AWS: Security Groups Ignoring Elastic IP Traffic

I have 2 AWS instances, i-1 and i-2. Each of them is in a different security group: sg-1 and sg-2, respectively. Both machines have elastic IP addresses.

sg-2 is configured to allow all traffic from sg-1, regardless of port, IP source, or protocol.

When i-1 tries to talk to i-2, its traffic is blocked. AWS seems to ignore the fact that i-1's traffic is actually coming from its elastic IP.

Is this expected? Is there anything I can do to get around it other than manually adding the i-1 elastic IP to sg-2?

+3

2 answers


sg-2 is configured to allow all traffic from sg-1

When you do this, only traffic from a private IP address is allowed. However, since you are using EIP, you clearly need to allow traffic from that IP address.

Read the following: https://forums.aws.amazon.com/thread.jspa?messageID=414060



Quoting from the link above:

Out of curiosity, perhaps you are connecting using a public IP address? When you use a rule with a security group as a source, it will only match when connected over the internal network. However, the private IP address may change. If you have an Elastic IP address associated with an instance, the public DNS name appears to be static and will always resolve to the current private IP address when used from the same EC2 region. This allows you to easily connect internally without worrying about any address changes.

+9

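To make the behaviour described in this answer concrete, here is an added toy model (not AWS code and not from the original thread) that evaluates inbound rules the way the answer explains: a rule whose source is a security group matches only a member instance's private address, while a CIDR rule matches the literal source IP. The instance IDs, addresses and group memberships are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (not a real account): each instance has a
# private IP, an Elastic IP, and a security group membership.
INSTANCES = {
    "i-1": {"private_ip": "10.0.1.10", "eip": "203.0.113.10", "groups": {"sg-1"}},
    "i-2": {"private_ip": "10.0.2.20", "eip": "203.0.113.20", "groups": {"sg-2"}},
}

@dataclass
class Rule:
    """One inbound rule: source is either a group id ('sg-...') or a CIDR."""
    source: str
    protocol: str = "-1"          # "-1" means all protocols, as in the EC2 API
    port: Optional[int] = None    # None means any port

def rule_matches(rule, src_ip, protocol, port):
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # A group-referenced source matches only the *private* address of a
        # member instance, i.e. traffic that arrived over the internal network.
        return any(rule.source in inst["groups"] and inst["private_ip"] == src_ip
                   for inst in INSTANCES.values())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def inbound_allowed(rules, src_ip, protocol="tcp", port=22):
    """Security groups are allow-lists: any matching rule permits the packet."""
    return any(rule_matches(r, src_ip, protocol, port) for r in rules)

def diagnose(rules, src_instance):
    """How src_instance's traffic fares when it uses its private IP vs its EIP."""
    inst = INSTANCES[src_instance]
    return {
        "via_private_ip": inbound_allowed(rules, inst["private_ip"]),
        "via_elastic_ip": inbound_allowed(rules, inst["eip"]),
    }

if __name__ == "__main__":
    sg2_as_asked = [Rule(source="sg-1")]
    print(diagnose(sg2_as_asked, "i-1"))   # {'via_private_ip': True, 'via_elastic_ip': False}
    # The workaround the question mentions: add i-1's EIP as a /32 CIDR rule.
    sg2_with_eip = sg2_as_asked + [Rule(source="203.0.113.10/32", protocol="tcp", port=22)]
    print(diagnose(sg2_with_eip, "i-1"))   # {'via_private_ip': True, 'via_elastic_ip': True}
```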

You haven't provided enough information to diagnose the problem, but there are a few things to check:

  • Is I-1 definitely in SG-1? If your copies are confused, the SG rules will be wrong.
  • Does the machine in SG-2 have a firewall that can block incoming traffic even though SG rules allow it?
  • You tagged this with a VPC - do you have network ACL settings that might impede traffic flow? Are the machines private using a NAT device to go online or publicly routing through a standard AWS gateway? Can I-1 see the Internet? If you are routing through NAT, assigning EIP to the computer effectively disconnects it from the Internet, because EIP and NAT are mutually incompatible, and although I have not tried it, it can also mess up SG routing.
  • Does SG-1 have exit rules that might discourage traffic?


The answer to your question will most likely be found in the resolution of one of these questions, if the answer to any of them is "Yes".

+1
