AWS SG, allow public IP from other SG

Clash Royale CLAN TAG#URR8PPP

up vote
4
down vote

favorite

I have two instances in a VPC distinct security groups, each with their own public IP. I would like instance one to be able to connect to instance two on it's Public IP. I discovered that granting access to the security group, only allows access to the private IP, not the Public IP.

I have now defined my Security Group to allow access to the Public IP of the instance which resides in the other Security Group. However, this is inconvenient, as I can't easily automate this (think Ansible), since I will first need to perform a lookup of the DNS name, before I can add it to the group.

Does anyone know of a simpler way of doing this?

To summarize:

• Instance 1 -> 1.2.3.4


• Instance 2 -> 5.6.7.8

Instance 1 is required to access Instance 2 on it's Public IP.
I currenty end up having to manually lookup what the IP of instance 1 is and in turn add that to the security group of Instance 2.

amazon-web-services amazon-ec2 amazon-elastic-ip security-groups

share|improve this question

asked 3 hours ago

darkl0rd

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
4
down vote

favorite

I have two instances in a VPC distinct security groups, each with their own public IP. I would like instance one to be able to connect to instance two on it's Public IP. I discovered that granting access to the security group, only allows access to the private IP, not the Public IP.

I have now defined my Security Group to allow access to the Public IP of the instance which resides in the other Security Group. However, this is inconvenient, as I can't easily automate this (think Ansible), since I will first need to perform a lookup of the DNS name, before I can add it to the group.

Does anyone know of a simpler way of doing this?

To summarize:

• Instance 1 -> 1.2.3.4


• Instance 2 -> 5.6.7.8

Instance 1 is required to access Instance 2 on it's Public IP.
I currenty end up having to manually lookup what the IP of instance 1 is and in turn add that to the security group of Instance 2.

amazon-web-services amazon-ec2 amazon-elastic-ip security-groups

share|improve this question

asked 3 hours ago

darkl0rd

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
4
down vote

favorite

up vote
4
down vote

favorite

I have two instances in a VPC distinct security groups, each with their own public IP. I would like instance one to be able to connect to instance two on it's Public IP. I discovered that granting access to the security group, only allows access to the private IP, not the Public IP.

I have now defined my Security Group to allow access to the Public IP of the instance which resides in the other Security Group. However, this is inconvenient, as I can't easily automate this (think Ansible), since I will first need to perform a lookup of the DNS name, before I can add it to the group.

Does anyone know of a simpler way of doing this?

To summarize:

• Instance 1 -> 1.2.3.4


• Instance 2 -> 5.6.7.8

Instance 1 is required to access Instance 2 on it's Public IP.
I currenty end up having to manually lookup what the IP of instance 1 is and in turn add that to the security group of Instance 2.

amazon-web-services amazon-ec2 amazon-elastic-ip security-groups

share|improve this question

asked 3 hours ago

darkl0rd

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

I have two instances in a VPC distinct security groups, each with their own public IP. I would like instance one to be able to connect to instance two on it's Public IP. I discovered that granting access to the security group, only allows access to the private IP, not the Public IP.

I have now defined my Security Group to allow access to the Public IP of the instance which resides in the other Security Group. However, this is inconvenient, as I can't easily automate this (think Ansible), since I will first need to perform a lookup of the DNS name, before I can add it to the group.

Does anyone know of a simpler way of doing this?

To summarize:

• Instance 1 -> 1.2.3.4


• Instance 2 -> 5.6.7.8

Instance 1 is required to access Instance 2 on it's Public IP.
I currenty end up having to manually lookup what the IP of instance 1 is and in turn add that to the security group of Instance 2.

amazon-web-services amazon-ec2 amazon-elastic-ip security-groups

amazon-web-services amazon-ec2 amazon-elastic-ip security-groups

share|improve this question

asked 3 hours ago

darkl0rd

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 3 hours ago

darkl0rd

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

asked 3 hours ago

darkl0rd

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 3 hours ago

darkl0rd

212

asked 3 hours ago

darkl0rd

212

212

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

darkl0rd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
2
down vote

Typically you'd create a named security group, attach it to those instances, and add a rule which references this security group as a source and allow the needed destination ports.

