AWS – Restrict External Database Access but Allow ECS Task Access

amazon-web-services

I'm not great at network administration so I need some help to do something really basic on AWS.
Basically, I have an RDS database in a VPC, let's call it VPC1. The database is also associated with the VPC security group "Default: sg1".

I have an API server that needs to access the database; it runs as a Docker image (service) on ECS. This API server is associated with a load balancer in the same VPC, VPC1. The task has external IP XXX.XXX.XXX.XXX and internal IP YYY.YYY.YYY.YYY.

All I want to do is allow the ECS service to access the database, but disable all other external access.

I've tried the following:

  • Add the private IP to the inbound SG rule
  • Add the public IP to the inbound SG rule
  • Add the security group of the network the task is part of to the SG rule
    For testing, the protocol is set to "all".

None of these seem to work. What am I missing here?

Best Answer

I typically do this with security group references rather than IPs. Make sure each resource (DB, ECS) is assigned a security group that isn't used for anything else, i.e. not the default SG. Default works, but it's not good practice and it's more difficult to keep track of.

You need to put in matching security group rules to allow traffic out from ECS to the DB, and into the DB from ECS:

  • ECS SG: allow outbound connectivity to the DB SG on the required port.
  • DB SG: allow inbound connectivity from the DB SG on the required port.

Since security groups are stateful, you don't need to allow incoming into ECS or outgoing from DB.

If for some reason you need to do this with IPs, make sure you use private IPs rather than public. In AWS, public IPs are only translated at the internet gateway; they're not used within the VPC.
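The security-group-reference setup from the answer above, written out as a Terraform fragment. This is an added example and not code from the answer or the question; it assumes an existing VPC id supplied as a variable, a PostgreSQL listener on port 5432 (the page does not state the engine or port), and an ECS service in awsvpc networking mode. The resource names `ecs_tasks`, `db`, `ecs_to_db` and `db_from_ecs` are chosen for this illustration. The DB side references the ECS security group as its source, which is the "into the DB from ECS" direction the answer describes.

```hcl
# Added example, not from the original answer. Assumes an existing VPC
# (VPC1 in the question), a PostgreSQL RDS instance on port 5432, and an
# ECS service using awsvpc networking. Ids and the port are placeholders.

variable "vpc_id" {
  description = "Existing VPC id (placeholder; VPC1 in the question)"
  type        = string
}

variable "db_port" {
  description = "Database listener port; 5432 is an assumed PostgreSQL value"
  type        = number
  default     = 5432
}

# Dedicated SG for the ECS tasks, deliberately not the VPC default SG.
resource "aws_security_group" "ecs_tasks" {
  name        = "api-ecs-tasks"
  description = "ECS API tasks"
  vpc_id      = var.vpc_id
}

# Dedicated SG for the RDS instance.
resource "aws_security_group" "db" {
  name        = "api-rds"
  description = "RDS database for the API"
  vpc_id      = var.vpc_id
}

# ECS SG: outbound to the DB SG on the DB port only.
# For an egress rule the AWS provider uses source_security_group_id
# to mean the destination group.
resource "aws_security_group_rule" "ecs_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.ecs_tasks.id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id
}

# DB SG: inbound from the ECS SG on the DB port only. There is no
# 0.0.0.0/0 rule, so nothing outside the VPC, and nothing inside it that
# does not carry the ECS SG, can reach the listener. Return traffic is
# covered by security groups being stateful, so no DB egress rule is needed.
resource "aws_security_group_rule" "db_from_ecs" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs_tasks.id
}
```

Attach `aws_security_group.db.id` through the RDS instance's `vpc_security_group_ids` and `aws_security_group.ecs_tasks.id` through the ECS service's `network_configuration` `security_groups` list. Because a Terraform-managed `aws_security_group` with no egress rules blocks all outbound traffic, any other egress the task genuinely needs (for example pulling its image or reaching other services) has to be added as separate, equally narrow rules rather than by reintroducing an allow-all rule. A quick check after applying is to confirm the DB SG shows exactly one inbound rule whose source is the ECS SG id and no CIDR-based inbound rules at all.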