I have two EC2 instances. They're both in the same VPC, and they both have public IPs assigned to them.
My problem is that I'm required to use the public IPs in my Security Groups to allow them to communicate. If I try to use the private IPs, their connections are being denied.
I will eventually remove their public IPs, and would like to not have to change my security group settings afterwards.
Why wouldn't I be able to use private IPs as the source for two machines both in the same VPC?
Best Answer
tl;dr: when you connect to an instance using its public IP address, you are necessarily using your source machine's public address as the source address, too (or that of its NAT Gateway, if the source instance has no public IP), and your traffic is going out to the Internet and back in when you do this (although you are admittedly not going very far out toward the Internet).
Let's take two example instances:
If instance #1 connects to #2 using instance #2's public IP 203.0.113.2:
If instance #1 uses 172.31.3.2 to connect to instance #2 then essentially none of this happens, so the security group for #2 will see 172.31.3.1 as the source address.
Using the private IP of the target instance is the way to go.
Note that when using private IPs you can also list instance #1's security group ID in instance #2's security group rules instead of listing instance #1's private IP address. It goes in the same place as the IP in the console -- type sg in that box and you should be able to select one. This is probably easier to maintain and works well if you put instance #1 in an auto-scaling "group of one" -- so that autoscaling replaces the machine if it fails.

Note also that when two instances communicate using their public IPs, you're billed for going out and coming back in. It's not as much as Internet traffic costs, but the rate is similar to the rates for intra-region inter-AZ and intra-region VPC peering traffic.
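As an added illustration (not part of the answer above, and not an AWS API), here is a small model of the mechanism the answer describes: which source address instance #2's security group actually sees depends on whether instance #1 connects to the private or the public IP, and a CIDR rule or an sg-ID rule only matches accordingly. The 172.31.3.x and 203.0.113.2 addresses are the answer's; 203.0.113.1 and the sg-IDs are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    public_ip: str
    sg_id: str  # ID of the security group attached to the instance

# Constructed sample instances. The 172.31.3.x and 203.0.113.2 values come from the
# answer; 203.0.113.1 and both sg-IDs are placeholders assumed for this example.
INSTANCE_1 = Instance("instance #1", "172.31.3.1", "203.0.113.1", "sg-PLACEHOLDER1")
INSTANCE_2 = Instance("instance #2", "172.31.3.2", "203.0.113.2", "sg-PLACEHOLDER2")

def source_seen_by_target(src: Instance, dst: Instance, dst_addr: str) -> str:
    """Address the target's security group evaluates as the source.

    Connecting to the target's public IP sends the packet out and back in,
    so it is source-NATed to the client's public IP. Connecting to the private
    IP stays inside the VPC and the client's private address is preserved.
    """
    if dst_addr == dst.public_ip:
        return src.public_ip
    if dst_addr == dst.private_ip:
        return src.private_ip
    raise ValueError(f"{dst_addr} is not an address of {dst.name}")

def ingress_allowed(rules, src: Instance, seen_addr: str, port: int) -> bool:
    """Evaluate ingress rules of the form (source, port), where source is a
    CIDR or an sg-ID. A CIDR is matched against the address the group sees;
    an sg-ID reference matches the client's group, and only for traffic that
    kept the client's private address (i.e. stayed inside the VPC)."""
    seen = ipaddress.ip_address(seen_addr)
    for source, rule_port in rules:
        if rule_port != port:
            continue
        if source.startswith("sg-"):
            if source == src.sg_id and seen_addr == src.private_ip:
                return True
        elif seen in ipaddress.ip_network(source, strict=False):
            return True
    return False

def connect(rules, src: Instance, dst: Instance, dst_addr: str, port: int) -> bool:
    """Simulate src connecting to dst at dst_addr under dst's ingress rules."""
    return ingress_allowed(rules, src, source_seen_by_target(src, dst, dst_addr), port)
```

Running `connect` with a rule that allows 172.31.3.1/32 or sg-PLACEHOLDER1 succeeds only when instance #1 targets 172.31.3.2, which is exactly the behaviour the questioner observed in reverse with public-IP rules.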