What are ingress security groups in AWS / Terraform

amazon-web-servicessecurity-groupsterraform

When defining an AWS security group in Terraform, you can set up inbound/ingress configurations. However, these ingress configurations can also point at other security groups.
The terraform documentation simply says "(Optional) List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC."

What does this accomplish? I don't see any place in the AWS management console where this can be reproduced.

resource "aws_security_group" "new_security_group" {
    vpc_id = "${var.vpc_id}"

    ingress {
        protocol = "tcp"
        security_groups = ["${var.load_balancer_security_group_id}"]
        from_port = 80
        to_port = 80
    }

    ingress {
        protocol = "tcp"
        security_groups = ["${var.load_balancer_security_group_id"]
        from_port = 443
        to_port = 443
    }
}

In the example I ran across each of the ingress ports reference an entirely separate security group set up for an elastic load balancer.

Best Answer

This allows you to set up rules like "allow the webserver security group to access the database security group group on port 3306", and is possible via the AWS Console as well - just start typing the name of a security group in the IP field when setting up a rule.

Related Solutions

Can’t Connect to EC2 Instance in VPC – Troubleshooting Guide

To communicate outside of the VPC, each non-default subnet needs a routing table and an internet gateway associated to it (the default subnets get an external gateway and a routing table by default).

Depending on the way you have created public subnet in the VPC, you might need to explicitly add them additionally. Your VPC setup sounds like it matches Scenario 1 - a private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet from the AWS VPC documentation.

You will need to add an internet gateway to your VPC and inside the Public subnet's routing table assign 0.0.0.0/0 (default route) to go to the assigned internet gateway. There is a nice illustration of the exact network topology inside the documentation.

Also, for more information, you can check the VPC Internet Gateway AWS documentation. Unfortunately it's a little messy and a non-obvious gotcha.

For more details about connection issues, see also: Troubleshooting Connecting to Your Instance.

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Best Answer

Related Solutions

Can’t Connect to EC2 Instance in VPC – Troubleshooting Guide

AWS CloudFormation: VPC default security group

Related Topic