
I want to access my server from another instance, which is also within the same VPC, but my security group configuration does not allow me to do so.

My security group inbound rule is as follows:

Port range | Protocol |  Source
22         |    TCP   |  10.0.0.0/8
  • telnet private-ip 22 -> works fine
  • telnet public-ip 22 -> does not work – I need to open 0.0.0.0/0 to be able to get it working, which I don’t want to

I get it. I don’t open the port for public, but since these two are in the same network, aren’t they supposed to be communicating? If you guys shed some light into it, I’d appreciate it.

Thanks!


Answers


  1. I get it. I don’t open the port for public, but since these two are in the same network, aren’t they supposed to be communicating?

    Everything works as expected. When you use the private IP, all traffic stays within the VPC. When you use the public IP, the traffic first has to go to the internet and then back. It does not matter if the instance with a public IP is in the same VPC or not. In other words, public IP == internet access. For that you need 0.0.0.0/0 in general.

  2. When Instance-A tries to connect with Instance-B via a Public IP address, the traffic will "come from" the public IP address. However, your Security Group is only allowing inbound connections from the 10.x range.

    If you add the Instance-A Public IP address to the Security Group, it should work correctly.

    However, I highly recommend that you communicate via private IP address because it is cheaper (1c/GB for traffic that goes out and back into the VPC), keeps traffic inside the VPC and allows the Security Groups to be referenced by name rather than IP address.

    For example:

    • A security group on Instance-A (SG-A) that permits appropriate inbound traffic and All Outbound traffic
    • A security group on Instance-B (SG-B) that permits inbound access from SG-A

    That is, SG-B specifically refers to SG-A. This means that any EC2 instance associated with SG-A would be able to communicate with any EC2 instance associated with SG-B. This ability to have rules reference other Security Groups only works when instances communicate via private IP addresses.

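The following is an added example, not code from either answer: a small constructed model of how an inbound security group rule sees the connection in each of the four cases discussed above (CIDR rule vs. group reference, private IP vs. public IP). Instance addresses, group ids and the `inbound_allowed` helper are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model (not AWS code) of how a security group's inbound rules
# see a connection, reproducing the behaviour the answers above describe.
@dataclass
class Rule:
    port: int
    protocol: str
    cidr: Optional[str] = None       # e.g. "10.0.0.0/8"
    source_sg: Optional[str] = None  # e.g. "sg-a", a reference to another group

@dataclass
class Instance:
    private_ip: str
    public_ip: str
    groups: List[str] = field(default_factory=list)

def inbound_allowed(rules, src, dst, dst_addr, port, protocol="tcp"):
    """True if src may reach dst at dst_addr:port under dst's inbound rules.

    Via the public IP the packet hairpins through the internet: it arrives
    with the sender's public address and no group association, so only a
    CIDR rule can match. Via the private IP it stays in the VPC: the source
    is the private address and the sender's groups are known.
    """
    via_public = dst_addr == dst.public_ip
    seen_ip = ipaddress.ip_address(src.public_ip if via_public else src.private_ip)
    seen_groups = set() if via_public else set(src.groups)
    for r in rules:
        if r.protocol != protocol or r.port != port:
            continue
        if r.cidr and seen_ip in ipaddress.ip_network(r.cidr):
            return True
        if r.source_sg and r.source_sg in seen_groups:
            return True
    return False

def scenario():
    # Constructed addresses; 203.0.113.0/24 is a documentation-only range.
    a = Instance("10.0.1.10", "203.0.113.10", ["sg-a"])
    b = Instance("10.0.1.20", "203.0.113.20", ["sg-b"])
    cidr_rule = [Rule(22, "tcp", cidr="10.0.0.0/8")]   # the asker's rule
    sg_rule = [Rule(22, "tcp", source_sg="sg-a")]      # SG-B referencing SG-A
    return {
        "cidr_private": inbound_allowed(cidr_rule, a, b, b.private_ip, 22),
        "cidr_public": inbound_allowed(cidr_rule, a, b, b.public_ip, 22),
        "sg_private": inbound_allowed(sg_rule, a, b, b.private_ip, 22),
        "sg_public": inbound_allowed(sg_rule, a, b, b.public_ip, 22),
    }
```

Only the two private-IP cases succeed; opening 0.0.0.0/0 would make the public-IP case pass, at the cost of exposing the port to the whole internet.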