Allow traffic from any instance in AWS VPC

amazon ec2amazon-web-services

'm trying to create a security group that allows all inbound traffic originating from within my VPC. I thought I could simply specify my CIDR block, but that doesn't seem to work and requests fail unless I create a rule which allows inbound traffic from anywhere.

What's the right way to allow inbound traffic from any EC2 instance within the same VPC?

Best Answer

Add the CIDR block of your VPC to your ingress rules of your security group.

You will also need to ensure that egress rules are configured for your other security groups to allow outbound traffic from your instances. Again, you can limit it to the same CIDR block.

For example, if your VPC CIDR block was 10.0.0.0/16, then:

On your target security group, add an ingress rule on the desired port for 10.0.0.0/16.
On all possible source security groups, add an egress rule on the desired port for 10.0.0.0/16.

However, to be more secure, I would recommend permitting traffic based on security group rather than CIDR block. For example:

On your target security group, add an ingress rule on the desired port for the source security group.
On your source security group, add an egress rule on the desire port for the target security group.

Related Solutions

Can’t Connect to EC2 Instance in VPC – Troubleshooting Guide

To communicate outside of the VPC, each non-default subnet needs a routing table and an internet gateway associated to it (the default subnets get an external gateway and a routing table by default).

Depending on the way you have created public subnet in the VPC, you might need to explicitly add them additionally. Your VPC setup sounds like it matches Scenario 1 - a private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet from the AWS VPC documentation.

You will need to add an internet gateway to your VPC and inside the Public subnet's routing table assign 0.0.0.0/0 (default route) to go to the assigned internet gateway. There is a nice illustration of the exact network topology inside the documentation.

Also, for more information, you can check the VPC Internet Gateway AWS documentation. Unfortunately it's a little messy and a non-obvious gotcha.

For more details about connection issues, see also: Troubleshooting Connecting to Your Instance.

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Best Answer

Related Solutions

Can’t Connect to EC2 Instance in VPC – Troubleshooting Guide

AWS CloudFormation: VPC default security group

Related Topic