Final picture:

• All instances needed to communicate with each other have the created security group attached.


• The created security group contains rules which state inbound from created security group to destination port you need
  


• Often there are no outbound rules included, as secutity groups are stateful. But feel free to add what is needed.

So basically not even a single ip is needed, and allow/deny can be controlled by attaching the security group to resources where access is needed. This method also works nicely with dynamic environments (e.g. autoscaled).

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hargut

65916

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
  – MLu
  2 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

I'm afraid that as soon as you go out to the Public IPs you no longer can use the Security Group ID as the Source in the target SG. That only works for Private IPs.

However if you create the Instance 1 through Ansible you can then use the Ansible facts for the instance to obtain its Public IP and set it as a source in the Instance 2 SG. Something like this should do:

- name: Create Instance 1
 ec2:
 key_name: mykey
 instance_type: t2.micro
 image: ami-123456
 wait: yes
 assign_public_ip: yes <<< Assign Public IP
 register: ec2

And then you can add it as a source to the Instance 2 Security Group:

- name: Instance 2 SG
 ec2_group:
 name: ...
 rules:
 - proto: tcp
 ports:
 - 80
 cidr_ip: " ec2.instances.public_ip " <<< Use it here

Something along these lines should let you do the automation with Ansible.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

4,11311632

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

darkl0rd is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938758%2faws-sg-allow-public-ip-from-other-sg%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote

Typically you'd create a named security group, attach it to those instances, and add a rule which references this security group as a source and allow the needed destination ports.

Final picture:

• All instances needed to communicate with each other have the created security group attached.


• The created security group contains rules which state inbound from created security group to destination port you need
  


• Often there are no outbound rules included, as secutity groups are stateful. But feel free to add what is needed.

So basically not even a single ip is needed, and allow/deny can be controlled by attaching the security group to resources where access is needed. This method also works nicely with dynamic environments (e.g. autoscaled).

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hargut

65916

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
  – MLu
  2 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

Typically you'd create a named security group, attach it to those instances, and add a rule which references this security group as a source and allow the needed destination ports.

Final picture:

• All instances needed to communicate with each other have the created security group attached.


• The created security group contains rules which state inbound from created security group to destination port you need
  


• Often there are no outbound rules included, as secutity groups are stateful. But feel free to add what is needed.

So basically not even a single ip is needed, and allow/deny can be controlled by attaching the security group to resources where access is needed. This method also works nicely with dynamic environments (e.g. autoscaled).

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hargut

65916

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
  – MLu
  2 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

up vote
2
down vote

Typically you'd create a named security group, attach it to those instances, and add a rule which references this security group as a source and allow the needed destination ports.

Final picture:

• All instances needed to communicate with each other have the created security group attached.


• The created security group contains rules which state inbound from created security group to destination port you need
  


• Often there are no outbound rules included, as secutity groups are stateful. But feel free to add what is needed.

So basically not even a single ip is needed, and allow/deny can be controlled by attaching the security group to resources where access is needed. This method also works nicely with dynamic environments (e.g. autoscaled).

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hargut

65916

Typically you'd create a named security group, attach it to those instances, and add a rule which references this security group as a source and allow the needed destination ports.

Final picture:

• All instances needed to communicate with each other have the created security group attached.


• The created security group contains rules which state inbound from created security group to destination port you need
  


• Often there are no outbound rules included, as secutity groups are stateful. But feel free to add what is needed.

So basically not even a single ip is needed, and allow/deny can be controlled by attaching the security group to resources where access is needed. This method also works nicely with dynamic environments (e.g. autoscaled).

share|improve this answer

edited 2 hours ago

answered 2 hours ago

hargut

65916

share|improve this answer

share|improve this answer

edited 2 hours ago

edited 2 hours ago

edited 2 hours ago

answered 2 hours ago

hargut

65916

answered 2 hours ago

hargut

65916

answered 2 hours ago

hargut

65916

65916

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
  – MLu
  2 hours ago
  
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
  – MLu
  2 hours ago
  
  

  
  
  
  

I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
– MLu
2 hours ago

I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
– MLu
2 hours ago

add a comment | 

up vote
2
down vote

I'm afraid that as soon as you go out to the Public IPs you no longer can use the Security Group ID as the Source in the target SG. That only works for Private IPs.

