I want to access my server from an other instance, which is also within the same VPC, but my security group configuration does not allow me to do so.
My security group inbound rule is as follows:
Port range | Protocol | Source
22 | TCP | 10.0.0.0/8
- telnet private-ip 22 -> works fine
- telnet public-ip 22 -> does not work – I need to open 0.0.0.0/0 to be able to get it working, which I don’t want to
I get it. I don’t open the port for public, but since these two are in the same network, aren’t they supposed to be communicating? If you guys shed some light into it, I’d appreciate it.
Thanks!
2 Answers
Everything works as expected. When you use the private IP all traffic stays within the VPC. When you use the public IP, the traffic first has to go to the internet and then back. It does not matter if the instance with a public IP is in the same VPC or not. In other words, public IP == internet access. For that you need 0.0.0.0/0 in general.

When Instance-A tries to connect with Instance-B via a Public IP address, the traffic will "come from" the public IP address. However, your Security Group is only allowing inbound connections from the 10.x range. If you add the Instance-A Public IP address to the Security Group, it should work correctly.
However, I highly recommend that you communicate via private IP address because it is cheaper (1c/GB for traffic that goes out and back into the VPC), keeps traffic inside the VPC and allows the Security Groups to be referenced by name rather than IP address.
For example:
- SG-A that permits appropriate inbound traffic and All Outbound traffic
- SG-B that permits inbound access from SG-A

That is, SG-B specifically refers to SG-A. This means that any EC2 instance associated with SG-A would be able to communicate with any EC2 instance associated with SG-B. This ability to have rules reference other Security Groups only works when instances communicate via private IP addresses.
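To make the two answers concrete, here is an added example (not code from the question or the answers) that models how a Security Group's inbound allow-list is matched against a connection: the asker's `22 | TCP | 10.0.0.0/8` rule accepts the private-IP connection but rejects the one arriving from a public address, while a rule that references SG-A matches only when the traffic stays inside the VPC. The VPC CIDR `10.0.0.0/16`, the group id `sg-a` and the public address `203.0.113.10` are constructed values.

```python
# Simplified model of AWS Security Group inbound evaluation (added example).
# Assumptions: the VPC is 10.0.0.0/16, SG-A has id "sg-a", and a connection
# made via a public IP is seen by the receiver with the sender's public IP.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VPC range


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # source given as a CIDR block
    source_sg: Optional[str] = None  # or source given as another SG id


@dataclass(frozen=True)
class Connection:
    protocol: str
    port: int
    source_ip: str
    source_sgs: frozenset = frozenset()  # SGs attached to the sending ENI


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.protocol not in ("-1", conn.protocol):
        return False
    if not rule.from_port <= conn.port <= rule.to_port:
        return False
    src = ipaddress.ip_address(conn.source_ip)
    if rule.cidr is not None:
        return src in ipaddress.ip_network(rule.cidr)
    # SG-to-SG reference: the sender's SG is only known for traffic that stays
    # on VPC private addresses; via a public IP the reference cannot match.
    return src in VPC_CIDR and rule.source_sg in conn.source_sgs


def inbound_allowed(rules: List[Rule], conn: Connection) -> bool:
    # Security Groups are allow-lists: any matching rule permits, else deny.
    return any(rule_matches(r, conn) for r in rules)


SG_B_CIDR = [Rule("tcp", 22, 22, cidr="10.0.0.0/8")]  # the asker's rule
SG_B_REF = [Rule("tcp", 22, 22, source_sg="sg-a")]    # SG-referencing variant


def demo() -> dict:
    private = Connection("tcp", 22, "10.0.1.5", frozenset({"sg-a"}))
    public = Connection("tcp", 22, "203.0.113.10", frozenset({"sg-a"}))
    return {
        "cidr_rule_private": inbound_allowed(SG_B_CIDR, private),  # True
        "cidr_rule_public": inbound_allowed(SG_B_CIDR, public),    # False
        "sg_ref_private": inbound_allowed(SG_B_REF, private),      # True
        "sg_ref_public": inbound_allowed(SG_B_REF, public),        # False
    }
```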