We want to set up security groups that are more specific and manageable, and the concept we came up with is:
- sg-public-group: allows 80/443 globally
- sg-private-group: just a label for the meantime
- sg-db-group: allows 3306/tcp for sg-public-group and sg-private-group
- sg-access-group: allows 22/tcp for every subnet/private group that does not have a public IP address.
And an EC2 DB instance that applies the above SGs.
And EC2 instances for the web application that are trying to connect to the DB.
Our AWS setup uses subnets as basic security: our DB is not accessible from the public, and you first need to access the main instance before you can access the DB server.
But upon testing it didn't work. Any idea on how we can make it work?
Best Answer
AWS security groups work as whitelists: each rule is a permissive rule. Anything that is not allowed is denied, yet what is allowed is allowed; you can't override that in any other rule.
Roughly, security groups can allow specific inbound traffic from:
Unfortunately, you cannot specify anything more complex, like "allow access from any instance that does not have a public IP"; you can only specify a source security group. As you correctly assumed, security groups listed in the Source field can be regarded as labels. So, in your case, the configuration should be as follows:
sg-access-from should be set up to allow connections via 22/TCP from EC2 instances that belong to sg-private-group. However, it is going to be your responsibility to make sure that all EC2 instances belonging to sg-private-group indeed do not have any public IP addresses.
For more detail, look at the AWS Security Groups document:
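To make the answer's two points concrete (allow-only rule evaluation with source-group references acting as labels, and the "no public IP" property that security groups cannot express and must be audited separately), here is an added example that is not part of the question or the answer. It is a small offline model: instances, group memberships and IP addresses are constructed sample data, and the rule dictionaries use the same field names as the EC2 API's `IpPermissions` so each entry maps onto an `aws ec2 authorize-security-group-ingress` call. The evaluator implements only the semantics the answer describes (any matching rule on any of the destination's groups allows; nothing denies); it does not model NACLs or routing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data modelling the question's design; not a real account.
@dataclass
class Instance:
    name: str
    ip: str                       # address the traffic is seen from (private IP inside the VPC)
    groups: Set[str]              # security groups attached to the instance
    public_ip: Optional[str] = None

# Ingress rules per group, shaped like EC2 IpPermissions. A rule allows a source if the
# source IP falls in one of IpRanges, or the source instance carries one of the groups in
# UserIdGroupPairs (that is the "security group as a label" behaviour from the answer).
# CLI equivalent for the 3306 rule below (hypothetical IDs):
#   aws ec2 authorize-security-group-ingress --group-id sg-db --protocol tcp --port 3306 \
#       --source-group sg-private
RULES: Dict[str, List[dict]] = {
    "sg-public-group": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-private-group": [],  # label only: no inbound rules of its own
    "sg-db-group": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupName": "sg-public-group"}, {"GroupName": "sg-private-group"}]},
    ],
    "sg-access-group": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupName": "sg-private-group"}]},
    ],
}

INSTANCES: Dict[str, Instance] = {i.name: i for i in [
    Instance("web", "10.0.1.10", {"sg-public-group"}, public_ip="203.0.113.10"),
    Instance("bastion", "10.0.2.10", {"sg-private-group"}),
    Instance("db", "10.0.3.10", {"sg-db-group", "sg-access-group"}),
    # Deliberately wrong: carries the private label but has a public IP.
    Instance("stray", "10.0.2.20", {"sg-private-group"}, public_ip="203.0.113.20"),
    # An outside client: no security groups at all.
    Instance("internet-client", "198.51.100.7", set()),
]}

def _rule_matches(rule: dict, src: Instance, proto: str, port: int) -> bool:
    if rule["IpProtocol"] not in (proto, "-1"):          # "-1" means all protocols
        return False
    if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return False
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_address(src.ip) in ipaddress.ip_network(r["CidrIp"]):
            return True
    for g in rule.get("UserIdGroupPairs", []):
        if g["GroupName"] in src.groups:                   # source-group reference == label check
            return True
    return False

def allowed(src: Instance, dst: Instance, proto: str, port: int) -> bool:
    """Allow-list semantics: traffic passes iff ANY rule on ANY of dst's groups matches.
    There is no deny rule, so attaching a further group can only widen access."""
    return any(_rule_matches(rule, src, proto, port)
               for g in dst.groups for rule in RULES.get(g, []))

def private_group_violations(instances: Dict[str, Instance], group: str = "sg-private-group") -> List[str]:
    """The answer's caveat: a rule cannot say 'has no public IP', so audit it out of band."""
    return sorted(i.name for i in instances.values() if group in i.groups and i.public_ip)

if __name__ == "__main__":
    I = INSTANCES
    for src, dst, port in [("web", "db", 3306), ("bastion", "db", 22), ("web", "db", 22),
                           ("internet-client", "web", 443), ("internet-client", "db", 3306)]:
        print(f"{src} -> {dst}:{port} allowed={allowed(I[src], I[dst], 'tcp', port)}")
    print("instances in sg-private-group with a public IP:", private_group_violations(I))
```

Two practitioner checks follow from the model. First, `web` can reach 3306 but not 22 on `db`, and `bastion` can reach 22, while an outside client reaches nothing on `db`: if a real test disagrees, the rule that should match is missing or references the wrong group. Second, `private_group_violations` is the audit the answer says is your responsibility; run the equivalent against `describe-instances` output whenever membership of the label group changes. One further caveat worth knowing when a source-group rule "didn't work": a source-group reference matches traffic that arrives from the source's private address inside the VPC, so clients must connect to the database's private IP or DNS name, not to a public address.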