffic only from the ALB. The IP address of the ALB changes over time, so in order to be able to receive traffic from the ALB, we can reference the security group attached to it.

If we want to reference a security group from another security group, we have to edit the rules of the initial security group:

[screenshot: editing the rules of the security group]

0 votes

As an example of referencing security groups, imagine a 3-tier architecture:

  • A Load Balancer receiving traffic from the Internet and sending requests to an Amazon EC2 instance
  • An Amazon EC2 instance receiving requests from the Load Balancer and sending queries to an Amazon RDS database
  • An Amazon RDS database receiving requests from the EC2 instance

This would involve 3 security groups:

  • A security group on the Load Balancer (LB-SG) that allows incoming traffic on port 80/443.
  • A security group on the EC2 instance (App-SG) that allows incoming traffic on port 80 only from the load balancer. It does this by setting the source to LB-SG.
  • A security group on the RDS database (DB-SG) that allows incoming traffic on the relevant port (eg 3306) only from the EC2 instance. It does this by setting the source to App-SG.
  • All security groups allow All Outbound Traffic.

By referencing other security groups, resources can be added/removed without having to change the security groups. For example, another EC2 instance could be launched and assigned the App-SG security group. This new instance would then be able to communicate with the database since DB-SG allows incoming traffic from App-SG, without being tied to any specific IP addresses.

If a resource is associated with multiple security groups, then all rules apply to the resource. Security Groups only say what is 'Allowed'. They do not include 'Deny' rules.

In your SG-10/SG-20 example, you do not mention the source of the traffic, so it is not possible to answer your question. If you want EC2-20 to accept connections from EC2-10, then the SG-20 security group should allow connections with the Source set to SG-10.

As an aside, I should mention that Network ACLs should normally be left at their default "Allow All" settings unless there is a specific networking requirement (eg creating a DMZ).
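The following is an added example, not code from either answer or from AWS: a small Python model of the security-group semantics both answers describe. It encodes the three-tier LB-SG / App-SG / DB-SG design from the second answer and the questioner's SG-10 / SG-20 scenario, then decides whether a new connection would be allowed. It models exactly the points made above: groups are allow-only, the rules of every group attached to a resource are unioned, and a rule whose source is another security group matches any resource that has that group attached rather than any IP address. Group names, private IP addresses and the office CIDR used as SG-10's source are constructed for the example; stateful return traffic and Network ACLs are deliberately not modelled.

```python
"""Toy evaluator for AWS security-group semantics (constructed example, not AWS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    source: str     # either a CIDR block or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Resource:
    name: str
    ip: str
    groups: Tuple[str, ...] = ()   # empty tuple => external peer not governed by any SG


# The default "All Outbound Traffic" rule every group in the answer keeps.
ALL_OUTBOUND = Rule("-1", 0, 65535, "0.0.0.0/0")


def rule_matches(rule: Rule, peer: Resource, proto: str, port: int,
                 sgs: Dict[str, SecurityGroup]) -> bool:
    """Does one rule permit traffic to/from `peer` on proto/port?"""
    if rule.protocol not in ("-1", proto):
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source in sgs:                    # security-group reference:
        return rule.source in peer.groups     # matches whoever has that group attached
    return ip_address(peer.ip) in ip_network(rule.source)   # plain CIDR rule


def allowed(src: Resource, dst: Resource, proto: str, port: int,
            sgs: Dict[str, SecurityGroup]) -> bool:
    """True if `src` may open a new proto/port connection to `dst` (allow-only, no deny rules)."""
    # Outbound side: union of outbound rules of all groups on src must permit dst.
    if src.groups and not any(rule_matches(r, dst, proto, port, sgs)
                              for g in src.groups for r in sgs[g].outbound):
        return False
    if not dst.groups:      # external destination: no security group to consult
        return True
    # Inbound side: union of inbound rules of all groups on dst must permit src.
    return any(rule_matches(r, src, proto, port, sgs)
               for g in dst.groups for r in sgs[g].inbound)


def three_tier() -> Dict[str, SecurityGroup]:
    """The LB-SG / App-SG / DB-SG design from the answer; sources are group references."""
    return {
        "LB-SG": SecurityGroup("LB-SG", inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"),
                                                  Rule("tcp", 443, 443, "0.0.0.0/0")],
                               outbound=[ALL_OUTBOUND]),
        "App-SG": SecurityGroup("App-SG", inbound=[Rule("tcp", 80, 80, "LB-SG")],
                                outbound=[ALL_OUTBOUND]),
        "DB-SG": SecurityGroup("DB-SG", inbound=[Rule("tcp", 3306, 3306, "App-SG")],
                               outbound=[ALL_OUTBOUND]),
    }


# Constructed resources; addresses are arbitrary documentation / RFC 1918 values.
INTERNET_CLIENT = Resource("client", "203.0.113.5")
LB = Resource("alb", "10.0.0.10", ("LB-SG",))
APP1 = Resource("app-1", "10.0.1.10", ("App-SG",))
APP2 = Resource("app-2", "10.0.1.11", ("App-SG",))   # launched later: no rule edits needed
DB = Resource("db", "10.0.2.10", ("DB-SG",))


def sg10_sg20() -> Tuple[bool, bool]:
    """The question's scenario with SG-20 referencing SG-10 as its source.
    SG-10's own 443 rule is given a constructed office CIDR as source.
    Returns (EC2-10 -> EC2-20 allowed, EC2-20 -> EC2-10 allowed)."""
    sgs = {
        "SG-10": SecurityGroup("SG-10", inbound=[Rule("tcp", 443, 443, "192.0.2.0/24")],
                               outbound=[ALL_OUTBOUND]),
        "SG-20": SecurityGroup("SG-20", inbound=[Rule("tcp", 443, 443, "SG-10")],
                               outbound=[ALL_OUTBOUND]),
    }
    ec2_10 = Resource("EC2-10", "10.0.1.10", ("SG-10",))
    ec2_20 = Resource("EC2-20", "10.0.1.20", ("SG-20",))
    return (allowed(ec2_10, ec2_20, "tcp", 443, sgs),
            allowed(ec2_20, ec2_10, "tcp", 443, sgs))


if __name__ == "__main__":
    sgs = three_tier()
    for s, d, p in [(INTERNET_CLIENT, LB, 443), (INTERNET_CLIENT, APP1, 80),
                    (LB, APP1, 80), (APP2, DB, 3306), (LB, DB, 3306)]:
        print(f"{s.name} -> {d.name}:{p} allowed={allowed(s, d, 'tcp', p, sgs)}")
    print("SG-10/SG-20:", sg10_sg20())
```

The model shows why the second answer says the SG-10/SG-20 question cannot be answered without a source: with SG-20's 443 rule pointing at SG-10, EC2-10 can reach EC2-20, but the reverse direction depends entirely on what SG-10's own rule names as its source. In the real AWS CLI the App-SG rule above is written with a group rather than a CIDR as source, for example `aws ec2 authorize-security-group-ingress --group-id <App-SG id> --protocol tcp --port 80 --source-group <LB-SG id>` (ids are placeholders).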