允许使用 AWS CDK 从一个安全组进入另一个安全组

Question

How can I connect two security groups together using the AWS CDK?

This is an example of allow IPv4 traffic ingress via port 443

ec2SecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(443), 'Test rule', false)

This from the documentation:

public addIngressRule(peer: IPeer, connection: Port, description?: string, remoteRule?: boolean): void

This is the best I could come up with (where 'elbSecurityGroup' is another security group):

const p = Peer.anyIpv4()
p.connections.allowFrom(elbSecurityGroup.connections, Port.tcp(443))
ec2SecurityGroup.addIngressRule(p, Port.tcp(443), 'Test rule', false)

But that doesn't really make any sense. There must be a better way of Initializing the Peer. Typescript says

Constructor of class 'Peer' is protected and only accessible within the class declaration.

If I try:

const p = new Peer()

Answer 1

This can be done by accessing the 'connections' on SecurityGroups or other Constructs directly

ec2SecurityGroup.connections.allowFrom(elbSecurityGroup, Port.tcp(443), 'Application Load Balancer')

Or from an EC2 Instance object directly to another EC2 instance:

ec2Instance1.connections.allowFrom(ec2Instance2, Port.tcp(4321), 'Inbound')
ec2Instance2.connections.allowTo(ec2Instance1, Port.tcp(4321), 'Outbound')

This will create/alter a SecurityGroup created by CDK that is attached to the EC2 instance.