I'm using Terraform to configure an ALB on AWS with a target group consisting of EC2 instances. I'm trying to create the following security groups using Terraform:
1) sg-alb (SG associated to the ALB):
----------------------------------
Inbound:
HTTP with source 0.0.0.0/0
HTTPS with source 0.0.0.0/0
Outbound:
All traffic with destination 0.0.0.0/0
2) sg-http-alb (SG associated to the EC2 instances and should only receive traffic from the ALB):
----------------------------------------------------------------------------------------------
Inbound:
HTTP with source sg-alb
HTTPS with source sg-alb
Outbound:
All traffic with destination 0.0.0.0/0
I read here that it's a best practice to limit the outbound traffic to the instance security group destination on the listener port.
So I changed the configuration as follows:
1) sg-alb (SG associated to the ALB):
----------------------------------
Inbound:
HTTP with source 0.0.0.0/0
HTTPS with source 0.0.0.0/0
Outbound:
HTTP with destination sg-http-alb (<---- this line changed)
2) sg-http-alb (SG associated to the EC2 instances and should only receive traffic from the ALB):
----------------------------------------------------------------------------------------------
Inbound:
HTTP with source sg-alb
HTTPS with source sg-alb
Outbound:
All traffic with destination 0.0.0.0/0
When I configure this in Terraform I get Error: Cycle:
which seems to indicate there is a loop. Indeed, in security group sg-alb I'm specifying the instances' sg-http-alb as a destination, and in security group sg-http-alb I'm using security group sg-alb as a source. Both EC2 and ALB are in the same public subnet (there are reasons for that).
However, using the console this is allowed. Also, when I specify the internal IP address (using /32) of my EC2 instances as the outbound destination, it works, but I'm not sure if this is the proper way.
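Added example (not code from the original post): one way to express the second configuration without the Terraform cycle is to keep the two `aws_security_group` resources rule-free and put every rule in a standalone `aws_security_group_rule` resource, so the groups themselves no longer reference each other inline. The `vpc_id` variable is an assumption, and only the port 80 rule pair is shown; the 443 rules follow the same pattern.

```hcl
variable "vpc_id" { type = string } # assumed: VPC of the ALB and instances
resource "aws_security_group" "sg_alb" {
  name   = "sg-alb"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "sg_http_alb" {
  name   = "sg-http-alb"
  vpc_id = var.vpc_id
}
# Internet -> ALB on 80 (add a twin rule for 443)
resource "aws_security_group_rule" "alb_in_http" {
  type              = "ingress"
  security_group_id = aws_security_group.sg_alb.id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
# ALB -> instances on the listener/target port only; this is the rule that
# created the cycle when written inline inside sg-alb.
resource "aws_security_group_rule" "alb_out_http" {
  type                     = "egress"
  security_group_id        = aws_security_group.sg_alb.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.sg_http_alb.id
}
# Instances accept 80 only from the ALB's security group
resource "aws_security_group_rule" "inst_in_http" {
  type                     = "ingress"
  security_group_id        = aws_security_group.sg_http_alb.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.sg_alb.id
}
# Instances keep unrestricted egress, as in the post
resource "aws_security_group_rule" "inst_out_all" {
  type              = "egress"
  security_group_id = aws_security_group.sg_http_alb.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

Because the ALB's egress is tied to the instance group rather than a /32, the rule keeps working when instances are replaced and their private addresses change.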