
Why does AWS Security group not allow inbound http traffic by sg-ID

I have an EC2 instance running an HTTP server in one security group (let's call it SG1) and a number of other EC2 instances in a second security group (SG2) which need to make requests to the first.

If I allow HTTP (TCP port 80) inbound traffic for 0.0.0.0/0, there is no problem.

If I replace that rule by specifying that inbound traffic is allowed from SG2 I can't access the server from anywhere (including the EC2 instances in SG2).

My ACL is permissive enough in either case (allowing all traffic) and regardless it doesn't change.

I should be able to allow inbound traffic by SG ID as indicated by the following message that is displayed in the console when configuring SG1:

Determines the traffic that can reach your instance. Specify a single IP address, or an IP address range in CIDR notation (for example, 203.0.113.5/32). If connecting from behind a firewall, you'll need the IP address range used by the client computers. You can specify the name or ID of another security group in the same region. To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup.

The instances in SG2 need to access the instance in SG1 by using that instance's private IP address. That way the traffic stays inside the VPC and will remain associated with the instances in SG2, thus passing the Security Group rule. When you address the instance in SG1 using its public IP address the traffic leaves the VPC and goes out to the Internet and back, at which point the association with the security group SG2 is lost.

If you configure routes to forward the traffic between two instances in different subnets through a middlebox appliance, you must ensure that the security groups for both instances allow traffic to flow between the instances. The security group for each instance must reference the private IP address of the other instance, or the CIDR range of the subnet that contains the other instance, as the source. If you reference the security group of the other instance as the source, this does not allow traffic to flow between the instances.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules
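The answer above can be checked against a small model. The following is an added example written for this thread, not AWS code and not from the question's author: it reduces security group evaluation to two ideas, that a group is default-deny with allow rules matched on protocol, port and source, and that a request addressed to an IP outside the VPC leaves through the internet gateway and comes back as ordinary internet traffic, so the sender's group membership is no longer attached to it. The VPC CIDR, IP addresses and group IDs (sg-2222, sg-3333) are constructed; stateful return traffic, multiple ENIs and peering are deliberately left out.

```python
"""Simplified model of inbound security group evaluation (constructed example).

Shows why an SG1 ingress rule whose source is the ID of SG2 admits the SG2
instances only when they address the SG1 instance by its private IP.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VPC range


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule; exactly one of source_cidr / source_sg is set."""
    protocol: str
    port: int
    source_cidr: Optional[str] = None   # e.g. "0.0.0.0/0"
    source_sg: Optional[str] = None     # e.g. "sg-2222"


@dataclass(frozen=True)
class Request:
    """A TCP request as sent by a client instance inside the VPC."""
    src_private_ip: str
    src_sgs: FrozenSet[str]              # groups attached to the client's ENI
    dst_ip: str                          # address the client actually used
    protocol: str = "tcp"
    port: int = 80
    src_public_ip: str = "198.51.100.7"  # what the server sees after NAT (constructed)


def effective_source(req: Request) -> Tuple[str, FrozenSet[str]]:
    """Return (source IP, source SGs) as the destination's security group sees them.

    Traffic to an address inside the VPC stays on the VPC fabric and keeps the
    sender's group membership. Traffic to a public address exits via the
    internet gateway and returns as internet traffic with no SG association.
    """
    if ipaddress.ip_address(req.dst_ip) in VPC_CIDR:
        return req.src_private_ip, req.src_sgs
    return req.src_public_ip, frozenset()


def ingress_allowed(rules: List[Rule], req: Request) -> bool:
    """Security groups are default-deny: any matching allow rule admits the request."""
    src_ip, src_sgs = effective_source(req)
    for rule in rules:
        if rule.protocol != req.protocol or rule.port != req.port:
            continue
        if rule.source_cidr and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source_cidr):
            return True
        if rule.source_sg and rule.source_sg in src_sgs:
            return True
    return False


# The two SG1 configurations from the question.
SG1_OPEN_TO_WORLD = [Rule("tcp", 80, source_cidr="0.0.0.0/0")]
SG1_BY_SG_ID = [Rule("tcp", 80, source_sg="sg-2222")]


def sg2_client_reaches(rules: List[Rule], dst_ip: str) -> bool:
    """Does an instance in SG2 (constructed id sg-2222) reach the SG1 server at dst_ip?"""
    client = Request(src_private_ip="10.0.1.10", src_sgs=frozenset({"sg-2222"}), dst_ip=dst_ip)
    return ingress_allowed(rules, client)


def other_client_reaches(rules: List[Rule], dst_ip: str) -> bool:
    """Same request from an instance that is not in SG2 (constructed id sg-3333)."""
    client = Request(src_private_ip="10.0.1.11", src_sgs=frozenset({"sg-3333"}), dst_ip=dst_ip)
    return ingress_allowed(rules, client)


if __name__ == "__main__":
    public_ip, private_ip = "203.0.113.20", "10.0.2.5"  # constructed SG1 server addresses
    for label, rules in (("0.0.0.0/0", SG1_OPEN_TO_WORLD), ("sg-2222", SG1_BY_SG_ID)):
        print(f"rule source {label}: via public IP -> {sg2_client_reaches(rules, public_ip)}, "
              f"via private IP -> {sg2_client_reaches(rules, private_ip)}")
```

The SG-ID rule is the tighter one: with the open rule any host on the internet reaches port 80, whereas with the SG-ID rule only members of SG2 reach it, and only over the private address. Pointing the SG2 clients at the server's private IP or private DNS name is therefore the fix, not widening the rule back to 0.0.0.0/0.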
