AWS SG, allow public IP from other SG
I have two instances in a VPC, in distinct security groups, each with their own public IP. I would like instance one to be able to connect to instance two on its public IP. I discovered that granting access to the security group only allows access to the private IP, not the public IP.
I have now defined my security group to allow access to the public IP of the instance which resides in the other security group. However, this is inconvenient, as I can't easily automate this (think Ansible), since I will first need to perform a lookup of the DNS name before I can add it to the group.
Does anyone know of a simpler way of doing this?
To summarize:
- Instance 1 -> 1.2.3.4
- Instance 2 -> 5.6.7.8
Instance 1 is required to access Instance 2 on its public IP.
I currently end up having to manually look up what the IP of instance 1 is and in turn add that to the security group of Instance 2.
amazon-web-services amazon-ec2 amazon-elastic-ip security-groups
asked 3 hours ago by darkl0rd
2 Answers
Typically you'd create a named security group, attach it to those instances, and add a rule which references this security group as a source and allow the needed destination ports.
Final picture:
- All instances needed to communicate with each other have the created security group attached.
- The created security group contains rules which state inbound from the created security group to the destination port you need.
- Often there are no outbound rules included, as security groups are stateful. But feel free to add what is needed.
So basically not even a single IP is needed, and allow/deny can be controlled by attaching the security group to resources where access is needed. This method also works nicely with dynamic environments (e.g. autoscaled).
edited 2 hours ago
answered 2 hours ago by hargut
I'm not sure if Security Group ID works as a source for traffic over Public IPs. I don't think so, but I may be wrong.
– MLu, 2 hours ago
I'm afraid that as soon as you go out to the Public IPs you no longer can use the Security Group ID as the Source in the target SG. That only works for Private IPs.
However if you create the Instance 1 through Ansible you can then use the Ansible facts for the instance to obtain its Public IP and set it as a source in the Instance 2 SG. Something like this should do:

    - name: Create Instance 1
      ec2:
        key_name: mykey
        instance_type: t2.micro
        image: ami-123456
        vpc_subnet_id: subnet-xxxxxxxx   # placeholder; the ec2 module requires a subnet when assign_public_ip is set
        assign_public_ip: yes            # Assign Public IP
        wait: yes                        # wait, so the registered result already contains the address
      register: ec2

And then you can add it as a source to the Instance 2 Security Group:

    - name: Instance 2 SG
      ec2_group:
        name: ...
        rules:
          - proto: tcp
            ports:
              - 80
            # the registered result holds a list of instances; a single host must be given as a /32
            cidr_ip: "{{ ec2.instances[0].public_ip }}/32"   # Use it here

Something along these lines should let you do the automation with Ansible.
Hope that helps :)
answered 2 hours ago by MLu
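The two rule shapes from the answers above, as an added example that is not part of either answer or of the asker's playbook: hargut's rule whose source is another security group, and MLu's /32 rule carrying the peer's public address. The dict shapes are the ones boto3's `ec2.authorize_security_group_ingress()` accepts as `IpPermissions`; the evaluator underneath is a simplified model written for this example (not AWS code) of why the group reference matches on the private path but not when instance 1 dials instance 2's public IP, where the destination only sees the public source address. The instance IDs, group IDs and addresses are constructed for the example.

```python
"""Security-group rules for instance-to-instance traffic (added example).

Two inbound rule shapes:
  * a source-security-group rule: matches only when the connection arrives
    carrying the member's private IP (the VPC path), and
  * a /32 CIDR rule with the peer's public IP: needed when the peer dials the
    public address, because that traffic goes out through the internet
    gateway and arrives with the public source IP and no group context.

The rule dicts are the IpPermissions format of boto3's
ec2.authorize_security_group_ingress().  The evaluator is a simplified
model for this example, not AWS code.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def sg_reference_rule(source_sg: str, port: int, proto: str = "tcp") -> dict:
    """Inbound rule: allow `port` from members of `source_sg` (private path only)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def public_ip_rule(public_ip: str, port: int, proto: str = "tcp",
                   description: str = "") -> dict:
    """Inbound rule: allow `port` from exactly one host.

    Always emits a single-host prefix and refuses private addresses, so an
    automation bug cannot widen the rule or pin a private IP that should have
    been a group reference.
    """
    addr = ipaddress.ip_address(public_ip)  # ValueError on junk input
    if addr.is_private:
        raise ValueError(f"{public_ip} is a private address; use an SG reference")
    prefix = 32 if addr.version == 4 else 128
    rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{addr}/{prefix}"}]}
    if description:
        rule["IpRanges"][0]["Description"] = description
    return rule


# ---- simplified model of what the destination's security group sees ----

@dataclass
class Instance:
    instance_id: str
    private_ip: str
    public_ip: str
    security_groups: set[str] = field(default_factory=set)


@dataclass
class Connection:
    src_ip: str        # private IP on the VPC path, public IP via the IGW
    src_sgs: set[str]  # group membership is only known on the VPC path
    port: int
    proto: str = "tcp"


def connect(src: Instance, dst: Instance, port: int, via_public: bool) -> Connection:
    """Source as carried by the packet, depending on which address was dialled."""
    if via_public:
        # To dst's public IP the traffic leaves via the internet gateway: the
        # source is translated to src's public IP and no SG context travels with it.
        return Connection(src.public_ip, set(), port)
    return Connection(src.private_ip, set(src.security_groups), port)


def allowed(rules: list[dict], conn: Connection) -> bool:
    """Inbound match only; stateful return traffic is out of scope here."""
    src = ipaddress.ip_address(conn.src_ip)
    for r in rules:
        if r["IpProtocol"] != conn.proto or not (r["FromPort"] <= conn.port <= r["ToPort"]):
            continue
        if any(p["GroupId"] in conn.src_sgs for p in r.get("UserIdGroupPairs", [])):
            return True
        if any(src in ipaddress.ip_network(ip["CidrIp"]) for ip in r.get("IpRanges", [])):
            return True
    return False


# Constructed sample mirroring the question; IDs and addresses are made up.
INSTANCE_1 = Instance("i-0000000000000001", "10.0.1.10", "1.2.3.4", {"sg-aaaa"})
INSTANCE_2 = Instance("i-0000000000000002", "10.0.2.20", "5.6.7.8", {"sg-bbbb"})


def demo() -> dict[str, bool]:
    sg_only = [sg_reference_rule("sg-aaaa", 80)]
    with_public = sg_only + [public_ip_rule(INSTANCE_1.public_ip, 80, description="instance 1")]
    return {
        "private_path_sg_rule": allowed(sg_only, connect(INSTANCE_1, INSTANCE_2, 80, via_public=False)),
        "public_path_sg_rule": allowed(sg_only, connect(INSTANCE_1, INSTANCE_2, 80, via_public=True)),
        "public_path_cidr_rule": allowed(with_public, connect(INSTANCE_1, INSTANCE_2, 80, via_public=True)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The `public_ip_rule` guard is the part worth keeping in real automation: the value interpolated into the rule comes from a registered fact, and a bad lookup should fail loudly rather than produce a wide CIDR. If instance 1 can be pointed at instance 2's public DNS name instead of the literal address, note (not from the page) that inside a VPC with DNS hostnames enabled that name resolves to the private IP, which keeps the traffic on the path where hargut's group reference works.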