However if you create the Instance 1 through Ansible you can then use the Ansible facts for the instance to obtain its Public IP and set it as a source in the Instance 2 SG. Something like this should do:

- name: Create Instance 1
 ec2:
 key_name: mykey
 instance_type: t2.micro
 image: ami-123456
 wait: yes
 assign_public_ip: yes <<< Assign Public IP
 register: ec2

And then you can add it as a source to the Instance 2 Security Group:

- name: Instance 2 SG
 ec2_group:
 name: ...
 rules:
 - proto: tcp
 ports:
 - 80
 cidr_ip: " ec2.instances.public_ip " <<< Use it here

Something along these lines should let you do the automation with Ansible.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

4,11311632

add a comment | 

up vote
2
down vote

I'm afraid that as soon as you go out to the Public IPs you no longer can use the Security Group ID as the Source in the target SG. That only works for Private IPs.

However if you create the Instance 1 through Ansible you can then use the Ansible facts for the instance to obtain its Public IP and set it as a source in the Instance 2 SG. Something like this should do:

- name: Create Instance 1
 ec2:
 key_name: mykey
 instance_type: t2.micro
 image: ami-123456
 wait: yes
 assign_public_ip: yes <<< Assign Public IP
 register: ec2

And then you can add it as a source to the Instance 2 Security Group:

- name: Instance 2 SG
 ec2_group:
 name: ...
 rules:
 - proto: tcp
 ports:
 - 80
 cidr_ip: " ec2.instances.public_ip " <<< Use it here

Something along these lines should let you do the automation with Ansible.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

4,11311632

add a comment | 

up vote
2
down vote

up vote
2
down vote

I'm afraid that as soon as you go out to the Public IPs you no longer can use the Security Group ID as the Source in the target SG. That only works for Private IPs.

However if you create the Instance 1 through Ansible you can then use the Ansible facts for the instance to obtain its Public IP and set it as a source in the Instance 2 SG. Something like this should do:

- name: Create Instance 1
 ec2:
 key_name: mykey
 instance_type: t2.micro
 image: ami-123456
 wait: yes
 assign_public_ip: yes <<< Assign Public IP
 register: ec2

And then you can add it as a source to the Instance 2 Security Group:

- name: Instance 2 SG
 ec2_group:
 name: ...
 rules:
 - proto: tcp
 ports:
 - 80
 cidr_ip: " ec2.instances.public_ip " <<< Use it here

Something along these lines should let you do the automation with Ansible.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

4,11311632

I'm afraid that as soon as you go out to the Public IPs you no longer can use the Security Group ID as the Source in the target SG. That only works for Private IPs.

However if you create the Instance 1 through Ansible you can then use the Ansible facts for the instance to obtain its Public IP and set it as a source in the Instance 2 SG. Something like this should do:

- name: Create Instance 1
 ec2:
 key_name: mykey
 instance_type: t2.micro
 image: ami-123456
 wait: yes
 assign_public_ip: yes <<< Assign Public IP
 register: ec2

And then you can add it as a source to the Instance 2 Security Group:

- name: Instance 2 SG
 ec2_group:
 name: ...
 rules:
 - proto: tcp
 ports:
 - 80
 cidr_ip: " ec2.instances.public_ip " <<< Use it here

Something along these lines should let you do the automation with Ansible.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

4,11311632

share|improve this answer

share|improve this answer

answered 2 hours ago

MLu

4,11311632

answered 2 hours ago

MLu

4,11311632

answered 2 hours ago

MLu

4,11311632

4,11311632

add a comment | 

add a comment | 

darkl0rd is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

darkl0rd is a new contributor. Be nice, and check out our Code of Conduct.

darkl0rd is a new contributor. Be nice, and check out our Code of Conduct.

darkl0rd is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938758%2faws-sg-allow-public-ip-from-other-sg%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email