Security – Is it possible to configure inheritance for EC2 VPC Security Groups

Tags: amazon-ec2, amazon-vpc, amazon-web-services, security

We'd like to be able to access the instances in our VPC from the various public IPs that we have in our corporate network. Is it possible to create security groups (like operator-security-group) and put rules on them that are inherited when applied to instances of an existing security group?

I tried the following configuration and it didn't work:
sg-operator (security group created, not associated with any instance)
port 3389, source my IP: 10.10.10.10

sg-server1 (security group associated with an instance)
port 3389, source "sg-operator"

It seems to me that rules added in security groups only work when they are directly associated with the instance. Is there another way?

Best Answer

Security group rules aren't able to be inherited by other groups. What you need to do is to create your sg-operator security group and then apply it to a group of instances directly, which you can easily do in a VPC (not in Classic).

Background: Adding an allow rule for a security group to an existing security group means that the instances in the source security group are able to communicate with the instances in the existing security group over the specified ports and protocols. It doesn't mean that any traffic that's allowed in by an attached security group is allowed in to an associated security group, which is really a better solution.

This lets you do things like define a database server security group for your DB servers and then create a rule to allow traffic on port 3306 from instances in the web server security group.
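The following is an added example, not code from the question or the answer above. It is a small offline model of how security group ingress rules are evaluated, written to make the point of the answer concrete: a rule whose source is another security group matches traffic sent by members of that group, and never pulls in that group's own rules, so the questioner's sg-server1 -> sg-operator reference does nothing for an operator connecting from 10.10.10.10, while attaching sg-operator to the instance directly does. The instance names, the sg-web/sg-db pair and all IP addresses are constructed for the example; the model ignores egress rules, connection tracking, the "all traffic" protocol and the fact that real group references only match a member ENI's private address.

```python
"""Offline model of EC2/VPC security group ingress evaluation (added example).

Simplifications (assumptions, not AWS's actual implementation): only ingress
rules are modelled, rules are stateless, a source is either a CIDR string or a
security group id, and group membership of the *sender* is passed in by hand.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str
    from_port: int
    to_port: int
    source: str  # CIDR such as "10.10.10.10/32", or a group id such as "sg-operator"


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    groups: List[str]  # security groups attached to the instance (its ENI)


def is_allowed(groups_by_id: Dict[str, SecurityGroup], dst: Instance, src_ip: str,
               protocol: str, port: int, src_groups: Sequence[str] = ()) -> bool:
    """Return True if any rule of any group *attached to dst* permits the packet.

    Rules are the union over the attached groups. A rule that names a security
    group as its source matches only when the sender is a member of that group;
    the named group's own rules are never consulted (no inheritance).
    """
    for gid in dst.groups:
        for rule in groups_by_id[gid].ingress:
            if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
                continue
            if rule.source.startswith("sg-"):
                if rule.source in src_groups:
                    return True
            elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False):
                return True
    return False


def build_groups() -> Dict[str, SecurityGroup]:
    """The questioner's two groups plus the answer's web/db pair (constructed data)."""
    sg_operator = SecurityGroup("sg-operator", [Rule("tcp", 3389, 3389, "10.10.10.10/32")])
    sg_server1 = SecurityGroup("sg-server1", [Rule("tcp", 3389, 3389, "sg-operator")])
    sg_web = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "0.0.0.0/0")])
    sg_db = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, "sg-web")])
    return {g.name: g for g in (sg_operator, sg_server1, sg_web, sg_db)}


def rdp_with_reference_only() -> bool:
    """The configuration from the question: sg-server1 references sg-operator."""
    groups = build_groups()
    server = Instance("server1", "10.0.1.5", ["sg-server1"])
    # The operator at 10.10.10.10 is not an instance in sg-operator, so the
    # reference never matches, and sg-operator's CIDR rule is not inherited.
    return is_allowed(groups, server, "10.10.10.10", "tcp", 3389)


def rdp_with_group_attached() -> bool:
    """The answer's fix: attach sg-operator to the instance alongside sg-server1."""
    groups = build_groups()
    server = Instance("server1", "10.0.1.5", ["sg-server1", "sg-operator"])
    return is_allowed(groups, server, "10.10.10.10", "tcp", 3389)


def mysql_from_web_tier() -> Tuple[bool, bool]:
    """The answer's db/web example: members of sg-web reach 3306, other hosts do not."""
    groups = build_groups()
    web = Instance("web1", "10.0.2.7", ["sg-web"])
    db = Instance("db1", "10.0.3.9", ["sg-db"])
    from_web = is_allowed(groups, db, web.ip, "tcp", 3306, src_groups=web.groups)
    from_other = is_allowed(groups, db, "10.0.2.200", "tcp", 3306)  # same subnet, not in sg-web
    return from_web, from_other


if __name__ == "__main__":
    print("RDP, reference only:", rdp_with_reference_only())
    print("RDP, sg-operator attached:", rdp_with_group_attached())
    print("MySQL (from web tier, from other host):", mysql_from_web_tier())
```

The third scenario is the useful one to keep in mind when designing groups: a group reference is a statement about who the sender is, not about which rules apply, which is exactly why attaching sg-operator to the instances themselves is the right shape for the questioner's case.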