I have an Amazon Beanstalk Load Balancer setup which adds / removes ec2 servers as needed. The security group for this load balancer is called prod-sc.
I also have an Amazon EC2 instance using security group elasticsearch-sc.
Now I need elasticsearch-sc to allow port 9200 to be accessed from prod-sc.
However, every time I try to configure this in elasticsearch-sc by providing the prod-sc Group ID, I get an error saying:
Could not update your security group rules (No changes were made): You may not define rules between a VPC group and a non-VPC group.
How can I give prod-sc access to elasticsearch-sc?
Can you try creating elasticsearch-sc as a VPC security group?
Read the guide for more details.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
http://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html
I have an RDS database with status Running; however, it is not showing in my EC2 Security Groups. The only instances showing are:
default VPC security group
Security Group for Elastic Beanstalk
Elastic Beanstalk created security group
Why is the RDS database not showing in the EC2 Security Groups?
RDS settings: (screenshot not reproduced)
The typical security setup would be:
A Security Group on the Amazon EC2 instances created by Elastic Beanstalk (App-SG) with adequate inbound rules for users to access the app (or perhaps from a Load Balancer -- I'll assume you have that configured correctly)
A Security Group on the Amazon RDS database (DB-SG) with an inbound rule that permits access from App-SG on the database port
That is, DB-SG should specifically reference the App-SG in its inbound rules. This will give permission for any of the EC2 instances to connect to the database.
Feel free to create new Security Groups with appropriate names and rules, then associate those Security Groups with the EC2 instances (via Elastic Beanstalk) and the database. You do not need to keep using the Default security group.
I am trying to understand this statement:
"You can reference AWS Security Groups from other Security Groups."
What exactly does this mean?
This is how I understood it. I created a security group, called it "SG-10", and attached it to an instance "EC2-10". The SG "SG-10" has allow port 443 defined inside it.
Now, I create a security group, call it "SG-20", and attach it to an instance "EC2-20". This also has port 443 allowed. Now, if I call "SG-10" inside "SG-20", does this mean that "EC2-10" will be able to connect to "EC2-20" on port 443?
Regards,
Nik.
if I call "SG-10" inside "SG-20"
No, you cannot call a security group; this does not make any sense.
If a security group A references security group B, it does mean that the instance to which security group A is attached allows inbound or outbound traffic to another instance to which security group B is attached. But if you want to send traffic from the instance with security group A to the instance with security group B, you have to use the IP or the DNS name of instance B.
Usually the reason why we would want to reference a security group instead of an IP, is that the IP might change over time or it is not exposed at all. A fairly common example is having an application load balancer (ALB) and a group of EC2 instances which allow traffic only from the ALB. The IP address of the ALB changes over time, so in order to be able to receive traffic from the ALB, we can reference the security group attached to it.
If we want to reference a security group from another security group, we have to edit the rules of the initial security group:
As an example of referencing security groups, imagine a 3-tier architecture:
A Load Balancer receiving traffic from the Internet and sending requests to an Amazon EC2 instance
An Amazon EC2 instance receiving requests from the Load Balancer and sending queries to an Amazon RDS database
An Amazon RDS database receiving requests from the EC2 instance
This would involve 3 security groups:
A security group on the Load Balancer (LB-SG) that allows incoming traffic on port 80/443.
A security group on the EC2 instance (App-SG) that allows incoming traffic on port 80 only from the load balancer. It does this by setting the source to LB-SG.
A security group on the RDS database (DB-SG) that allows incoming traffic on the relevant port (eg 3306) only from the EC2 instance. It does this by setting the source to App-SG.
All security groups allow All Outbound Traffic.
By referencing other security groups, resources can be added/removed without having to change the security groups. For example, another EC2 instance could be launched and assigned the App-SG security group. This new instance would then be able to communicate with the database since DB-SG allows incoming traffic from App-SG, without being tied to any specific IP addresses.
If a resource is associated with multiple security groups, then all rules apply to the resource. Security Groups only say what is 'Allowed'. They do not include 'Deny' rules.
In your SG-10/SG-20 example, you do not mention the source of the traffic, so it is not possible to answer your question. If you want EC2-20 to accept connections from EC2-10, then the SG-20 security group should allow connections with the Source set to SG-10.
As an aside, I should mention that Network ACLs should normally be left at their default "Allow All" settings unless there is a specific networking requirement (eg creating a DMZ).
I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup. Please check this question: Source Security group isn't working as expected in aws. Actually, when you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.
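To make the semantics in the answers above concrete (the LB-SG / App-SG / DB-SG layout, the union of rules when several groups are attached, the allow-only nature of security groups, the private-address requirement from the last answer, and the "VPC group vs non-VPC group" error from the first question), here is an added illustration written for this page. It is not AWS code and not from any of the posters: the permission dicts follow the real shape of the IpPermissions argument to the EC2 API, but evaluate_inbound() and authorize_ingress() are a simplified model of the documented behaviour, and every group ID, VPC ID and address below is a constructed placeholder.

```python
"""Toy model of how EC2 security-group rules that reference another
security group are evaluated. Added illustration, not AWS code: the
permission dicts use the EC2 API's IpPermissions shape, but the
evaluation logic is a simplified model of the behaviour described in
the answers above. All IDs and addresses are constructed placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass
class SecurityGroup:
    group_id: str
    vpc_id: Optional[str]        # None models a non-VPC (EC2-Classic) group
    ingress: List[dict] = field(default_factory=list)  # IpPermissions-shaped rules


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: List[SecurityGroup]  # every group attached to the instance


def group_permission(port, source_group_id, protocol="tcp"):
    """Inbound rule whose source is another security group (EC2 API shape)."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


def cidr_permission(port, cidr, protocol="tcp"):
    """Inbound rule whose source is an IPv4 CIDR block (EC2 API shape)."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def authorize_ingress(group, permission, all_groups):
    """Attach a rule, modelling the VPC/non-VPC restriction from the first question."""
    for pair in permission.get("UserIdGroupPairs", []):
        source = all_groups[pair["GroupId"]]
        if (source.vpc_id is None) != (group.vpc_id is None):
            raise ValueError("You may not define rules between a VPC group and a non-VPC group.")
    group.ingress.append(permission)


def evaluate_inbound(src, dst, port, protocol="tcp", via_public_ip=False):
    """Model: is traffic from src to dst on the given port allowed?

    Security groups are allow-only and the union of all groups attached to
    dst applies. A group-referenced rule only matches when the packet still
    carries its source-group association, i.e. over the private address;
    via a public address the source looks like a plain public IP, so only
    CIDR rules could match (this model checks CIDR rules against the
    private address for simplicity).
    """
    src_group_ids = {g.group_id for g in src.groups}
    for group in dst.groups:                      # union of attached groups
        for perm in group.ingress:
            if perm["IpProtocol"] not in (protocol, "-1"):
                continue
            if not (perm.get("FromPort", port) <= port <= perm.get("ToPort", port)):
                continue
            if not via_public_ip:
                if any(p["GroupId"] in src_group_ids for p in perm.get("UserIdGroupPairs", [])):
                    return True
            for rng in perm.get("IpRanges", []):
                if ipaddress.ip_address(src.private_ip) in ipaddress.ip_network(rng["CidrIp"]):
                    return True
    return False  # nothing matched; there are no deny rules to consult


def three_tier_scenario():
    """Build the LB-SG / App-SG / DB-SG layout with constructed placeholder IDs."""
    vpc = "vpc-placeholder"
    lb_sg = SecurityGroup("sg-lb-placeholder", vpc)
    app_sg = SecurityGroup("sg-app-placeholder", vpc)
    db_sg = SecurityGroup("sg-db-placeholder", vpc)
    classic_sg = SecurityGroup("sg-classic-placeholder", None)
    groups = {g.group_id: g for g in (lb_sg, app_sg, db_sg, classic_sg)}

    authorize_ingress(lb_sg, cidr_permission(443, "0.0.0.0/0"), groups)      # Internet -> LB
    authorize_ingress(app_sg, group_permission(80, lb_sg.group_id), groups)   # LB-SG -> App
    authorize_ingress(db_sg, group_permission(3306, app_sg.group_id), groups) # App-SG -> DB

    lb = Instance("load-balancer", "10.0.0.10", [lb_sg])
    app1 = Instance("app-1", "10.0.1.10", [app_sg])
    app2 = Instance("app-2", "10.0.1.11", [app_sg])   # scaled-out later; no rule edits needed
    db = Instance("db", "10.0.2.10", [db_sg])
    return groups, lb, app1, app2, db


def checks():
    """Exercise the scenario and return the outcome of each case by name."""
    groups, lb, app1, app2, db = three_tier_scenario()
    results = {
        "lb_to_app_80": evaluate_inbound(lb, app1, 80),
        "app_to_db_3306": evaluate_inbound(app1, db, 3306),
        "new_app_to_db_3306": evaluate_inbound(app2, db, 3306),
        "lb_to_db_3306": evaluate_inbound(lb, db, 3306),
        "app_to_db_via_public_ip": evaluate_inbound(app1, db, 3306, via_public_ip=True),
    }
    try:   # referencing a non-VPC group from a VPC group is rejected
        authorize_ingress(groups["sg-db-placeholder"],
                          group_permission(3306, "sg-classic-placeholder"), groups)
        results["classic_reference_allowed"] = True
    except ValueError:
        results["classic_reference_allowed"] = False
    return results


if __name__ == "__main__":
    for name, allowed in checks().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The permission dicts produced by group_permission() and cidr_permission() are the same shape you would pass as IpPermissions to the EC2 authorize_security_group_ingress call; the evaluator exists only to show why app-2 reaches the database without any rule change, why the load balancer cannot, and why the group reference stops matching when the client goes through a public address.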
I have hosted my Magento 2 site in AWS auto-scaling and am using Redis/ElastiCache and RDS. How can I ensure my Redis and RDS are accessible only from the dynamic instances created by auto-scaling?
You can put Redis/ElastiCache and RDS inside a security group and configure its Security Group inbound rule to only allow traffic from the Security Group of the instances from AWS Auto Scaling.
Something like what is shown in the picture below: configuring a Security Group's inbound rule to allow traffic from a different Security Group, which will block all other traffic except that from the configured Security Group.
More details can be found below:
Security Group for ElastiCache
RDS Security Group
I am trying to deploy Spring Boot Application with AWS Elastic Beanstalk. Instead of using default settings for the environment, I modified something under "VPC". After picking availability zone and one of the security groups for the VPC, I created the environment.
However when I looked at the instance detail after it is created, I noticed it is tied to two security groups. Other than the one I chose sg-98c031f3, it has another newly-generated security group sg-72b94919.
Why does it create two security groups for the environment when I selected only one group? Is there a way to remove one of them, since one security group is enough to handle all the rules?
Elastic Beanstalk will always create and utilize one security group that gets attached to the EC2 instance. This group is managed by Elastic Beanstalk and its primary purpose is to allow inbound connections from your load balancer.
(It also has a secondary purpose of allowing inbound SSH connections if you have selected a keypair for your EC2 instances)
Elastic Beanstalk allows you to select 0 or more additional security groups to attach to your EC2 instances. Note that you do not need to select any security groups if you don't want to. This is so that you can add additional inbound/outbound rules for your EC2 instances without needing to modify the EB-managed one.
Some reasons why you might want to add additional security groups:
To allow more inbound ports (for example, RDP)
To allow outbound network connections (for example, NTP)
To act as sources and targets for other security group rules (for example, allow connections from your selected security group into your RDS instances)
I should start by saying that this is only me playing with AWS, which is why there is nothing about configuring VPC and subnets.
I'd like to launch 2 EC2 instances with an Apache server inside through a Scaling Group. I'd also like these instances to get registered with an ELB and be only reachable through the ELB (so no direct access to instances). I associated the ELB with both the VPC's default Security Group and a custom one that allows inbound requests from my IP via port 80. On the other hand, I configured a Launch Configuration (as part of creating the Scaling Group) that associates instances with only the VPC's default security group.
Problems
1- ELB can't reach instances and fails the health check. If I create another Launch Configuration that associates instances with both the default and my custom security groups, ELB can then reach instances. Why? The custom security group has only inbound rules from my IP.
2- Even if I change the instances' network configuration directly and associate the custom Security Group, it makes no difference. I have to recreate the Launch Configuration and Scaling Group with the new configuration so that, when created, the new association gets propagated to instances. Is this expected behaviour? Why wouldn't the AWS console then disable the options to edit an instance's config if it was launched through a Scaling Group?