Multiple EC2 security groups – permissive or restrictive

Tags: amazon-ec2, amazon-web-services

What happens when I assign multiple security groups to an instance? Is it permissive, in the sense that the traffic is allowed in if any one of the security groups allows it? OR is it restrictive, in the sense that every security group must allow the traffic in for it to be passed in?

For example, let's say I have a class of instances that will only ever talk to other instances in the same account. I also have a class of instances that will only accept traffic via HTTP (port 80).

Is it possible to restrict access to internal instances and only via HTTP by creating and applying two security groups:

  1. An "internal" security group. Allow all traffic in from other members of that security group on all ports for all transports (TCP, UDP, ICMP)
  2. Create an "http" security group. Allow all traffic into port 80 via TCP from any source.

OR am I forced to create a single security group that allows traffic from port 80 where the source is itself?

Best Answer

If an instance has multiple security groups, it has the sum of all rules in the various groups.

For example, let's say I have a class of instances that will only ever talk to other instances in the same account. I also have a class of instances that will only accept traffic via http (port 80).

This is a perfect situation for AWS Virtual Private Cloud. Put the internal instances in private subnets, and the public-facing instances in public subnets.
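The following is an added example, not part of the question or the answer above: a small Python model of the "sum of all rules" behaviour that evaluates a packet against every security group attached to an instance. The group names, rules and addresses are constructed for illustration; it shows why attaching "internal" plus "http" admits both external traffic on port 80 and internal traffic on any port, while a single group whose port-80 rule references itself as the source is the restrictive option.

```python
"""Model of how EC2 evaluates several security groups on one instance.

Added example, not from the original post. Group names, rules and IPs
below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # -1 means all ports (also covers ICMP, which has no ports)
    to_port: int
    source: str      # a CIDR, or a security-group id such as "sg-internal"


# Constructed groups mirroring the two designs discussed above.
GROUPS = {
    "sg-internal": [Rule("-1", -1, -1, "sg-internal")],   # everything from members
    "sg-http":     [Rule("tcp", 80, 80, "0.0.0.0/0")],    # port 80 from anywhere
    "sg-single":   [Rule("tcp", 80, 80, "sg-single")],    # port 80 from members only
}


def rule_matches(rule, protocol, port, src_ip, src_groups):
    """True if one inbound rule admits this packet."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # A group-referencing rule matches when the sender carries that group.
        return rule.source in src_groups
    return ip_address(src_ip) in ip_network(rule.source)


def is_allowed(groups, instance_groups, protocol, port, src_ip, src_groups=()):
    """EC2 semantics: groups are allow-lists and the instance gets the union
    of all their rules, so any single matching rule admits the packet."""
    return any(
        rule_matches(rule, protocol, port, src_ip, src_groups)
        for name in instance_groups
        for rule in groups[name]
    )


if __name__ == "__main__":
    both = ["sg-internal", "sg-http"]
    print("external -> :80 with internal+http:", is_allowed(GROUPS, both, "tcp", 80, "203.0.113.5"))
    print("member -> :22 with internal+http:", is_allowed(GROUPS, both, "tcp", 22, "10.0.0.9", ("sg-internal",)))
    print("external -> :80 with single group:", is_allowed(GROUPS, ["sg-single"], "tcp", 80, "203.0.113.5"))
```

Running it prints True, True, False: the two-group design is permissive in both directions, and only the self-referencing single group yields "port 80 and internal only".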